SMTP password guessing attempts not being blocked (Anti-hammering protection not being triggered)

jimmonteath
The anti-hammering feature appears to be enabled with default settings, yet we still see repeated SMTP password guessing attempts in a single session.

I interpret the defaults to mean that more than 10 failed login attempts in 60 seconds will block the IP for 5 minutes. We see 10 failed logins in 40 seconds. These eventually cross the "SMTP failed commands" threshold (11) but that does not prevent immediate reconnection. We do block the offending IP addresses on our firewall, but this is usually after the fact.

Our settings and related log entries are below. Any suggestions for why anti-hammering isn't being triggered? Kerio Connect V8.1.2

Thanks,
Jim

Administration Console -> Configuration:

Advanced Options -> Login guessing protection:
- Block IP addresses suspicious of password guessing attacks = enabled.
- Never block this IP address group = "Local clients". Offending IP addresses are not in this group.

SMTP Server -> Security Options:
- Max. number of failed commands in a SMTP session = 11 (intentionally set high to allow anti-hammering protection)

mailserver.cfg

<table name="AntiHammering">
  <variable name="Pop3Enabled">1</variable>
  <variable name="ImapEnabled">1</variable>
  <variable name="HttpEnabled">1</variable>
  <variable name="SmtpEnabled">1</variable>
  <variable name="LdapEnabled">1</variable>
  <variable name="NntpEnabled">1</variable>
  <variable name="XmppEnabled">1</variable>
  <variable name="FailedLogins">10</variable>
  <variable name="CheckTime">60</variable>
  <variable name="BlockTime">300</variable>
  <variable name="SafeAcl">Local Clients</variable>
</table>


  • Attachment: security.log
    (Size: 1.04KB, Downloaded 223 times)
  • Attachment: debug.log
    (Size: 3.85KB, Downloaded 259 times)
jimmonteath
Submitted as a Support Ticket.
jimmonteath
I have been advised by Technical Support that anti-hammering only protects against plaintext login attempts for SMTP. It does not block SASL authentication attempts. I cannot find this limitation documented anywhere public.

Unfortunately, this makes the feature useless to us. We are not going to compromise login security in order to gain anti-hammering protection.

Apparently Kerio have a suggestion on file for expanding the anti-hammering feature to also protect against SASL authentication. I have also posted this as a suggestion and would appreciate your votes.
Machete
I know this issue has been discussed at least a few times over the last 8 years, in addition to this most recent topic (and thanks for the suggestion @jimmonteath):

http://forums.kerio.com/t/5227/failed-smtp-login-attempts-how-to-control-
http://forums.kerio.com/t/18540/failed-smtp-login
http://forums.kerio.com/t/24622/security-breaches

I've recently started seeing (again):
[30/May/2014 06:43:41] Failed SMTP login from static-98-109-127-11.nwrknj.fios.verizon.net with SASL method LOGIN.

In all the threads, I see little to no feedback or acknowledgement from Kerio. Does Kerio have any suggestions on how to configure Connect to help prevent these attempts?

As other users have stated, I can block their IPs at the firewall, but this is all after the fact. I'm looking for something to trigger a block while the attempts are happening.
Neil Whiteside (Kerio)
Our development team have indicated that this is in our plans for Kerio Connect v8.5

Obviously the final spec of a release can change, but it is currently on our roadmap.


Knowledge Base: http://kb.kerio.com/.
Looking for technical support? http://www.kerio.com/support
NickySmith
[08/Nov/2014 01:03:39] Failed SMTP login from 198.46.135.74 with SASL method LOGIN.
[08/Nov/2014 01:03:39] SMTP: User admin<_at_>carolinanet.com doesn't exist. Attempt from IP address 198.46.135.74.
[08/Nov/2014 01:03:45] Failed SMTP login from 198.46.135.74 with SASL method LOGIN.
[08/Nov/2014 01:03:45] SMTP server connection from 198.46.135.74 closed after 3 bad commands
[08/Nov/2014 01:04:11] SMTP: User admin<_at_>carolinanet.com doesn't exist. Attempt from IP address 198.46.135.74.
[08/Nov/2014 01:04:17] Failed SMTP login from 198.46.135.74 with SASL method LOGIN.
[08/Nov/2014 01:04:17] SMTP: User admin<_at_>carolinanet.com doesn't exist. Attempt from IP address 198.46.135.74.
[08/Nov/2014 01:04:23] Failed SMTP login from 198.46.135.74 with SASL method LOGIN.
[08/Nov/2014 01:04:23] SMTP: User admin<_at_>carolinanet.com doesn't exist. Attempt from IP address 198.46.135.74.

This option is needed to block ranges of IPs that are attempting to dictionary attack user passwords. Is v8.5 in the far-away future, or near? If far away we can block IPs another way, but if v8.5 is soon we will wait, as this is the best way to achieve this goal and address this continuing issue.
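Added example, not part of any post in this thread and not Kerio's code: a Python model of the policy Jim's mailserver.cfg describes (FailedLogins=10 within CheckTime=60 s blocks the source for BlockTime=300 s, with a SafeAcl exemption), applied to the `Failed SMTP login from ... with SASL method LOGIN.` lines that NickySmith and Machete post. Since Support told Jim that the built-in counter ignores SASL attempts, this is the counting a log-tailing script would have to do itself before pushing the address to a firewall. The sources 203.0.113.5 and 198.51.100.7, their timestamps and the 127.0.0.1 safe-list entry are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds copied from the AntiHammering table posted in the thread.
FAILED_LOGINS = 10      # FailedLogins: failures allowed inside one window
CHECK_TIME = 60         # CheckTime: window length in seconds
BLOCK_TIME = 300        # BlockTime: how long a source stays blocked, seconds
# Stand-in for the "Local Clients" SafeAcl group (assumption: loopback only).
SAFE_ACL = {"127.0.0.1"}

# Security-log format seen in the thread, e.g.
# [08/Nov/2014 01:03:39] Failed SMTP login from 198.46.135.74 with SASL method LOGIN.
# The source token may be a reverse-resolved hostname rather than an IP.
FAILED_LOGIN_RE = re.compile(
    r"^\[(\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2})\] "
    r"Failed SMTP login from (\S+) with SASL method (\w+)\.$"
)


def parse_failed_login(line):
    """Return (timestamp, source, sasl_method) for a failed-login line, else None."""
    m = FAILED_LOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%d/%b/%Y %H:%M:%S")
    return ts, m.group(2), m.group(3)


class AntiHammering:
    """Sliding-window login-guessing policy: FAILED_LOGINS failures within
    CHECK_TIME seconds from one source block that source for BLOCK_TIME."""

    def __init__(self, failed_logins=FAILED_LOGINS, check_time=CHECK_TIME,
                 block_time=BLOCK_TIME, safe_acl=SAFE_ACL):
        self.failed_logins = failed_logins
        self.window = timedelta(seconds=check_time)
        self.block = timedelta(seconds=block_time)
        self.safe_acl = set(safe_acl)
        self.failures = defaultdict(deque)   # source -> failure timestamps in window
        self.blocked_until = {}              # source -> datetime the block expires

    def is_blocked(self, source, now):
        until = self.blocked_until.get(source)
        return until is not None and now < until

    def record_failure(self, source, now):
        """Register one failed login; return True if it triggers a new block."""
        if source in self.safe_acl:
            return False
        window = self.failures[source]
        window.append(now)
        # Drop failures that fell out of the check window.
        while window and now - window[0] > self.window:
            window.popleft()
        if len(window) >= self.failed_logins:
            self.blocked_until[source] = now + self.block
            window.clear()
            return True
        return False


def replay(lines, policy=None):
    """Run security-log lines through the policy. Returns which sources were
    blocked and when, plus how many attempts arrived while a block was active
    (connections the server should have refused)."""
    policy = policy or AntiHammering()
    blocks, rejected = [], 0
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue                      # not a failed-login line
        ts, source, _method = parsed
        if policy.is_blocked(source, ts):
            rejected += 1
            continue
        if policy.record_failure(source, ts):
            blocks.append((source, ts.isoformat()))
    return {"blocks": blocks, "rejected": rejected,
            "blocked_until": {s: t.isoformat() for s, t in policy.blocked_until.items()}}


# Constructed sample (not a real capture): one attacker hitting every 6 s, the
# cadence in NickySmith's excerpt; one line that is not a login failure; and one
# failure from a SafeAcl address that must never be counted.
SAMPLE_BASE = datetime(2014, 11, 8, 1, 3, 39)
SAMPLE_LOG = [
    "[%s] Failed SMTP login from 203.0.113.5 with SASL method LOGIN."
    % (SAMPLE_BASE + timedelta(seconds=6 * i)).strftime("%d/%b/%Y %H:%M:%S")
    for i in range(12)
] + [
    "[08/Nov/2014 01:05:00] SMTP server connection from 203.0.113.5 closed after 3 bad commands",
    "[08/Nov/2014 01:05:10] Failed SMTP login from 127.0.0.1 with SASL method LOGIN.",
]


def attempts_until_block(offsets, source="198.51.100.7", policy=None):
    """Feed failures at the given second offsets; return the 1-based attempt
    number at which the source got blocked, or None if it never was."""
    policy = policy or AntiHammering()
    for n, off in enumerate(offsets, 1):
        if policy.record_failure(source, SAMPLE_BASE + timedelta(seconds=off)):
            return n
    return None


if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
    print(attempts_until_block([4 * i for i in range(10)]))   # Jim's 10-in-40 s case
```

With these settings the sample attacker is blocked on its 10th failure (54 s after the first), and the two attempts that follow inside the 300 s block are counted as `rejected`; Jim's 10 failures in 40 seconds trip the threshold, while 10 failures spread over 63 seconds do not. Note that Connect may log a hostname instead of an address (as in Machete's line), so anything that feeds firewall rules should key on the connecting IP rather than on the logged name.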
hello
Any update on this feature? We now have KC v9.0.4 and it still does not seem to block these attempts, or am I missing something?

I did see these KB articles: http://kb.kerio.com/1167 and http://kb.kerio.com/1439

[Updated on: Sun, 22 May 2016 17:10]

Justice
Bump. I would like to see a solution for this as well. Could someone from the Kerio support team please respond?