ClearFoundation Tracker - ClearOS
View Issue Details
ID: 0000221
Project: ClearOS
Category: app-password-policies - Password Policies
View Status: public
Date Submitted: 2011-01-06 02:13
Last Update: 2012-12-04 09:43
Reporter: timb80
Assigned To: user2
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 5.2-SP1
Fixed in Version: 6.3.0
Summary: 0000221: Spambot dictionary based attempts with SMTP server authentication enabled results in LDAP account lockout
Description:
When the SMTP server is enabled with authentication, it no longer considers the trusted network settings to restrict authentication requests.

This means that the SMTP server will try to authenticate against LDAP when spam bots attempt to use the relay with common usernames, such as admin, info, test, mail, etc.

The LDAP password policy is set to block after 5 failed attempts, and with zero (i.e. infinite) duration for the block. This means a spam bot will inadvertently lock out common user accounts - so when the user next logs on it will not accept their password.

(Aside - entering the wrong password in Outlook and storing it can also cause lockout as it will attempt 5+ times when opening to log in!)

Please can we:-
- Have a facility to change the parameters from the webconfig (can be adjusted by LDAP manager)
- Have the facility to unblock an account from the webconfig without having to reset the password
AND/OR Change the default duration to 600 seconds (10 mins) lockout duration
increase the failure limit to around 10 as the intrusion detection service does handle SMTP abuse with a specific SMTP rule
Forum thread details are here:-
http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,14/func,view/id,21867/limit,10/limitstart,30/#22665
LDAP details here
http://www.zytrax.com/books/ldap/ch6/ppolicy.html#account-unlock

Two workarounds
1. disable SMTP authentication and use email only from the trusted networks - but this isn't practical for everyone.
2. use more cryptic / unusual usernames, and then create an alias that points to that user.
No tags attached.
Issue History
2011-01-06 02:13  timb80  New Issue
2011-01-06 09:54  user2   Status: new => confirmed
2011-01-26 10:16  timb80  Note Added: 0000332
2011-01-26 10:18  timb80  Note Edited: 0000332
2012-12-04 09:43  user2   Note Added: 0000605
2012-12-04 09:43  user2   Status: confirmed => resolved
2012-12-04 09:43  user2   Fixed in Version: => 6.3.0
2012-12-04 09:43  user2   Resolution: open => fixed
2012-12-04 09:43  user2   Assigned To: => user2
2012-12-04 09:43  user2   Status: resolved => closed

Notes
(0000332)
timb80   
2011-01-26 10:16   
(edited on: 2011-01-26 10:18)
The webconfig defaults are here - applied after updating the policy settings in the webconfig

/var/webconfig/api/LdapPasswordPolicy.class.php
Lines 171-174:
171 $policy_attributes['pwdLockout'] = 'TRUE';
172 $policy_attributes['pwdLockoutDuration'] = '0';
173 $policy_attributes['pwdMaxAge'] = '0';
174 $policy_attributes['pwdMaxFailure'] = '5';

(0000605)
user2   
2012-12-04 09:43   
3 things were done to mitigate this problem:

1) the lockout duration was changed to 10 minutes
2) SMTP rules were added to the IDS/IPS system
3) the "Account Lockout" feature can now be enabled/disabled
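
The lockout mechanics this ticket turns on (the ppolicy attributes the webconfig sets, the defaults quoted in note 0000332, and the 10-minute duration adopted in the fix) are modelled below as an added example; it is not ClearOS or OpenLDAP code. It assumes a simplified version of the ppolicy overlay's bookkeeping: one pwdFailureTime value per failed bind, pwdAccountLockedTime stamped when pwdMaxFailure is reached, and a lock that expires pwdLockoutDuration seconds later, or never while the duration is 0. The LDIF entries, account names and timestamps are constructed for the example.

```python
"""Model of the OpenLDAP ppolicy lockout behaviour behind this ticket.

Added example, not ClearOS code. Attribute names are the real ppolicy ones
(pwdLockout, pwdMaxFailure, pwdLockoutDuration, pwdFailureTime,
pwdAccountLockedTime); the LDIF entries and timestamps are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

GT_FORMAT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime, UTC, no fraction


def parse_gt(value: str) -> datetime:
    """Parse 'YYYYmmddHHMMSS[.ffffff]Z' (ppolicy writes a fractional part on
    pwdFailureTime so the multi-valued attribute never holds duplicates)."""
    if not value.endswith("Z"):
        raise ValueError("only Zulu GeneralizedTime is handled: %r" % value)
    body, _, frac = value[:-1].partition(".")
    micro = int(frac.ljust(6, "0")[:6]) if frac else 0
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(
        tzinfo=timezone.utc, microsecond=micro)


@dataclass
class Policy:
    pwd_lockout: bool = True        # pwdLockout
    pwd_max_failure: int = 5        # pwdMaxFailure
    pwd_lockout_duration: int = 0   # pwdLockoutDuration; 0 = until an admin clears it


# The two settings the ticket contrasts: the old webconfig default and the fix.
DEFAULT_POLICY = Policy()                         # 5 failures, permanent lock
FIXED_POLICY = Policy(pwd_lockout_duration=600)  # 5 failures, 10-minute lock


@dataclass
class Account:
    uid: str
    pwd_failure_time: List[str] = field(default_factory=list)  # pwdFailureTime
    pwd_account_locked_time: Optional[str] = None              # pwdAccountLockedTime


def record_failed_bind(account: Account, policy: Policy, when: datetime) -> bool:
    """Simplified model of a failed simple bind: append a pwdFailureTime and,
    once pwdMaxFailure is reached, stamp pwdAccountLockedTime. Returns locked."""
    account.pwd_failure_time.append(when.strftime(GT_FORMAT))
    if (policy.pwd_lockout and account.pwd_account_locked_time is None
            and len(account.pwd_failure_time) >= policy.pwd_max_failure):
        account.pwd_account_locked_time = when.strftime(GT_FORMAT)
    return account.pwd_account_locked_time is not None


def is_locked(account: Account, policy: Policy, now: datetime) -> Tuple[bool, Optional[datetime]]:
    """Return (locked, unlock_at); unlock_at is None for a permanent lock."""
    if not policy.pwd_lockout or account.pwd_account_locked_time is None:
        return False, None
    if policy.pwd_lockout_duration == 0:
        return True, None  # stays locked until pwdAccountLockedTime is removed
    unlock_at = parse_gt(account.pwd_account_locked_time) + timedelta(
        seconds=policy.pwd_lockout_duration)
    return now < unlock_at, unlock_at


def parse_ldif(text: str) -> List[Account]:
    """Minimal LDIF reader for the three attributes this check needs."""
    accounts = []
    for block in text.strip().split("\n\n"):
        acct = Account(uid="")
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            if attr == "uid":
                acct.uid = value
            elif attr == "pwdFailureTime":
                acct.pwd_failure_time.append(value)
            elif attr == "pwdAccountLockedTime":
                acct.pwd_account_locked_time = value
        accounts.append(acct)
    return accounts


def lockout_report(ldif_text: str, policy: Policy, now: datetime) -> Dict[str, Optional[str]]:
    """uid -> None (usable), 'permanent', or the GeneralizedTime the lock expires."""
    report = {}
    for acct in parse_ldif(ldif_text):
        locked, unlock_at = is_locked(acct, policy, now)
        report[acct.uid] = (None if not locked else "permanent" if unlock_at is None
                            else unlock_at.strftime(GT_FORMAT))
    return report


def simulate_failed_binds(policy: Policy, attempts: int, start: datetime, uid: str = "info") -> Account:
    """One failed bind per second against a fresh account, as the report describes."""
    acct = Account(uid=uid)
    for i in range(attempts):
        record_failed_bind(acct, policy, start + timedelta(seconds=i))
    return acct


# Constructed sample entries: 'info' and 'admin' were locked by guessing,
# 'alice' has a single typo and is fine.
SAMPLE_LDIF = """
dn: uid=info,ou=Users,dc=example,dc=com
uid: info
pwdFailureTime: 20110106021301.000001Z
pwdFailureTime: 20110106021302.000001Z
pwdFailureTime: 20110106021303.000001Z
pwdFailureTime: 20110106021304.000001Z
pwdFailureTime: 20110106021305.000001Z
pwdAccountLockedTime: 20110106021305Z

dn: uid=admin,ou=Users,dc=example,dc=com
uid: admin
pwdAccountLockedTime: 20110106015000Z

dn: uid=alice,ou=Users,dc=example,dc=com
uid: alice
pwdFailureTime: 20110106020000.000001Z
"""
NOW = parse_gt("20110106021500Z")  # constructed "current time" for the report

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("fixed", FIXED_POLICY)):
        print(name, lockout_report(SAMPLE_LDIF, policy, NOW))
```

Run as a script it prints, for each sample account, whether it is usable, permanently locked, or locked until a given time: under the old defaults both guessed accounts stay locked until an administrator removes pwdAccountLockedTime or resets the password, while under the 10-minute duration the older lock has already expired on its own. The same report, pointed at real entries exported from the directory, is a quick way to see which accounts a bot has locked rather than waiting for users to report that their password is refused.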