ClearOS Bug Tracker


ID: 0000221
Project: ClearOS
Category: app-password-policies - Password Policies
View Status: public
Date Submitted: 2011-01-06 02:13
Last Update: 2012-12-04 09:43
Reporter: timb80
Assigned To: user2
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: (not specified)
OS: (not specified)
OS Version: (not specified)
Product Version: 5.2-SP1
Target Version: (not specified)
Fixed in Version: 6.3.0
Summary: 0000221: Spambot dictionary-based attempts with SMTP server authentication enabled result in LDAP account lockout

Description:
When the SMTP server is enabled with authentication, it no longer considers the trusted network settings to restrict authentication requests.

This means that the SMTP server will try to authenticate against LDAP when spam bots attempt to use the relay with common usernames, such as admin, info, test, mail, etc.

The LDAP password policy is set to block after 5 failed attempts, and with zero (i.e. infinite) duration for the block. This means a spam bot will inadvertently lock out common user accounts, so when the user next logs on it will not accept their password.

(Aside - entering the wrong password in Outlook and storing it can also cause lockout as it will attempt 5+ times when opening to log in!)

Please can we:
- have a facility to change the parameters from the webconfig (can be adjusted by LDAP manager)
- have the facility to unblock an account from the webconfig without having to reset the password
AND/OR
- change the default duration to a 600 second (10 min) lockout duration
- increase the failure limit to around 10, as the intrusion detection service does handle SMTP abuse with a specific SMTP rule
Additional Information:
Forum thread details are here:
http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,14/func,view/id,21867/limit,10/limitstart,30/#22665
LDAP details here:
http://www.zytrax.com/books/ldap/ch6/ppolicy.html#account-unlock

Two workarounds:
1. Disable SMTP authentication and use email only from the trusted networks, but this isn't practical for everyone.
2. Use more cryptic / unusual usernames, and then create an alias that points to that user.
Tags: No tags attached.
Attached Files: (none)
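The lockout mechanics the report describes (a relay forwarding every spambot AUTH guess to LDAP, a five-failure limit and a zero, i.e. indefinite, lockout duration) can be modelled directly in terms of the ppolicy attributes. The following is an added example written for this page, not ClearOS or OpenLDAP code. The attribute names (pwdLockout, pwdLockoutDuration, pwdMaxFailure, pwdFailureTime, pwdAccountLockedTime) are the real ppolicy ones, as quoted in note 0000332 below; the account, the guess list, the timestamps and the "info" mailbox are constructed. The policy objects reproduce the 5.2-SP1 defaults, the 10-minute duration from note 0000605 (it is an assumption here that the failure limit stayed at 5), the reporter's requested 10 failures / 600 s, and the "Account Lockout" toggle. Times are in seconds.

```python
"""Model of LDAP ppolicy lockout under a spambot SMTP AUTH burst (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PasswordPolicy:
    # Attribute names follow the ppolicy overlay; values are the knobs discussed in the issue.
    pwdLockout: bool = True
    pwdMaxFailure: int = 5
    pwdLockoutDuration: int = 0  # 0 means locked until an administrator unlocks the account


@dataclass
class Account:
    password: str
    pwdFailureTime: List[int] = field(default_factory=list)  # timestamps of recent failures
    pwdAccountLockedTime: Optional[int] = None  # set when the account is locked

    def is_locked(self, policy: PasswordPolicy, now: int) -> bool:
        if not policy.pwdLockout or self.pwdAccountLockedTime is None:
            return False
        if policy.pwdLockoutDuration == 0:
            return True  # indefinite lockout: only admin_unlock() clears it
        return now < self.pwdAccountLockedTime + policy.pwdLockoutDuration

    def bind(self, policy: PasswordPolicy, password: str, now: int) -> str:
        """Simulate a simple bind; returns 'ok', 'bad-password' or 'locked'."""
        if self.is_locked(policy, now):
            return "locked"
        if self.pwdAccountLockedTime is not None:
            # a timed lock has expired: failure counting starts afresh
            self.pwdAccountLockedTime = None
            self.pwdFailureTime = []
        if password == self.password:
            self.pwdFailureTime = []  # a successful bind resets the failure count
            return "ok"
        self.pwdFailureTime.append(now)
        if policy.pwdLockout and len(self.pwdFailureTime) >= policy.pwdMaxFailure:
            self.pwdAccountLockedTime = now
        return "bad-password"

    def admin_unlock(self) -> None:
        """What an administrator does by deleting pwdAccountLockedTime on the entry."""
        self.pwdAccountLockedTime = None
        self.pwdFailureTime = []


# Constructed: six SMTP AUTH guesses against the 'info' mailbox, one per second from t=0
SPAMBOT_GUESSES = ["info", "password", "123456", "info123", "letmein", "qwerty"]
USER_PASSWORD = "correct-horse-battery-staple"  # constructed, never guessed by the bot


def simulate(policy: PasswordPolicy, user_logins: Tuple[int, ...] = (60, 700)) -> Dict[int, str]:
    """Run the spambot burst, then the real user's logins at the given times; return their outcomes."""
    acct = Account(password=USER_PASSWORD)
    for t, guess in enumerate(SPAMBOT_GUESSES):
        acct.bind(policy, guess, t)
    return {t: acct.bind(policy, USER_PASSWORD, t) for t in user_logins}


def recover_with_admin_unlock(policy: PasswordPolicy) -> Tuple[str, str]:
    """Outcome of the user's login before and after an administrator clears the lock."""
    acct = Account(password=USER_PASSWORD)
    for t, guess in enumerate(SPAMBOT_GUESSES):
        acct.bind(policy, guess, t)
    before = acct.bind(policy, USER_PASSWORD, 60)
    acct.admin_unlock()
    after = acct.bind(policy, USER_PASSWORD, 61)
    return before, after


OLD_DEFAULTS = PasswordPolicy(pwdLockout=True, pwdMaxFailure=5, pwdLockoutDuration=0)
TIMED_LOCKOUT = PasswordPolicy(pwdLockout=True, pwdMaxFailure=5, pwdLockoutDuration=600)
REQUESTED = PasswordPolicy(pwdLockout=True, pwdMaxFailure=10, pwdLockoutDuration=600)
LOCKOUT_OFF = PasswordPolicy(pwdLockout=False)

if __name__ == "__main__":
    for name, pol in [("old defaults", OLD_DEFAULTS), ("10 min lockout", TIMED_LOCKOUT),
                      ("10 failures / 10 min", REQUESTED), ("lockout disabled", LOCKOUT_OFF)]:
        print(f"{name:22} -> {simulate(pol)}")
    print("admin unlock (old defaults):", recover_with_admin_unlock(OLD_DEFAULTS))
```

Under the old defaults the user is still locked out eleven minutes after the burst and stays that way until an administrator intervenes; a 600 s duration turns the same burst into a ten-minute outage, and a limit of 10 absorbs a short burst entirely. The model omits pwdFailureCountInterval and the trusted-network check, so it shows the policy interaction only.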

Relationships: (none)

Notes
(0000332)
timb80 (developer)
2011-01-26 10:16
edited on: 2011-01-26 10:18

The webconfig defaults are here (applied after updating the policy settings in the webconfig):

/var/webconfig/api/LdapPasswordPolicy.class.php
Lines 171-174:
171 $policy_attributes['pwdLockout'] = 'TRUE';
172 $policy_attributes['pwdLockoutDuration'] = '0';
173 $policy_attributes['pwdMaxAge'] = '0';
174 $policy_attributes['pwdMaxFailure'] = '5';

(0000605)
user2
2012-12-04 09:43

3 things were done to mitigate this problem:

1) the lockout duration was changed to 10 minutes
2) SMTP rules were added to the IDS/IPS system
3) the "Account Lockout" feature can now be enabled/disabled

Issue History

Date Modified     Username  Field             Change
2011-01-06 02:13  timb80    New Issue
2011-01-06 09:54  user2     Status            new => confirmed
2011-01-26 10:16  timb80    Note Added        0000332
2011-01-26 10:18  timb80    Note Edited       0000332
2012-12-04 09:43  user2     Note Added        0000605
2012-12-04 09:43  user2     Status            confirmed => resolved
2012-12-04 09:43  user2     Fixed in Version  => 6.3.0
2012-12-04 09:43  user2     Resolution        open => fixed
2012-12-04 09:43  user2     Assigned To       => user2
2012-12-04 09:43  user2     Status            resolved => closed