Anonymous | Login | 2024-12-22 00:29 MST |
Main | My View | View Issues | Change Log | Roadmap | Repositories |
View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
ID | Project | Category | View Status | Date Submitted | Last Update | ||||
0000221 | ClearOS | app-password-policies - Password Policies | public | 2011-01-06 02:13 | 2012-12-04 09:43 | ||||
Reporter | timb80 | ||||||||
Assigned To | user2 | ||||||||
Priority | normal | Severity | major | Reproducibility | always | ||||
Status | closed | Resolution | fixed | ||||||
Platform | OS | OS Version | |||||||
Product Version | 5.2-SP1 | ||||||||
Target Version | Fixed in Version | 6.3.0 | |||||||
Summary | 0000221: Spambot dictionary based attempts with SMTP server authentication enabled results in LDAP account lockout | ||||||||
Description | When the SMTP server is enabled with authentication, it no longer considers the trusted network settings to restrict authentication requests. This means that the SMTP server will try and authenticate against LDAP when spam bots attempt to use the relay with common usernames, such as admin, info, test, mail...etc. The LDAP password policy is set to block after 5No. failed attempts, and with zero (i.e. inifinte) duration for the block. This means a spam bot will inadvertently lock out common user accounts - so when the user next logs on it will no accept their password. (Aside - entering the wrong password in Outlook and storing it can also cause lockout as it will attempt 5+ times when opening to log in!) Please can we:- - Have a facility to change the parameters from the webconfig (can be adjusted by LDAP manager) - Have the facility to unblock an account from the webconfig without having to reset the password AND/OR Change the default duration to 600 second (10mins) lockout duration increase the failure limit to around 10 as the intrusion detection service does handle SMTP abuse with a specific SMTP rule | ||||||||
Additional Information | Forum thread details are here:- http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,14/func,view/id,21867/limit,10/limitstart,30/#22665 [^] LDAP details here http://www.zytrax.com/books/ldap/ch6/ppolicy.html#account-unlock [^] Two work arounds 1. disable SMTP authentication and use email only from the trusted networks - but this isn't practical for everyone. 2. use more cryptic / unusual usernames, and then create an alias that points to that user. | ||||||||
Tags | No tags attached. | ||||||||
Attached Files | |||||||||
Notes | |
(0000332) timb80 (developer) 2011-01-26 10:16 edited on: 2011-01-26 10:18 |
The webconfig defaults are here - applied after updating the policy settings in the webconfig /var/webconfig/api/LdapPasswordPolicy.class.php Lines 171 $policy_attributes['pwdLockout'] = 'TRUE'; 172 $policy_attributes['pwdLockoutDuration'] = '0'; 173 $policy_attributes['pwdMaxAge'] = '0'; 174 $policy_attributes['pwdMaxFailure'] = '5'; |
(0000605) user2 2012-12-04 09:43 |
3 things were done to mitigate this problem: 1) the lockout duration was changed to 10 minutes 2) SMTP rules were added to the IDS/IPS system 3) the "Account Lockout" feature can now be enabled/disabled |
Issue History | |||
Date Modified | Username | Field | Change |
2011-01-06 02:13 | timb80 | New Issue | |
2011-01-06 09:54 | user2 | Status | new => confirmed |
2011-01-26 10:16 | timb80 | Note Added: 0000332 | |
2011-01-26 10:18 | timb80 | Note Edited: 0000332 | |
2012-12-04 09:43 | user2 | Note Added: 0000605 | |
2012-12-04 09:43 | user2 | Status | confirmed => resolved |
2012-12-04 09:43 | user2 | Fixed in Version | => 6.3.0 |
2012-12-04 09:43 | user2 | Resolution | open => fixed |
2012-12-04 09:43 | user2 | Assigned To | => user2 |
2012-12-04 09:43 | user2 | Status | resolved => closed |