GeraldR Regular Contributor.

protecting your auth-gwia from bad password smtp login attempts / gw-intruder-detection won't work

hi!

how do you guys protect your smtp-auth-gwia (e.g. smtp.your.domain) out on the internet from bad password attacks?

we just realized that gw-intruder-detection obviously doesn't recognize these bad password attempts as intruders! imap-/pop-/soap-bad-password-attempts are counted as intruders as expected.

the problem is that these intruders continuously lock down your edir-account (in case you run your gw against ldap, which we do...), so the affected users cannot work during such an attack...

only "option" seems to be to disable(!) intruder detection on edir...?!

that's not what we want actually!

tnx, regards! gerald


Re: protecting your auth-gwia from bad password smtp login attempts / gw-intruder-detection won't wo

Not sure how you are using your gwia...this may not work for you.  But my gwia is not publicly accessible.  My gwia only talks to my spam filter and my spam filter handles all incoming and outgoing email.

--
Ken
Knowledge Partner


Re: protecting your auth-gwia from bad password smtp login attempts / gw-intruder-detection won't wo


@GeraldR wrote:

hi!

how do you guys protect your smtp-auth-gwia (e. g. smtp.your.domain) out in the internet from bad password attacks?


Hi Gerald,

The simple answer is don't allow SMTP authentication, at least not to your public GWIA. Spammers and hackers will hammer away trying to get in. They may not be able to guess the password but they will consume substantial resources trying.

Every situation is different. What works for one customer may not work for another...

If you have relatively few mobile users who need to use IMAP and need to authenticate to send outgoing email via GWIA, create a second GWIA just for them and use unique 5-digit port numbers that aren't publicized. 

That doesn't fix the problem but the chances are pretty slim that someone will stumble across the correct port numbers. If they can't find your GWIA, they can't impact it.

_____
Kevin Boyle - Knowledge Partner - Calgary, Alberta, Canada

Re: protecting your auth-gwia from bad password smtp login attempts / gw-intruder-detection won't wo


@KBOYLE wrote:

@GeraldR wrote:

hi!

how do you guys protect your smtp-auth-gwia (e. g. smtp.your.domain) out in the internet from bad password attacks?


Hi Gerald,

The simple answer is don't allow SMTP authentication, at least not to your public GWIA.


Except that you plain can't disable AUTH in Groupwise, one of the decade-old outstanding inexplicable shortcomings in the product.

You *can* disable *relaying* after authenticating, but you can't stop the authentication itself, thus you can't stop the fact that attackers will try (as GWIA will always report it supports AUTH in the greeting), and you also can't stop the attacker from gaining access by brute-forcing passwords, which they can then use e.g. at webaccess (yes, that has happened).

In older Groupwise versions (back when we had ConsoleOne) you could deliberately break the link the GWIA has to the PostOffice, so it couldn't authenticate anymore, but this option is gone (despite still existing in the database) in the gwadmin console. So the only solution there is is a firewall between the GWIA and the post offices to stop the GWIA from accessing the POA port.

Or, of course, add another product in front of GWIA and do not expose it to the internet. In reality, exposing a GWIA to the internet these days is realistically impossible, for this one reason only. Attackers know *exactly* that Groupwise is vulnerable to that and will attack it within a short time.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
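
The post above notes that GWIA keeps reporting AUTH support even when relaying is disabled, so after putting a front-end product or firewall in place it is worth confirming what the public SMTP listener still advertises. The following is an added example, not part of the original posts: it parses an EHLO reply and reports whether AUTH is offered; the sample replies and host names are constructed.

```python
import re

# Constructed sample EHLO replies (not captured from a real server).
SAMPLE_WITH_AUTH = (
    "250-mail.example.test Hello\r\n"
    "250-SIZE 20971520\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250-AUTH=LOGIN\r\n"
    "250 8BITMIME\r\n"
)
SAMPLE_NO_AUTH = (
    "250-relay.example.test\r\n"
    "250-STARTTLS\r\n"
    "250 SIZE 20971520\r\n"
)

_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_ehlo(reply):
    """Return {KEYWORD: set(params)} from a multi-line EHLO reply (RFC 5321)."""
    lines = [ln for ln in reply.splitlines() if ln]
    if not lines:
        raise ValueError("empty reply")
    extensions = {}
    for idx, line in enumerate(lines):
        m = _LINE.match(line)
        if m is None or m.group(1) != "250":
            raise ValueError(f"not a positive EHLO reply: {line!r}")
        # Every line but the last uses "250-"; the last uses "250 ".
        is_last = idx == len(lines) - 1
        if (m.group(2) == " ") != is_last:
            raise ValueError(f"bad continuation marker: {line!r}")
        if idx == 0:
            continue  # first line is the server's domain/greeting
        text = m.group(3)
        if text.upper().startswith("AUTH="):
            text = "AUTH " + text[5:]  # legacy form, same meaning as "AUTH ..."
        words = text.split()
        if words:
            params = extensions.setdefault(words[0].upper(), set())
            params.update(w.upper() for w in words[1:])
    return extensions

def audit(reply):
    """Summarise what an exposed listener offers to unauthenticated clients."""
    ext = parse_ehlo(reply)
    return {
        "auth_advertised": "AUTH" in ext,
        "mechanisms": sorted(ext.get("AUTH", ())),
        "starttls": "STARTTLS" in ext,
    }
```
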

Re: protecting your auth-gwia from bad password smtp login attempts / gw-intruder-detection won't wo


@mrosen wrote:
Except that you plain can't disable AUTH in Groupwise, 

Well, I'm embarrassed to admit it but I didn't know that. I had always assumed... but should have known better!

I have used port redirection to protect IMAP but obviously you can't change the SMTP port(s) if you want to continue receiving email. Blacklists should help but they are not a solution.

I'm sure you must have followed up on this in the past. What kind of response did you get?

_____
Kevin Boyle - Knowledge Partner - Calgary, Alberta, Canada

Re: protecting your auth-gwia from bad password smtp login attempts / gw-intruder-detection won't wo


@KBOYLE wrote:

@mrosen wrote:
Except that you plain can't disable AUTH in Groupwise, 

Well, I'm embarrassed to admit it but I didn't know that. I had always assumed... but should have known better!

I don't blame you. It *is* unbelievable that it's not possible.

I have used port redirection to protect IMAP but obviously you can't change the SMTP port(s) if you want to continue receiving email. Blacklists should help but they are not a solution.

I'm sure you must have followed up on this in the past. What kind of response did you get?


None. Or to use Gwava/SMG and frontend GWIA with it. So add another product because the one you already have can't be used... No Comment.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de