Global Bot / Script Kiddie / Brute Force IP Blacklist
Sophos should maintain a blacklist of Bots / Script Kiddies / Brute Force attackers based on big data of failed logins on UTM's.
Problem to solve:
There are lot of (often automated) login attempts to the different publicly available UTM facilities as SMTP (authenticated relaying), User Portal, Webadmin, SSH, Reverse Proxy. On my UTM I have for example since weeks a ongoing brute force attacks on the smtp proxy, as authenticated relaying is allowed on it. Blocking those bots after 5 attempts helps only marginal, as they automatically switch to other bots (new IP) and continue the brute force attack. I collected in the meanwhile hundreds of IP addresses from where the attacks originated.
UTM customers should be able to opt-in by choice in a kind of Sophos maintained "Bot / Script Kiddie / Brute Force IP Blacklist", which is populated with source IP's of failed logins on public facing UTM facilities as Webadmin, User Portal, SMTP, SSH etc.
The Sophos maintained blacklist should check this colected data for source IP's, which produces failed logins on >n different UTM's within a timeframe x, and blacklist such clients. This could be maintained in a RBL style, which should be made available in the UTM facilities to block connections from such known bad behaving clients.
All the informations required to populate such a blacklist is available in the aua.log. I attached some sample loglines:
2014:01:24-10:17:00 asg01 aua: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="monitor" caller="smtp" reason="DENIED"
2014:01:24-22:36:30 asg01 aua: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="monitor" caller="webadmin" reason="DENIED"
2014:01:24-22:36:49 asg01 aua: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="monitor" caller="portal" reason="DENIED"
2014:01:24-22:32:18 asg01 aua: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="monitor" caller="sshd" reason="DENIED"
BTW: Maybe such collected real world attackers data also may be helpful for the ATP feature introduced in UTM 9.2 (as if a UTM customer IP appears in this blacklist, he could get a notification from his UTM, that something may be wrong in his network, because he got backlisted) and other databases with malicious sources maintained @Sophos Labs ?
there's already something similar asking for dsheild integration..:)
Sascha Paris commented
Shouldn't be that much impact. If it's solved like the country blocking feature, this are ipset's in iptables, whic runs quit performant (to completely block such bad bahaving clients), or why not implementing a RBL style solution for each facility supporting logins as SMTP Proxy, Webadmin, User Portal, SSH etc. and simply doing a short RBL lookup during connection attempt as in the spamfilter too ;o) As you usually don't have hundreds of logings to a facility per minute, this could be a nice way too.
However, performance is in this way my smallest concern. It's a nice way to also collect IP's of potential bots/zombies (btw: the above mentioned brute force attack to my smtp proxy is still ongoing - lowered allowed login attempts until block from 5 to 3 in the meanwhile;o)
Marcos Machado commented
I'm wondering the size this blacklist would get... Don't know how it will impact performance on a high demanding system.
Sascha Paris commented
Arr - just found little later a already existing, older feature request from a "john" which already collected a nice number of votes over the years. While both requests have lot of similarities in the general idea, my approach goes more in the direction, that Sophos generates a own blacklist based on data of failed UTM logins (and maybe in the future additional sources), the older request from john relates on external 3rd party blacklists ( http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/1982075-network-security-block-malicious-botnet-bad-ip-s- )
I see both methods as a good way to strengten the UTM security level, but I like my Sophos maintained blacklist approach, because it will base on data of ongoing real world attacks to UTM customers instead third party maintained blacklists.