
Global Bot / Script Kiddie / Brute Force IP Blacklist

Sophos should maintain a blacklist of Bots / Script Kiddies / Brute Force attackers based on big data of failed logins on UTMs.

Problem to solve:
There are a lot of (often automated) login attempts to the different publicly available UTM facilities such as SMTP (authenticated relaying), User Portal, Webadmin, SSH, Reverse Proxy. On my UTM I have, for example, had an ongoing brute force attack on the smtp proxy for weeks, as authenticated relaying is allowed on it. Blocking those bots after 5 attempts helps only marginally, as they automatically switch to other bots (new IP) and continue the brute force attack. In the meantime I have collected hundreds of IP addresses from where the attacks originated.

Idea:
UTM customers should be able to opt in, by choice, to a kind of Sophos maintained "Bot / Script Kiddie / Brute Force IP Blacklist", which is populated with source IPs of failed logins on public facing UTM facilities such as Webadmin, User Portal, SMTP, SSH etc.

The Sophos maintained blacklist should check this collected data for source IPs which produce failed logins on >n different UTMs within a timeframe x, and blacklist such clients. This could be maintained in RBL style, which should be made available in the UTM facilities to block connections from such known badly behaving clients.

All the information required to populate such a blacklist is available in the aua.log. I attached some sample loglines:

aua.log

2014:01:24-10:17:00 asg01 aua[27407]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="monitor" caller="smtp" reason="DENIED"

2014:01:24-22:36:30 asg01 aua[31072]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="monitor" caller="webadmin" reason="DENIED"

2014:01:24-22:36:49 asg01 aua[31126]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="monitor" caller="portal" reason="DENIED"

2014:01:24-22:32:18 asg01 aua[30268]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="monitor" caller="sshd" reason="DENIED"

BTW: Maybe such collected real-world attacker data may also be helpful for the ATP feature introduced in UTM 9.2 (if a UTM customer's IP appears in this blacklist, he could get a notification from his UTM that something may be wrong in his network, because he got blacklisted) and for other databases of malicious sources maintained at Sophos Labs?

23 votes
Sascha Paris shared this idea
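The aggregation the request describes (source IPs with failed logins on more than n distinct UTMs within a timeframe x) as an added example, not code from the post or from Sophos: it parses the aua.log line format shown above and runs over constructed sample lines that use documentation-range IPs and hypothetical hostnames asg02/asg03.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog prefix + aua[pid] + key="value" pairs, as in the aua.log lines above
LINE_RE = re.compile(r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) aua\[\d+\]: (?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: 203.0.113.7 fails on three UTMs within an hour,
# 198.51.100.4 fails on two UTMs four days apart (hostnames asg02/asg03 are hypothetical)
SAMPLE = """\
2014:01:24-10:17:00 asg01 aua[27407]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="203.0.113.7" user="monitor" caller="smtp" reason="DENIED"
2014:01:24-10:25:12 asg02 aua[1201]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="203.0.113.7" user="admin" caller="webadmin" reason="DENIED"
2014:01:24-10:40:03 asg03 aua[889]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="203.0.113.7" user="root" caller="sshd" reason="DENIED"
2014:01:20-08:00:00 asg02 aua[77]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="198.51.100.4" user="monitor" caller="smtp" reason="DENIED"
2014:01:24-22:36:49 asg01 aua[31126]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="198.51.100.4" user="monitor" caller="portal" reason="DENIED"
"""

def parse_aua_line(line):
    """Return a dict of the key="value" fields plus 'ts' (datetime) and 'host', or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group('kv')))
    rec['ts'] = datetime.strptime(m.group('ts'), '%Y:%m:%d-%H:%M:%S')
    rec['host'] = m.group('host')
    return rec

def failed_logins(lines):
    """Yield only id=3005 'Authentication failed' records."""
    for line in lines:
        rec = parse_aua_line(line)
        if rec and rec.get('id') == '3005' and rec.get('name') == 'Authentication failed':
            yield rec

def blacklist(lines, min_utms, window):
    """IPs that failed logins on at least min_utms distinct UTMs inside any sliding window."""
    events = defaultdict(list)                     # srcip -> [(ts, host), ...]
    for rec in failed_logins(lines):
        events[rec['srcip']].append((rec['ts'], rec['host']))
    bad = set()
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):                # slide the window over sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({h for _, h in evs[start:end + 1]}) >= min_utms:
                bad.add(ip)
                break
    return sorted(bad)

if __name__ == '__main__':
    print(blacklist(SAMPLE.splitlines(), min_utms=3, window=timedelta(hours=1)))
```

The window and threshold are the "timeframe x" and "n" of the request; an RBL publisher would re-run this over the pooled logs of all opted-in UTMs.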

4 comments

      • Sascha Paris commented:

        Hello Marcos

        Shouldn't be that much impact. If it's solved like the country blocking feature, these are ipsets in iptables, which run quite performant (to completely block such badly behaving clients), or why not implement an RBL style solution for each facility supporting logins such as SMTP Proxy, Webadmin, User Portal, SSH etc. and simply do a short RBL lookup during the connection attempt, as in the spamfilter too ;o) As you usually don't have hundreds of logins to a facility per minute, this could be a nice way too.

        However, performance is in this way my smallest concern. It's a nice way to also collect IPs of potential bots/zombies (btw: the above mentioned brute force attack on my smtp proxy is still ongoing - I lowered the allowed login attempts until block from 5 to 3 in the meanwhile ;o)

      • Marcos Machado commented:

        I'm wondering what size this blacklist would get... I don't know how it will impact performance on a high demand system.

      • Sascha Paris commented:

        Arr - just found a little later an already existing, older feature request from a "john" which has already collected a nice number of votes over the years. While both requests have a lot of similarities in the general idea, my approach goes more in the direction that Sophos generates its own blacklist based on data of failed UTM logins (and maybe in the future additional sources); the older request from john relies on external 3rd party blacklists ( http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/1982075-network-security-block-malicious-botnet-bad-ip-s- )

        I see both methods as a good way to strengthen the UTM security level, but I like my Sophos maintained blacklist approach, because it will be based on data of ongoing real world attacks on UTM customers instead of third party maintained blacklists.
