Blocking legitimate mail users
  1. Mauritz K
  2. Friday, 03 August 2018
We have a huge issue with Imunify blocking legitimate users.

For example,

There is an office with 10 people.
1 user is entering a password incorrectly, triggering:

Dovecot Invalid User Login Attempt.
Exim Auth failed
Dovecot brute force attack (multiple auth failures).

This 1 user then gets the entire office IP blocked and 9 other people can't get their mail.

cPHulk will actually block only the 1 offending mail user.

How can we solve this?
  1. 03.08.2018 12:08:04
  2. # 1
Posts: 187
Joined: 31.01.2017
Hi Mauritz,

We are going to resolve this issue in our advanced bruteforce protection module (internal task id DEF-4079). Meanwhile, you can add the IP address to the Imunify360 whitelist so no blocking will occur for it going forward.
  1. 03.08.2018 13:08:23
  2. # 2
Mauritz K
Posts: 3
Joined: 03.08.2018
Hi,

When is the Advanced Bruteforce Module scheduled for release? I know you can't say exactly, but are we talking days, weeks or months from now?
  1. 03.08.2018 14:08:07
  2. # 3
Posts: 187
Joined: 31.01.2017
Current ETA is Q4'2018
  1. 04.08.2018 06:08:08
  2. # 4
Mauritz K
Posts: 3
Joined: 03.08.2018
Thank you.

In the meantime, can we disable the rules being triggered and enable cPhulk until Q3?
  1. 05.08.2018 20:08:32
  2. # 5
Posts: 187
Joined: 31.01.2017
Yes, just re-enable cPHulk and it will make Imunify360 disable ossec IDS.
  1. 28.11.2018 13:11:40
  2. # 6
Mauritz
Do we know if this has been implemented in 3.8.x already?

This issue is killing us.
  1. 28.11.2018 14:11:44
  2. # 7
Posts: 187
Joined: 31.01.2017
Mauritz,

No, it is not there in 3.8.x. Please re-enable cPHulk if you are sure it is the Imunify360 IDS (ossec) that is causing the issue.
  1. 13.02.2019 14:02:08
  2. # 8
Mauritz K
Posts: 3
Joined: 03.08.2018
Hi,

Q4, 2018 has come and gone.

Is this still going to be implemented at some point?
  1. 18.02.2019 20:02:50
  2. # 9
Posts: 187
Joined: 31.01.2017
This might be implemented (no confirmed ETA as of now) as part of mail protocols' captcha - users will receive a custom response in their email agents with instructions on how to unblock their IP. Another workaround can be to point a browser from an office IP to any http(s) website on the server and pass the Imunify360 captcha - the office IP address will be added to the Imunify360 whitelist upon that.
  1. 29.04.2019 22:04:03
  2. # 10
John
Posts: 0
Joined: 22.05.2019
when?

this is a serious problem that needs to get fixed.

only way right now is to set ossec custom settings to crazy values like 60 attempts in 10 min.
  1. 30.04.2019 16:04:16
  2. # 11
John
Posts: 0
Joined: 22.05.2019
you guys are overcomplicating this....

if there is more than X (2 to 5) users behind an IP authenticating correctly then whitelist that IP for 30 min with the counter resetting on next good auth.

your software needs to stop blocking office of 200 people when one person has a bad password in their mail client.

this is a CRITICAL problem with your software, and needs attention ASAP.

I strongly suggest some effort is put into fixing this and less time put into features like multi server dashboard.

Thanks
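
The heuristic proposed in post #11, sketched as an added example (it is not part of the thread and is not Imunify360, OSSEC or cPHulk code). The function name, event tuple layout and threshold values are assumptions, "counter resetting on next good auth" is read as the 30-minute window restarting at each successful login, and the events are constructed.

```python
from collections import defaultdict, deque

MIN_GOOD_USERS = 3        # "X (2 to 5)" from the post; 3 is an assumed pick
ALLOW_SECONDS = 30 * 60   # "whitelist that IP for 30 min"
MAX_FAILS = 5             # assumed failure threshold
FAIL_WINDOW = 10 * 60     # assumed counting window, in seconds


def decide_blocks(events, shared_ip_aware=True):
    """events: time-ordered (ts, ip, user, ok). Returns the block decisions."""
    last_good = defaultdict(dict)   # ip -> {user: ts of last successful auth}
    fails = defaultdict(deque)      # counter key -> recent failure timestamps
    blocks = []
    for ts, ip, user, ok in events:
        if ok:
            last_good[ip][user] = ts        # a good auth restarts that user's window
            continue
        recent = [u for u, t in last_good[ip].items() if ts - t <= ALLOW_SECONDS]
        shared = shared_ip_aware and len(recent) >= MIN_GOOD_USERS
        # Shared IP: count failures per (ip, user). Otherwise count per IP.
        key = (ip, user) if shared else (ip, None)
        q = fails[key]
        q.append(ts)
        while q and ts - q[0] > FAIL_WINDOW:
            q.popleft()
        if len(q) >= MAX_FAILS:
            blocks.append(("user", ip, user) if shared else ("ip", ip, None))
            q.clear()
    return blocks


def sample_events():
    """Constructed events: an office behind one IP plus an unrelated guessing source."""
    office, other = "203.0.113.10", "198.51.100.7"
    ev = [(i * 10, office, f"user{i}", True) for i in range(4)]
    ev += [(100 + i * 20, office, "user9", False) for i in range(5)]
    ev += [(300 + i * 5, other, f"guess{i}", False) for i in range(5)]
    return ev


if __name__ == "__main__":
    print("per-IP only :", decide_blocks(sample_events(), shared_ip_aware=False))
    print("shared-aware:", decide_blocks(sample_events()))
```

With `shared_ip_aware=False` the same events block the whole office IP. On an IP treated as shared, failures spread across many usernames stay under every per-user counter, so a separate, higher per-IP ceiling is still needed.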
  1. 30.04.2019 17:04:19
  2. # 12
Linuc
Agree, this is still a nightmare for us as well. Running 30 servers with IM360 but have to disable exim and dovecot rules from ossec so that cPHulk can manage those properly, on a per-user basis instead of blocking the IP.

Sad but true.
  1. 01.05.2019 19:05:35
  2. # 13
Greg Zemskov
Posts: 19
Joined: 16.11.2018
Hi, we're looking into the issue at the moment.
  1. 07.05.2019 10:05:11
  2. # 14
Mauritz K
Hi,

Any updates on this issue?
  1. 07.05.2019 10:05:31
  2. # 15
Greg Zemskov
Posts: 19
Joined: 16.11.2018
Hi Mauritz, we will change the way Imunify360 processes those login failures (will whitelist IPs) and enable cpHulk back.
  1. 07.05.2019 16:05:35
  2. # 16
John Shielsl
Posts: 0
Joined: 22.05.2019
when?

this issue was reported months ago. instead of fixing it dev time has been put into cosmetic changes and new features. can we spend some time to get these bugs fixed please?
  1. 12.05.2019 15:05:53
  2. # 17
Mauritz
From CL official account, I would like to know:

1. I understand that your software will change the way the rules are processed, BUT
2. Are you suggesting that your software will re-enable cPhulk to deal with this on a per-user basis?

Sounds like a quick workaround, rather than a professional solution.
  1. 13.05.2019 13:05:35
  2. # 18
Greg Zemskov
Posts: 19
Joined: 16.11.2018
Hi Mauritz,
we're reworking the blocking approach at the moment, but as you correctly notice, a quick workaround is to enable cpHulk as it's managing on a per-user basis. But this is not the only fix we're going to introduce regarding the issue. Thanks!
  1. 13.05.2019 17:05:12
  2. # 19
John Shiells
Posts: 0
Joined: 22.05.2019
ok, so what about us, we use Plesk, when is our fix coming...
  1. 22.05.2019 07:05:23
  2. # 20
Sergey
Posts: 1
Joined: 20.05.2019
Hi John,
This is a hard problem, we are working on it - but we have no ETA right now on when it will be solved.
Thanks!