Let LFD detect and block consequent login failures over long periods (slow brute forces)

2 posts Page 1 of 1
Oxilion
Junior Member
Posts: 1
Joined: 09 Feb 2018, 13:42


Dear ConfigServer team,

We're using CSF + LFD on many servers, with great effect ;)

One thing that could be improved in my opinion, is the detection and blocking of slow brute-force attackers, i.e. logins with long intermittent pauses, but continuing over long periods of time.

We know the effectiveness of detection of burst attacks, when more than LF_[application] login failures occur within LF_INTERVAL.

However, we've seen that some attackers have moved away from bursting login-attempts, to do a more gradual approach, trying a few logins, then waiting several minutes before trying again. This prevents triggering the LF_application triggers, but still presents a security risk, since the total number of attempts stacks up over months and years without detection and intervention.

So we would like to propose an additional detection mechanism:

If any IP address continuously fails to login, without ever logging in successfully, block this IP permanently when a sufficiently high number of consequently failed logins have been detected (say, 100 or any other relatively large number), regardless of the LF_INTERVAL setting.

If, however, a successful login is detected from that IP, reset the failed login counter to 0.

The idea is that we do not want to block genuine users who are having problems with their login credentials, but the premise is that these users will not try to continue their failed logins and contact their service provider after maybe 10 or 20 failed attempts. Once a successful login has been detected, the user is safe since the failed login counter is reset.

This will (hopefully) affect malicious actors, who try to sneakily attempt logins slowly to circumvent the regular LFD triggers.

Hoping you will consider this as a feature,

With kind regards

Hindrik Deelstra
Oxilion B.V.
marcele
Junior Member
Posts: 181
Joined: 17 Sep 2007, 17:02


Good idea. I've also seen an increase in these slow brute force attempts.
2 posts Page 1 of 1