While testing the LDAP server against brute force using patator ldap_login, I've figured out that the tested account gets locked after exceeding the limit of allowed login attempts. Using this tool, an attacker can lock all the accounts in the company. What is the best way to protect against such a lockout?
Protecting ldap server against accounts lockout caused by brute-force attacks
2.1k views. Asked by Tom.
If you're asking how you can use such a tool to verify passwords are suitably complex without locking out all of your accounts, clone your directory elsewhere. Set the password policy on the clone directory server to not lock accounts on bad passwords, then run your tool against the clone directory.
If you're asking how you can mitigate against someone else using that type of tool to lock out the entire directory of users ... I'm surprised this attack is not more common -- especially as security requirements like PCI require account lockout, so there's a good chance the directory will lock the ID after a fairly small number of bad passwords.
I restrict access to the LDAP directory servers using an OS firewall and, for LDAP servers that provide such function, application level access control. It makes more work for the directory support team because each new application has to get set up to access LDAP, but some random person cannot just run a tool on their desktop and lock out the entire directory. One of the authorized servers could still be used as an attack source, but I can drop access from that IP when an attack is discovered.
Restricting access to the LDAP/LDAPS directory server doesn't stop the random person from using an approved application to send authentication requests (e.g. something like "curl --user username:NotThePassword https://businessapp.domain.gTLD" or POSTing the username/NotThePassword to the right auth URL has an approved server make an LDAP call on my behalf). There are a lot of ways to mitigate this sort of attack:
I've had applications include a cool-down period when they start getting a series of bad passwords -- 6 bad passwords locks the account on the directory side, but the application gives you a ten-minute timeout where you cannot try to auth again at 2 or 3 bad passwords in 5 minutes. Or it throws an "are you really a human" validation.
You can configure your password policy to lock accounts for X minutes after Y bad passwords. This means an attacker would require a sustained attack against a specific ID to keep it locked out for a significant period of time. While an attacker can lock your entire directory, the impact to users is minimized. The X minute pause makes brute force password attacks quite inefficient and generally gets OK'd from security types.
Having user IDs that are not easily walked in an algorithm helps a little. As an example, I worked for a company where user IDs were a static letter followed by five numbers. Walking the entire namespace of their possible user IDs was trivial, and anyone who worked there knew the ID format. An ID namespace with more possible iterations makes it more difficult to lock out a significant portion of the users (i.e. it takes more time to walk through all possible letter/number combinations that are between three and twenty characters {and a lot of the attack is performed against accounts that do not exist} than it takes to walk the X##### namespace).
Ensure all applications return the same error for invalid username or password too -- if you specify "invalid username" when an ID is not found and "invalid password" when the password fails, an attacker can quickly bypass any IDs that don't exist. By returning "bad username or password", they have to waste time attempting to lock non-existent IDs.
For a larger network, an intrusion detection system (IDS) that includes network traffic and log analysis could be used. But directory server log data can also be analyzed through a monitoring platform or custom-written scripts. I generate alerts when an abnormal number of lockouts occurs -- working for a fairly large company, I see a hundred or so lockouts during normal business hours and one or two in the overnight hours. If we're seeing more than a handful in an overnight hour or a thousand during business hours, the lockout source gets notified to investigate. And if the lockouts start getting particularly excessive, we can make the call to remove the source IP from the directory server access list until the application team can figure out what's going on.
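The lockout-rate alerting described in the last paragraph, as an added example that is not part of the original answer: it buckets lockout events per hour, applies the answer's business-hour versus overnight thresholds, and reports the source IP behind each spike so the access-list decision has a target. The log line format, the 08:00-17:59 business window and the sample events are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed (hypothetical) log format: "<ISO timestamp> LOCKOUT uid=<user> src=<ip>"
LOCKOUT_RE = re.compile(r"^(\S+) LOCKOUT uid=(\S+) src=(\S+)$")

# Thresholds from the answer: ~100 lockouts/hour is normal in business hours,
# one or two overnight; alert past "a handful" overnight or 1000 in business hours.
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 counts as business hours
OVERNIGHT_ALERT = 5
BUSINESS_ALERT = 1000


def analyze(lines):
    """Return one alert per hour whose lockout count exceeds its threshold."""
    per_hour = Counter()
    sources = defaultdict(Counter)
    for line in lines:
        m = LOCKOUT_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not lockout events
        ts = datetime.fromisoformat(m.group(1))
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        per_hour[bucket] += 1
        sources[bucket][m.group(3)] += 1
    alerts = []
    for bucket, n in sorted(per_hour.items()):
        limit = BUSINESS_ALERT if bucket.hour in BUSINESS_HOURS else OVERNIGHT_ALERT
        if n > limit:
            top_src, top_n = sources[bucket].most_common(1)[0]
            alerts.append({"hour": bucket.isoformat(), "lockouts": n, "limit": limit,
                           "top_source": top_src, "from_top_source": top_n})
    return alerts


# Constructed sample: 3 daytime lockouts (normal) and 7 in one overnight hour,
# 6 of them from a single source, plus an unrelated line that must be skipped.
SAMPLE_LOG = [
    "2024-03-01T14:05:10 LOCKOUT uid=a12345 src=10.1.1.20",
    "2024-03-01T14:07:22 LOCKOUT uid=a12346 src=10.1.1.21",
    "2024-03-01T14:40:01 LOCKOUT uid=a12399 src=10.1.1.22",
    "2024-03-02T02:30:00 LOCKOUT uid=a19999 src=10.1.1.21",
    "2024-03-02T02:31:00 BIND uid=a10001 src=10.1.1.9 result=success",
] + [f"2024-03-02T02:{i:02d}:00 LOCKOUT uid=a1{i:04d} src=10.1.1.50" for i in range(6)]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```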