
question about brute force attacks

How does IronPort deal with brute force attacks on ssh and https?
Is there some kind of control?

If someone leaves IronPort's 22 and 443 ports "open" to the internet, it would be a problem if IronPort does not control the number of invalid login attempts...


no one knows? or do you just not think that it's a point?


If someone leaves IronPort's 22 and 443 ports "open" to the internet, it would be a problem if IronPort does not control the number of invalid login attempts...


IMHO, it is better if IronPort could have this feature, iptables-like or firewall-like, that secures port 22 or 443.

Somehow, if our dedicated firewall is broken, our router ACL is broken, then the firewall on the appliances is a must have :)

Donald Nash
Level 3

IMHO, it is better if IronPort could have this feature, iptables-like or firewall-like, that secures port 22 or 443.

AsyncOS is just FreeBSD under the hood, and FreeBSD has ipfw. So the foundation is there (assuming they haven't modified the FreeBSD kernel they use to remove it), they just need to expose an interface to it.

ok. here is the deal: somehow internet crawlers are indexing many ironports with HTTPS wide open to the net... Actually i've seen some guy at defcon14 talking about how to use google to find targets without being flagged, and i was wondering if i could do this to find ironports... Bingo.

so, i think we need to spend some time discussing this issue, that is not a huge issue, but i keep telling, someone might have had troubles with this, especially when they don't update AsyncOS (in fact, this is the case!)


i would recommend reading the Robots Exclusion Protocol

this probably contains our solution...

Donald Nash
Level 3

i would recommend reading the Robots Exclusion Protocol

this probably contains our solution...

The REP is great for crawlers which obey it, and would certainly limit the black hats' ability to find IronPort MGAs via Google. But it wouldn't stop a black hat crawler. You need a firewall of some sort for that, which gets us back to the beginning of this thread.

uhm, i think it would be against Ironport Systems' main purpose, which is to keep the appliances doing only their job. If you give a firewall, ppl will be able to use ironport for other tasks beyond the MT task, and i think it's not wise...

But just in case, do you guys really think ironportnation's forums have enough spot for this kind of discussion? hehe

Donald Nash
Level 3

uhm, i think it would be against Ironport Systems' main purpose, which is to keep the appliances doing only their job. If you give a firewall, ppl will be able to use ironport for other tasks beyond the MT task, and i think it's not wise...

I'm not talking about using it as a firewall to protect other systems. I'm talking about it having a built-in software firewall for protecting itself.

But just in case, do you guys really think ironportnation's forums have enough spot for this kind of discussion?

You're the one who started this thread. If you don't think this is an appropriate place for it then why did you start it?

uhm, i think it would be against Ironport Systems' main purpose, which is to keep the appliances doing only their job. If you give a firewall, ppl will be able to use ironport for other tasks beyond the MT task, and i think it's not wise...

I'm not talking about using it as a firewall to protect other systems. I'm talking about it having a built-in software firewall for protecting itself.


Ok, i understand what you say, but i cannot see the major usefulness of the built-in fw. If you really want your system to be safe, just don't run the stuff. Keep ssh and https disabled on the public interface.

In the beginning, i was concerned about ppl that leave the ssh and https ports open to the net. And when i say open, i really mean without fw.

I think we are missing the spot.


But just in case, do you guys really think ironportnation's forums have enough spot for this kind of discussion?

You're the one who started this thread. If you don't think this is an appropriate place for it then why did you start it?


Ok, what i'm trying to say is that, in my (silly) opinion, ironportnation's forums should be more visited, more commented. I don't see the ironport's legion here. Many ppl just sign in and almost never log in.

But who cares about my opinion? so let's not discuss it, let's forget it.

I keep thinking that 'Robot Exclusion Protocol' should be considered.
If you don't agree, check it out

another tip, the crawler is indexing the 'login help' page.

Donald Nash
Level 3

If you really want your system to be safe, just don't run the stuff. Keep ssh and https disabled on the public interface.

It's not always that easy. In our setup, for example, if ssh and https were not enabled on the public interfaces then I couldn't manage the units at all.

I use the FreeBSD ipfw to great effect on other systems. It has absolutely eliminated the routine ssh "door knob rattling" that we used to see in our logs.

If you really want your system to be safe, just don't run the stuff. Keep ssh and https disabled on the public interface.

It's not always that easy. In our setup, for example, if ssh and https were not enabled on the public interfaces then I couldn't manage the units at all.

I use the FreeBSD ipfw to great effect on other systems. It has absolutely eliminated the routine ssh "door knob rattling" that we used to see in our logs.


ok, now i've seen your point.

So if we have access to some feat where we can choose the IPs with permission to connect to the appliance through https and ssh, like the private relay permission, i really think that would solve the issues and would keep things simple.

what do you think?

Donald Nash
Level 3

So if we have access to some feat where we can choose the IPs with permission to connect to the appliance through https and ssh, like the private relay permission, i really think that would solve the issues and would keep things simple.

Yes, that's exactly what I had in mind. And like I said before, AsyncOS is based on FreeBSD, and FreeBSD includes ipfw, which does exactly this. All they'd need to do is expose an interface to it.

So if we have access to some feat where we can choose the IPs with permission to connect to the appliance through https and ssh, like the private relay permission, i really think that would solve the issues and would keep things simple.

Yes, that's exactly what I had in mind. And like I said before, AsyncOS is based on FreeBSD, and FreeBSD includes ipfw, which does exactly this. All they'd need to do is expose an interface to it.


it would spare you from configuring many firewalls to keep your appliances safe, wouldn't it?

i am not used to taking care of more than one appliance, so in the beginning i was confused, but now i can understand it :-)
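
The source allowlist for ssh and https discussed in this thread, written as ipfw rules for a generic FreeBSD host. This is an added example, not part of any post and not an AsyncOS feature (the posts above note that AsyncOS does not expose ipfw). The source networks, rule numbers and the helper names `valid_source` and `gen_rules` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print an ipfw rule list that limits a FreeBSD host's
# management ports (ssh 22, https 443) to an allowlist of source networks.
# The script only prints rules for review; it never runs ipfw.

# Constructed sample allowlist (documentation address ranges, not real hosts).
MGMT_SOURCES="192.0.2.0/24 198.51.100.10"
MGMT_PORTS="22,443"
DENY_RULE=1900   # assumed rule number for the final deny

# Accept only an IPv4-shaped address or address/prefix, so nothing else
# (options, extra rule text) can end up inside a generated rule.
valid_source() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# gen_rules "<space-separated sources>" "<ports>"
# Prints one allow rule per source, then a logged deny for everyone else.
# Returns 1 and prints no rule if the list is empty, malformed or too long.
gen_rules() {
    sources=$1; ports=$2; num=1000; out=""
    [ -n "$sources" ] || { echo "empty allowlist" >&2; return 1; }
    for src in $sources; do
        valid_source "$src" || { echo "bad source: $src" >&2; return 1; }
        [ "$num" -lt "$DENY_RULE" ] || { echo "too many sources" >&2; return 1; }
        out="${out}add ${num} allow tcp from ${src} to me ${ports} in
"
        num=$((num + 10))
    done
    # ipfw stops at the first matching rule, so the deny must be numbered
    # after every allow rule.
    printf '%sadd %s deny log tcp from any to me %s in\n' "$out" "$DENY_RULE" "$ports"
}

gen_rules "$MGMT_SOURCES" "$MGMT_PORTS"
```

The allowlist has to contain the address you administer from before such rules are loaded, otherwise the final deny rule cuts off your own ssh and https sessions.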
