We have just deployed Expressway MRA for a customer and they are now complaining that it is possible for a hacker to use a Jabber client to lock out their Jabber enabled domain accounts. There concerns are that someone could obtain the usernames from their email addresses and potentially download a Jabber client and attempt to login's to many accounts.
Has anyone had these concerns come up before and has any answers, I undertand SSO would be an option, however im interested if there are any other options?
Expressway includes a feature that can help mitigate an account lock out or brute force password attack. Specifically it's the "HTTP proxy authorization failure" rule under the automated detection configuration.
You can find more details in our admin guide on page 33, under the name automated detection (and sometimes automated intrusion protection).
As we note in the MRA deployment guide, do not enable the “HTTP proxy resource access failure” rule (a similarly worded but different rule). Phones and Jabber clients regularly request files that are not always available (by design), and these failed GET requests can end up triggering this rule (false positive) and blocking access to your end users.
I think the problem is the same with outlook web access, and many other tools.
I think the answer has to be a combination of the expressway automatic detection feature, and a sensible (And aware) account lockout policy within AD.
Automatic detection may be capable of stopping the brute force attacks but the customer has to decide how far they want to go with it (how many bad password attempts are allowed)
We are using SSO and also we are checking daily the Search History and Event Logs to see who is trying to connect to us. We are blocking manually those segments in System/ Protection/Firewall rules/Configuration. Make sure that UDP mode is off under the SIP configuration and add a firewall rule to drop those connections by TCP (Ports 0 to 65535). After that you will see that the call attempts will stop. These are some that we have detected in our system.
Prefix length Rearrange
126.96.36.199 RZ Universitaet Freiburg
188.8.131.52 CLOUD STAR HOSTING SERVICES
184.108.40.206 Abuse-C Role
220.127.116.11 Abuse-C Role
18.104.22.168 Zilvinas Vaickus
22.214.171.124 Internet-Cosmos LLC-Russia
126.96.36.199 Empresa de Telecomunicaciones de Cuba, S.A.
188.8.131.52 Deutsche Telekom Abuse Contact
184.108.40.206 Chad Abizeid-nm@nm
220.127.116.11 Linode Network Operations, PA, USA
18.104.22.168 Sympatico HSE-CA