We have just deployed Expressway MRA for a customer and they are now complaining that it is possible for a hacker to use a Jabber client to lock out their Jabber enabled domain accounts. There concerns are that someone could obtain the usernames from their email addresses and potentially download a Jabber client and attempt to login's to many accounts.
Has anyone had these concerns come up before and has any answers, I undertand SSO would be an option, however im interested if there are any other options?
Expressway includes a feature that can help mitigate an account lock out or brute force password attack. Specifically it's the "HTTP proxy authorization failure" rule under the automated detection configuration.
You can find more details in our admin guide on page 33, under the name automated detection (and sometimes automated intrusion protection).
As we note in the MRA deployment guide, do not enable the “HTTP proxy resource access failure” rule (a similarly worded but different rule). Phones and Jabber clients regularly request files that are not always available (by design), and these failed GET requests can end up triggering this rule (false positive) and blocking access to your end users.
I think the problem is the same with outlook web access, and many other tools.
I think the answer has to be a combination of the expressway automatic detection feature, and a sensible (And aware) account lockout policy within AD.
Automatic detection may be capable of stopping the brute force attacks but the customer has to decide how far they want to go with it (how many bad password attempts are allowed)
We are using SSO and also we are checking daily the Search History and Event Logs to see who is trying to connect to us. We are blocking manually those segments in System/ Protection/Firewall rules/Configuration. Make sure that UDP mode is off under the SIP configuration and add a firewall rule to drop those connections by TCP (Ports 0 to 65535). After that you will see that the call attempts will stop. These are some that we have detected in our system.
Prefix length Rearrange
22.214.171.124 RZ Universitaet Freiburg
126.96.36.199 CLOUD STAR HOSTING SERVICES
188.8.131.52 Abuse-C Role
184.108.40.206 Abuse-C Role
220.127.116.11 Zilvinas Vaickus
18.104.22.168 Internet-Cosmos LLC-Russia
22.214.171.124 Empresa de Telecomunicaciones de Cuba, S.A.
126.96.36.199 Deutsche Telekom Abuse Contact
188.8.131.52 Chad Abizeid-nm@nm
184.108.40.206 Linode Network Operations, PA, USA
220.127.116.11 Sympatico HSE-CA