Fail2ban banned users with a changed password

Hi Giacomo
I suggest implementing a big warning for the user:
“Please do not forget to immediately use the new password on your communication devices, especially mail accounts. Otherwise, there is the risk of being excluded from server access by implemented security features if several login attempts are registered with the old password.”

Background:
Fail2ban banned users with a changed password and they could not imagine why… big drama…
Sincerely, Marko

Hi, Marko. Moved your post to a new thread. It would be interesting to know more details about the case (in fact, another user suggested this shall be thoroughly explained and examined).

Is it like this?

  1. A user password was changed (by the user, by the admin or by any other means).
  2. A mail client with the old password keeps trying to authenticate.
  3. Fail2ban detects failed authentication in logs and blocks user’s IP.
  4. User is not able to use server resources.

No doubt Fail2ban is doing its job as it should.


I had the same issue myself: I changed a password to a stronger one for a user… this was the mistake… the user, even though aware, was banned by Thunderbird, then by Nextcloud, etc.

A good time :slight_smile:

At that time we only had recidive, but now with incremental bantime, if you set a short duration like one minute, the user can be out of jail fast.

Yes, by the user himself, using the self-service page.

  2. A mail client with the old password keeps trying to authenticate.

Exactly; after the first shock it was easy to identify from the logs, because the Dovecot jail had snapped shut.

  3. Fail2ban detects failed authentication in logs and blocks user’s IP.

Immediately.

  4. User is not able to use server resources.

He was completely excluded.

No doubt Fail2ban is doing its job as it should.

Well, it works as expected. :slight_smile:

Probably the user can be whitelisted for a time period. He might be shown a countdown.

A good workflow could be:

  1. User tries to save a changed password.
  2. A warning pops up with the note “Please make sure that you have exchanged the old password for the new one within the next ## minutes on ALL end devices, especially in the mail accounts. Otherwise, there is a risk that the implemented security features will prevent the further use of server functions.”
  3. Dialog to cancel (postpone the change) or confirm.
  4. Information mail to the admin that user YXZ changed his password, to be aware of issues with this account.

Best regards, Marko

Question is: is there any way to warn Fail2ban that the user has recently changed the password, to create some “grace time”?

Is there any kind of chance that some MITM attack could sweep the data for refining a brute-force attack?

I think not; we just grep a log failure, whatever the name of the user. It is true that we ban the connection to all services. Another approach could be to block only the network ports used by the service for the remote connection, but I think it is not possible with the shorewall-ipset banaction we use.

I would suggest to change the user’s password either with a VPN or when he uses the LAN of the company.

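As an added illustration of the mechanism discussed above (steps 1 to 4 in the thread, the incremental bantime mentioned for the Dovecot jail, and the “grace time” question), here is a small model of what a fail2ban jail does with Dovecot auth failures. It is not fail2ban’s code and not anything from the participants or their distribution: the regex is a reduced form of what the dovecot filter matches, the ban-length formula follows fail2ban’s documented default for `bantime.increment` (base bantime doubling with each previous ban, capped by `bantime.maxtime`), and the “grace list” with an expiry is an assumption of mine modelled on the real `fail2ban-client set <jail> addignoreip <ip>` (which, unlike this model, has no built-in expiry; the entry has to be removed again with `delignoreip`). Log lines, IPs and timings are constructed.

```python
"""Model of a fail2ban jail for the password-change scenario (added example).

Shows: per-IP counting of Dovecot auth failures (maxretry within findtime),
incremental ban lengths for repeat offenders, and a temporary ignore entry
("grace time" after a password change) that keeps a stale mail client from
tripping the jail. Not fail2ban's own code; parameters are constructed.
"""
import re
from collections import defaultdict, deque

# Assumption: a reduced form of the match fail2ban's dovecot filter makes
# against Dovecot "auth failed" disconnects; the real filter is broader.
AUTH_FAIL = re.compile(
    r"dovecot: \S+-login: Disconnected \(auth failed, \d+ attempts in \d+ secs\):"
    r" user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[0-9a-fA-F.:]+)"
)


def parse_failure(line):
    """Return (user, ip) for a Dovecot auth-failure line, else None."""
    m = AUTH_FAIL.search(line)
    return (m.group("user"), m.group("ip")) if m else None


class Jail:
    """Per-IP failure counting with incremental bans and a grace list."""

    def __init__(self, maxretry=5, findtime=600, bantime=60,
                 increment=True, maxtime=86400):
        self.maxretry, self.findtime = maxretry, findtime
        self.bantime, self.increment, self.maxtime = bantime, increment, maxtime
        self.failures = defaultdict(deque)    # ip -> failure timestamps in window
        self.failed_users = defaultdict(set)  # ip -> accounts seen failing (for the admin mail)
        self.ban_until = {}                   # ip -> expiry of the current ban
        self.ban_count = defaultdict(int)     # ip -> number of previous bans
        self.ignore_until = {}                # ip -> expiry of the grace period

    def add_ignore(self, ip, now, seconds):
        """Grace time: like `fail2ban-client set JAIL addignoreip IP`, with an expiry (assumption)."""
        self.ignore_until[ip] = now + seconds

    def is_banned(self, ip, now):
        return self.ban_until.get(ip, 0) > now

    def is_ignored(self, ip, now):
        return self.ignore_until.get(ip, 0) > now

    def next_bantime(self, ip):
        """Length of the next ban: bantime * 2**(previous bans), capped (documented default)."""
        if not self.increment:
            return self.bantime
        n = min(self.ban_count[ip], 20)
        return min(self.bantime * (1 << n), self.maxtime)

    def observe(self, now, line):
        """Feed one log line seen at time `now`; return the ban length if a ban starts."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        user, ip = parsed
        self.failed_users[ip].add(user)
        if self.is_ignored(ip, now) or self.is_banned(ip, now):
            return None
        window = self.failures[ip]
        window.append(now)
        while window and window[0] < now - self.findtime:  # drop hits outside findtime
            window.popleft()
        if len(window) < self.maxretry:
            return None
        duration = self.next_bantime(ip)
        self.ban_until[ip] = now + duration
        self.ban_count[ip] += 1
        window.clear()
        return duration


def stale_client_lines(start, count, ip="192.0.2.10", user="marko", every=30):
    """Constructed Dovecot lines: a mail client retrying its old password every 30 s."""
    return [
        (start + every * i,
         f"mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
         f"user=<{user}>, method=PLAIN, rip={ip}, lip=192.0.2.1, TLS, session=<s{i}>")
        for i in range(count)
    ]


def run_scenario(grace_seconds=0, rounds=1):
    """Replay `rounds` bursts of six failures; return (jail, [(time, ban length), ...])."""
    jail = Jail(maxretry=5, findtime=600, bantime=60)
    if grace_seconds:
        jail.add_ignore("192.0.2.10", 1000, grace_seconds)  # set right after the password change
    bans = []
    for r in range(rounds):
        for ts, line in stale_client_lines(1000 + 1000 * r, 6):
            d = jail.observe(ts, line)
            if d is not None:
                bans.append((ts, d))
    return jail, bans


if __name__ == "__main__":
    jail, bans = run_scenario()
    print("no grace:", bans, "accounts failing:", sorted(jail.failed_users["192.0.2.10"]))
    print("repeat offender:", run_scenario(rounds=3)[1])
    print("with 15 min grace:", run_scenario(grace_seconds=900)[1])
```

Running it shows the fifth failed attempt banning the client’s IP for one minute, the second and third bursts getting two and four minutes, and the same burst producing no ban at all while the grace entry is active. Because `failed_users` is recorded before the grace check, the account name is still available for the admin notification suggested earlier, and the grace entry only helps for the IP the user changed the password from, which is one more argument for doing the change from the LAN or over the VPN.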

This reminded me that discussion :

I just changed my Apple iCloud password and was really astonished that my heap of iDevices all took care of the password change without even a hiccup. It looks like the server is propagating the password change to the clients.

Of course there is also an option to let all clients disconnect in case the password was compromised.

That’s the way things should work…

Matthieu G. (en mode mobile)
