I suggest implementing a big warning for the user:
“Please do not forget to immediately use the new password on your communication devices, especially mail accounts. Otherwise, there is the risk of being excluded from server access by implemented security features if several login attempts are registered with the old password.”
Fail2ban banned users with a changed password and they could not imagine why… big drama…
Yes, by the user himself by using the self service page
A mail client with the old password keeps trying to authenticate.
exactly, after the first shock it was easy to identify from the logs because the Dovecot jail was snapped shut.
Fail2ban detects failed authentication in logs and blocks user’s IP.
User is not able to use server resources.
He was completely excluded.
No doubt Fail2ban is doing its job as it should.
Well, it works as expected.
Probably the user can be whitelisted for a time period. He might be shown a countdown.
A good workflow could be:
User tries to save a changed password.
A warning pops up with the note “Please make sure that you have exchanged the old password for the new one within the next ## minutes on ALL end devices, especially in the mail accounts. Otherwise, there is a risk that the implemented security features will prevent the further use of server functions.”
Dialog to cancel (postpone the change) or confirm.
Information mail to the admin that user YXZ changed his password, so that the admin is aware of issues with this account.
best regards, Marko
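One way to implement the "whitelist for a time period" idea from the workflow above, as an added example that is not code from this thread: after a self-service password change, the user's client IP is added to the Dovecot jail's ignore list (and unbanned if it was already caught), and removed again when the grace window ends. It assumes fail2ban's `fail2ban-client` is on the PATH, a jail named `dovecot`, and a constructed sample address; `F2B_CMD` exists only so the script can be dry-run.

```shell
#!/bin/sh
# Temporary fail2ban grace window around a password change (added example).
# F2B_CMD can be set to "echo" for a dry run; default is the real client.
F2B_CMD="${F2B_CMD:-fail2ban-client}"

valid_ipv4() {
    # Accept only a dotted quad, so a user-supplied value cannot smuggle
    # extra arguments into fail2ban-client.
    addr=$1
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

grace_start() {
    # Whitelist the client IP in the jail and lift any ban already in place.
    jail=$1; ip=$2
    valid_ipv4 "$ip" || return 1
    "$F2B_CMD" set "$jail" addignoreip "$ip" || return 1
    # unbanip fails when the IP is not banned; that is fine here.
    "$F2B_CMD" set "$jail" unbanip "$ip" 2>/dev/null || true
}

grace_end() {
    # Remove the whitelist entry again so the jail protects as before.
    jail=$1; ip=$2
    valid_ipv4 "$ip" || return 1
    "$F2B_CMD" set "$jail" delignoreip "$ip"
}

grace_window() {
    # Whole window: whitelist, wait the given minutes, remove whitelist.
    jail=$1; ip=$2; minutes=$3
    grace_start "$jail" "$ip" || return 1
    sleep $((minutes * 60))
    grace_end "$jail" "$ip"
}

# Stand-alone use: ./grace.sh --run dovecot 192.0.2.10 15   (constructed sample IP)
if [ "${1:-}" = "--run" ]; then
    grace_window "$2" "$3" "$4"
fi
```

A scheduler such as `at` or a systemd timer can replace the `sleep` if the script must not stay running; the admin mail from the workflow can be sent from `grace_start`.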
I think no, we just grep a log failure, whatever the name of the user. It is exact that we ban the connection to all services. Another approach could be to lock only the network ports used by the service to the remote connection, but I think it is not possible with the shorewall-ipset banaction we use.
I would suggest to change the user’s password either with a VPN or when he uses the LAN of the company.