Brian J. Murrell via FreeIPA-users wrote:
> I am having intermittent login failures on some of my accounts.  One
> minute a user will be refused a login attempt, yet if they wait a bit
> they are able to log in.
> 
> I suspect this is happening due to accounts being temporarily locked by
> FreeIPA due to repeated login failures.  Unfortunately it seems that
> the locking of accounts due to repeated authentication failures is not
> logged anywhere, so I can really only just theorize about this.
> 
> I further suspect that the repeated login failures that are locking
> accounts are due to public facing services such as SMTP, IMAP, etc.
> being brute-force attacked.
> 
> I do use fail2ban to block IP addresses of repeat offenders of password
> failures on those (and other, even) services but that doesn't work so
> well when the attack is distributed from a bot-net and using hundreds,
> if not thousands, if not hundreds-of-thousands of IP addresses to
> attack from and so not attempting from the same IP address frequently
> enough to trigger fail2ban.
> 
> Surely I must not be the first person to experience this kind of
> intermittent failure due to a distributed brute-force password attack.
> 
> I'm wondering how any/everyone else handles this.  Do you simply
> disable the repeated-failure-account-locking functionality?
> 
> The only (partial-only even) mitigation I can imagine is where
> authentication requests to FreeIPA come with some kind of "zone"
> information (i.e. the IP address/network/etc.) that an authentication
> request is coming from and being able to set different policies for
> different zones.  At least that way I can have accesses from an
> external (i.e. the Internet) zone subject to the account locking
> policies, but not have our intranet subject to them (or subject to a
> different policy perhaps) so that at least the 95% of our use-cases,
> which are on the intranet are not being tripped up by account locking
> by external authentication failures.
> 
> But I really doubt such a scheme is even possible.
> 
> So looking for other solutions/suggestions if anyone has any.

It is logged for Kerberos requests. You'd see "Client's credentials have
been revoked"

It looks like for LDAP bind requests they are not logged at all.

I opened an upstream ticket for this, https://pagure.io/freeipa/issue/9742

rob

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

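Rob's reply gives the one observable the thread has for Kerberos: a locked-out principal is refused with "Client's credentials have been revoked" in the KDC log. The following is an added example, not code from the thread, from Brian, Rob or the FreeIPA project: it parses krb5kdc.log AS_REQ outcome lines and aggregates them per principal rather than per source address, which is the view fail2ban lacks and the one that makes a distributed attack against a single account visible. Only the revocation message is taken from Rob's reply; the line layout (modelled on MIT krb5's KDC logging), the PREAUTH_FAILED/LOCKED_OUT status tokens, the host, realm, principals and addresses are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# The message the KDC writes when a locked-out principal tries to authenticate,
# as quoted in Rob's reply. Everything else about the line layout below is an
# assumption modelled on MIT krb5's krb5kdc.log, not taken from the thread.
REVOKED_MSG = "Client's credentials have been revoked"

# syslog timestamp, host, "krb5kdc[pid](info): AS_REQ (etypes) <ip>: <STATUS>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): "
    r"AS_REQ \([^)]*\) (?P<ip>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <service principal>" somewhere in the rest of the line
PRINC_RE = re.compile(r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+)")


def parse_kdc_line(line):
    """Return the AS_REQ outcome on one log line, or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    p = PRINC_RE.search(m["rest"])
    if p is None:
        return None
    return {
        "ts": m["ts"],
        "ip": m["ip"],
        "status": m["status"],
        "client": p["client"],
        # Key on the message Rob cited, not on the status token, which is an
        # assumption here.
        "locked_out": REVOKED_MSG in m["rest"],
    }


def summarize(lines):
    """Per-principal view: failed pre-auths, refusals while locked, time of the
    first refusal, and the set of source addresses involved."""
    stats = defaultdict(lambda: {"failures": 0, "lockouts": 0,
                                 "first_lockout": None, "ips": set()})
    for line in lines:
        ev = parse_kdc_line(line)
        if ev is None or ev["status"] == "ISSUE":   # skip successes and other lines
            continue
        s = stats[ev["client"]]
        s["ips"].add(ev["ip"])
        if ev["locked_out"]:
            s["lockouts"] += 1
            if s["first_lockout"] is None:
                s["first_lockout"] = ev["ts"]
        else:
            s["failures"] += 1
    return dict(stats)


def distributed_sources(stats, min_ips=3):
    """Principals hit from at least min_ips distinct addresses: the spread-out
    pattern a per-address tool like fail2ban never sees enough of to act on."""
    return sorted(c for c, s in stats.items() if len(s["ips"]) >= min_ips)


def _kdc_line(ts, ip, status, client, tail):
    # Builder for the constructed sample below; host and realm are made up.
    return (f"{ts} ipa.example.test krb5kdc[1234](info): AS_REQ (8 etypes "
            f"{{18 17 20 19 16 23 25 26}}) {ip}: {status}: {client} "
            f"for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST{tail}")


# Constructed sample: five failures against bob from four addresses (one or two
# tries each, so no single address trips a per-IP threshold), then bob refused
# from an intranet address because the account is now locked; alice is normal.
FAIL = ", Preauthentication failed"
SAMPLE_LOG = [
    _kdc_line("Jun 12 10:15:01", "198.51.100.10", "PREAUTH_FAILED", "bob@EXAMPLE.TEST", FAIL),
    _kdc_line("Jun 12 10:15:09", "198.51.100.10", "PREAUTH_FAILED", "bob@EXAMPLE.TEST", FAIL),
    _kdc_line("Jun 12 10:15:17", "198.51.100.11", "PREAUTH_FAILED", "bob@EXAMPLE.TEST", FAIL),
    _kdc_line("Jun 12 10:15:24", "203.0.113.7", "PREAUTH_FAILED", "bob@EXAMPLE.TEST", FAIL),
    _kdc_line("Jun 12 10:15:31", "203.0.113.8", "PREAUTH_FAILED", "bob@EXAMPLE.TEST", FAIL),
    _kdc_line("Jun 12 10:15:40", "192.0.2.20", "LOCKED_OUT", "bob@EXAMPLE.TEST", ", " + REVOKED_MSG),
    # A success: ISSUE lines carry authtime and etypes before the principal.
    "Jun 12 10:16:02 ipa.example.test krb5kdc[1234](info): AS_REQ (8 etypes "
    "{18 17 20 19 16 23 25 26}) 192.0.2.21: ISSUE: authtime 1718187362, "
    "etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    _kdc_line("Jun 12 10:16:10", "192.0.2.22", "PREAUTH_FAILED", "alice@EXAMPLE.TEST", FAIL),
]


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for client, s in sorted(stats.items()):
        print(f"{client}: {s['failures']} failed, {s['lockouts']} refused while locked "
              f"(first at {s['first_lockout']}), {len(s['ips'])} source addresses")
    print("hit from many sources:", distributed_sources(stats))
```

Run it over /var/log/krb5kdc.log on every IPA server, since each KDC only logs the requests it answered. Two caveats follow from the thread itself: LDAP simple binds, which Rob says are not logged at all, leave no trace here, so a lockout caused purely by bind attempts against IMAP or SMTP that authenticates over LDAP will only show up as the later Kerberos refusal; and `ipa user-status LOGIN` can be used alongside this to read the per-server failed-login counters for an account the report flags.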