DOS/DDOS attack vulnerability for domain users when AD+RADIUS authentication is enabled

Hey everyone,

Today a colleague pointed out that random domain users could be locked out of our domain simply by trying to authenticate against SSL VPN twice with an invalid username/password combination. After analyzing this I found that in our setup, the login process queries both of our RADIUS servers and, after that, all domain controllers with the wrong credentials. Doing this twice effectively means six queries against the AD. And because we lock a user account after five tries, the account is then locked out. Guessing domain account names is pretty easy.

The user authentication daemon log file then looks something like this:

srcip="Z.Y.X.W" host="" user="test" caller="openvpn" reason="DENIED"
2016:08:11-12:14:15 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying X.Y.Z.A (radius)"
2016:08:11-12:14:15 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying  A.B.C.D (radius)"
2016:08:11-12:14:15 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying  B.C.D.E (adirectory)"
2016:08:11-12:14:15 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying  C.D.E.F (adirectory)"
2016:08:11-12:14:15 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying  D.E.F.G (adirectory)"
2016:08:11-12:14:15 m-2 aua[5762]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="Z.Y.X.W" host="" user="test" caller="openvpn" reason="DENIED"
srcip="Z.Y.X.W" host="" user="test" caller="openvpn" reason="DENIED"
2016:08:11-12:14:17 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying X.Y.Z.A (radius)"
2016:08:11-12:14:17 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying  A.B.C.D (radius)"
2016:08:11-12:14:17 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying  B.C.D.E (adirectory)"
2016:08:11-12:14:17 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying  C.D.E.F (adirectory)"
2016:08:11-12:14:17 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying  D.E.F.G (adirectory)"
2016:08:11-12:14:17 m-2 aua[5762]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="Z.Y.X.W" host="" user="test" caller="openvpn" reason="DENIED"

I understand that there might be different backend systems that all have different user databases and need to be queried, but in our case these DC servers are just listed in the Authentication Servers tab for redundancy.

Is there anything I can do to prevent this behaviour? I need both DCs and RADIUS servers for authentication. WebAdmin login is authorized against AD and SSL VPN is checked against RADIUS (OTP and PIN).

Any ideas are welcome.

Thanks

asc
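The multiplication effect described in the post, as an added example that is not part of the original thread and not Sophos UTM code: a small Python parser over constructed aua log lines in the format shown above. It attributes each "Trying <host> (<type>)" line to the "Authentication failed" line that follows it (the only line carrying the user name), counts how many bad-password submissions each backend type actually received per user, and reports which accounts have reached the lockout threshold. The hosts, IPs, timestamps and user names in the sample are placeholders; the threshold of five is the one stated in the post.

```python
import math
import re
from collections import defaultdict

# Constructed sample in the Sophos UTM aua log format quoted in the post.
# "bob" fails once (one round through all backends); "test" fails twice.
SAMPLE_LOG = """\
2016:08:11-12:14:10 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying X.Y.Z.A (radius)"
2016:08:11-12:14:10 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying  A.B.C.D (radius)"
2016:08:11-12:14:10 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying  B.C.D.E (adirectory)"
2016:08:11-12:14:10 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying  C.D.E.F (adirectory)"
2016:08:11-12:14:10 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying  D.E.F.G (adirectory)"
2016:08:11-12:14:10 m-2 aua[5762]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="Z.Y.X.V" host="" user="bob" caller="openvpn" reason="DENIED"
2016:08:11-12:14:15 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying X.Y.Z.A (radius)"
2016:08:11-12:14:15 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying  A.B.C.D (radius)"
2016:08:11-12:14:15 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying  B.C.D.E (adirectory)"
2016:08:11-12:14:15 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying  C.D.E.F (adirectory)"
2016:08:11-12:14:15 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying  D.E.F.G (adirectory)"
2016:08:11-12:14:15 m-2 aua[5762]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="Z.Y.X.W" host="" user="test" caller="openvpn" reason="DENIED"
2016:08:11-12:14:17 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying X.Y.Z.A (radius)"
2016:08:11-12:14:17 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying  A.B.C.D (radius)"
2016:08:11-12:14:17 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying  B.C.D.E (adirectory)"
2016:08:11-12:14:17 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying  C.D.E.F (adirectory)"
2016:08:11-12:14:17 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying  D.E.F.G (adirectory)"
2016:08:11-12:14:17 m-2 aua[5762]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="Z.Y.X.W" host="" user="test" caller="openvpn" reason="DENIED"
"""

# key="value" pairs as they appear in aua lines
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# value of the name= field for a backend probe, e.g. 'Trying  B.C.D.E (adirectory)'
TRYING_RE = re.compile(r"^Trying\s+(\S+)\s+\((\w+)\)$")


def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(KV_RE.findall(line))


def count_backend_attempts(log_text):
    """Return {user: {backend_type: n}} for failed authentications.

    Every "Trying" line is buffered until the next "Authentication failed"
    line, which is the only line naming the user. The same bad password is
    submitted once to every backend tried, so each adirectory entry is one
    bad-password count against the domain account. Lines without a name=
    field (such as truncated fragments) are ignored. Assumption: the page
    shows no success line, so a successful login is not modelled here.
    """
    per_user = defaultdict(lambda: defaultdict(int))
    pending = []
    for raw in log_text.splitlines():
        name = parse_line(raw).get("name", "")
        m = TRYING_RE.match(name)
        if m:
            pending.append((m.group(1), m.group(2)))  # (host, backend type)
            continue
        if name == "Authentication failed":
            user = parse_line(raw).get("user", "")
            for _host, backend in pending:
                per_user[user][backend] += 1
            pending = []
    return {u: dict(b) for u, b in per_user.items()}


def users_at_lockout(per_user, threshold=5, backend="adirectory"):
    """Users whose domain account received >= threshold bad passwords."""
    return sorted(u for u, b in per_user.items() if b.get(backend, 0) >= threshold)


def attempts_to_lock(n_domain_controllers, threshold=5):
    """VPN login attempts needed to trip the AD lockout threshold when the
    firewall retries every configured DC with the same wrong password."""
    return math.ceil(threshold / n_domain_controllers)


if __name__ == "__main__":
    counts = count_backend_attempts(SAMPLE_LOG)
    for user, backends in counts.items():
        print(user, backends)
    print("locked out:", users_at_lockout(counts))
    print("attempts to lock with 3 DCs:", attempts_to_lock(3))
```

With three DCs behind one authentication profile, two VPN failures already yield six bad-password submissions against AD, so the threshold of five is crossed by the second attempt; the same parser shows the single-DC case needing all five attempts.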

I don't claim to have a lot of Windows Server Fu, but I'm certain that you can achieve AD redundancy in the way your AD is configured and that you should not need all three configured. At the very least, instead of having five separate Servers, create Availability Groups for AD and RADIUS and use those in a total of two Servers in WebAdmin. Does that help?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005
MediaSoft, Inc. USA