Brute-Force and Password Guessing Prevention

Protecting sensitive data published on the web with username and password authentication alone is not secure enough. Browser clients and so-called "password recovery tools", i.e. brute force tools, can attempt to log on to a Domino server endlessly. Retrieving a user's password is then just a matter of patience, or, with a brute force program, just a matter of time. Domino does not offer any protection against brute force attacks whatsoever. HTTPS will not help. The options "more secure passwords" or "less name variations" will not help either.

Screenshot: Typical "Password Recovery", i.e. Brute Force Tool

Brute Force Attacks
The threat of brute force attacks is very real. There are lots of free tools that allegedly serve "password recovery" or help administrators detect security holes. These programs can be used on the internet and on an intranet alike.

Program description:

"With just a few clicks of the mouse, the program tests the security and robustness of Internet servers, via remote brute-force attack. Designed for the novice to intermediate-level user with little experience in security applications, the program is extremely easy to use. It is also fast and flexible enough for site administrators and security professionals.
Features include:
  • Internal word generator with character set selection
  • Supports all major wordlist formats
  • Coordinates attacks across multiple machines
  • Supports HTTP proxy servers
  • Track attack history in easy-to-read logs
  • Automatic save and filtering functions
  • Much, much more!"
Excerpts from another feature list:
  • "Testing of websites that use basic authentication, html-form based logins or single pass protection schemes (AVS)
  • Running up to 100 bots
  • Proxy- and SOCKS-proxy support and proxy rotation
  • Wordlist support for all wordlist formats
  • advanced and customizable on-the-fly wordlist manipulations
  • Wordlist tools such as duplicates remover, passleecher and list queue
  • Advanced, customizable and fast security test tools
  • Autopilot"

Intrusion Prevention
SecureDomino adds a further layer of security to Domino servers with an activated HTTP task by limiting the number of failed login attempts. After the defined number of unsuccessful login attempts, SecureDomino blocks the attacker's IP address and/or the user name and logs that information in a database. SecureDomino is much more than a simple "three strikes and out" solution. It is completely configurable, informs the administrator about the attempt and optionally displays an error page. SecureDomino also works with strong HTTP password encryption and LDAP directories. An automatic logout can also be provided for basic authentication.

With SecureDomino, Domino servers can be used in environments that would otherwise be too risky without additional protection, or that would require X.509 certificates, intensive administration and expensive add-ons.

Screenshot: Intrusion Log

SecureDomino Configuration
Configuration is done in a database, where you can define:
  • the databases or directories to be monitored,
  • the number of unsuccessful login attempts allowed per account,
  • the number of unsuccessful login attempts allowed per IP address,
  • the automatic unblocking time,
  • the error page shown to a blocked user,
  • the names of the administrators to be informed.
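The per-account and per-IP thresholds with automatic unblocking described in the two sections above, as an added illustration written for this page (not SecureDomino's own code): a small tracker that evaluates login attempts, blocks a user name or IP address once its limit is reached, records the block in an intrusion log, and lifts the block after the configured time. Threshold values, user names, IP addresses and timestamps are constructed for the example.

```python
from collections import defaultdict

class LoginGuard:
    """Count failed logins per account and per IP, block a key once its
    threshold is reached, unblock it automatically after unblock_after seconds."""
    def __init__(self, max_per_account=3, max_per_ip=10, unblock_after=600):
        self.max_per_account = max_per_account
        self.max_per_ip = max_per_ip
        self.unblock_after = unblock_after
        self.failures = defaultdict(int)  # ("user", name) / ("ip", addr) -> failures
        self.blocked_until = {}           # key -> timestamp at which it unblocks
        self.log = []                     # intrusion log: (time, key, user, ip)

    def _blocked(self, key, now):
        until = self.blocked_until.get(key)
        if until is None:
            return False
        if now >= until:                  # automatic unblocking time elapsed
            del self.blocked_until[key]
            self.failures[key] = 0
            return False
        return True

    def record(self, user, ip, success, now):
        """Evaluate one login attempt; returns 'blocked', 'denied' or 'allowed'."""
        if self._blocked(("user", user), now) or self._blocked(("ip", ip), now):
            return "blocked"              # even a correct password is refused
        if success:
            self.failures[("user", user)] = 0
            return "allowed"
        for key, limit in ((("user", user), self.max_per_account),
                           (("ip", ip), self.max_per_ip)):
            self.failures[key] += 1
            if self.failures[key] >= limit and key not in self.blocked_until:
                self.blocked_until[key] = now + self.unblock_after
                self.log.append((now, key, user, ip))
        return "denied"

SAMPLE_EVENTS = [  # constructed sample: (time in seconds, user, ip, success)
    (0, "jdoe", "203.0.113.5", False),
    (1, "jdoe", "203.0.113.5", False),
    (2, "jdoe", "203.0.113.5", False),    # third failure: account blocked
    (3, "jdoe", "203.0.113.5", True),     # right password, still blocked
    (700, "jdoe", "203.0.113.5", True),   # unblock time passed: allowed
]

def replay(events, **settings):
    # Run events through a fresh guard; return the decisions and the guard
    guard = LoginGuard(**settings)
    return [guard.record(u, ip, ok, t) for t, u, ip, ok in events], guard
```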

Screenshot: Intrusion Prevention Configuration
Error page
Once the defined threshold of failed login attempts has been reached, an error page can be displayed informing the user that the user account or the IP address has been blocked. Of course the page can be customized and may, for example, contain advice to call the helpdesk.

Screenshot: Informing the user about the locked account

Password Reset
Optionally, the page can contain a link to request a new password. The user can retrieve the new password through Lotus Notes or a BlackBerry and then use it to authenticate, without having to involve IT support.

Denial-of-service attacks
A Domino server can be heavily loaded by a brute force attack; the response time quickly rises to several minutes. With SecureDomino, attackers are logged out and Domino servers perform normally. SecureDomino can be configured to unblock the IP address and/or the user name after a predefined time.