On Wed, 22 Apr 2020, Johannes Rohr wrote:
It is a pity that the IMAP protocol does not support 2 factor authentication, which seems to stop 90% of intrusion attempts in their tracks.
You could use VPN, which can enforce 2FA.
You can hack 2FA into IMAP or any protocol where you can control the backend authenticator. It's easier with time-based OTP (TOTP) token generators. Authenticate using the usual username and the concatenation of (user-password)(otp-token), then invalidate the otp-token to foil replay attacks.
The backend will have to split the credentials into individual factors that can be checked separately.
Is there a reasonable way of detecting and preventing logins from unusual IP ranges? Or are there other strategies you would recommend?
Start by defining "unusual". Once you have a characterization of unusual, implement the detection. For example,
- more than <n> failures?
- attempt to authenticate to non-existent generic accounts e.g. "root"?
- weird time of day?
- authentication from implausible geographic regions (e.g. Chad)?
- logins from multiple geolocations in short time frames?
As the saying goes regarding the value of prevention vs cure, enforce good security habits for your users: password strength, endpoint malware protection, skepticism, etc.
Joseph Tam <jtam.home@gmail.com>
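The (password)(otp-token) scheme Joseph sketches, worked through as an added example; this is not code from the original thread or from any mail server's own authentication backend. It assumes RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second steps), a constructed user record with a PBKDF2 password hash and a base32 seed, and the splitting rule that the last six characters of the submitted "password" are the token. Replay is foiled by remembering the highest TOTP step each user has already consumed and refusing it (or any earlier step) a second time.

```python
import base64
import hashlib
import hmac
import struct
import time

OTP_DIGITS = 6      # TOTP code length (assumption: RFC 6238 default)
STEP = 30           # TOTP time step in seconds
PBKDF2_ITERS = 50_000

def pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)

# Constructed fixture standing in for the user database / authenticator backend.
USER_DB = {
    "alice": {
        "salt": b"constructed-salt",
        "pw_hash": pbkdf2("correct horse", b"constructed-salt"),
        "totp_secret": base64.b32decode("JBSWY3DPEHPK3PXP"),  # constructed seed
        "last_counter": -1,   # highest TOTP step already consumed (for replay defence)
    }
}
# Used for unknown usernames so the PBKDF2 work still happens (no username timing oracle).
DUMMY_USER = {"salt": b"dummy", "pw_hash": b"\0" * 32, "totp_secret": b"\0" * 10, "last_counter": -1}

def hotp(secret, counter, digits=OTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret, now, step=STEP):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(now) // step)

def split_credential(combined):
    """Split '(user-password)(otp-token)' into its two factors, or (None, None) if malformed."""
    if len(combined) <= OTP_DIGITS or not combined[-OTP_DIGITS:].isdigit():
        return None, None
    return combined[:-OTP_DIGITS], combined[-OTP_DIGITS:]

def authenticate(username, combined, now=None, window=1):
    """Check password and TOTP separately; accept +/- `window` steps of clock skew;
    consume the matched step so the same token cannot be replayed."""
    now = time.time() if now is None else now
    password, otp = split_credential(combined)
    if password is None:
        return False, "malformed credential"
    user = USER_DB.get(username)
    record = user if user is not None else DUMMY_USER
    pw_ok = hmac.compare_digest(pbkdf2(password, record["salt"]), record["pw_hash"])
    if user is None or not pw_ok:
        return False, "bad password"      # report one generic failure to the client in production
    counter = int(now) // STEP
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(record["totp_secret"], c), otp):
            if c <= record["last_counter"]:
                return False, "replayed token"
            record["last_counter"] = c    # invalidate this (and all earlier) steps
            return True, "ok"
    return False, "bad token"

if __name__ == "__main__":
    t = time.time()
    code = totp(USER_DB["alice"]["totp_secret"], t)
    print(authenticate("alice", "correct horse" + code, now=t))   # first use
    print(authenticate("alice", "correct horse" + code, now=t))   # replay is refused
```

The consumed-step record has to live somewhere shared by every backend process (a database row, not per-process memory), otherwise a token rejected by one worker can still be replayed against another.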
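Joseph's list of "unusual" characterizations, turned into detection logic run over a constructed log, as an added example rather than anything from the original thread. The log format ("time user ip ok|fail"), the IP-to-country table standing in for a GeoIP lookup, the set of expected countries, and the thresholds are all assumptions for illustration; a real deployment would parse its own IMAP server's login lines and use a real GeoIP database.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real server output): "<ISO time> <user> <ip> <ok|fail>"
SAMPLE_LOG = """\
2020-04-22T09:01:10 alice 203.0.113.5 ok
2020-04-22T09:02:30 root 198.51.100.9 fail
2020-04-22T09:02:31 admin 198.51.100.9 fail
2020-04-22T09:02:32 test 198.51.100.9 fail
2020-04-22T09:02:33 alice 198.51.100.9 fail
2020-04-22T09:02:34 alice 198.51.100.9 fail
2020-04-22T09:02:35 alice 198.51.100.9 fail
2020-04-22T09:02:36 alice 198.51.100.9 fail
2020-04-22T03:15:00 bob 192.0.2.77 ok
2020-04-22T09:20:00 alice 192.0.2.200 ok
"""

# Constructed stand-in for a GeoIP lookup (documentation IP ranges, arbitrary countries).
GEO = {"203.0.113.5": "CA", "198.51.100.9": "RU", "192.0.2.77": "CA", "192.0.2.200": "TD"}
EXPECTED_COUNTRIES = {"CA", "US"}                       # where this user base plausibly logs in from
GENERIC_ACCOUNTS = {"root", "admin", "administrator", "test"}  # accounts that do not exist for IMAP
FAIL_THRESHOLD = 3                                      # "more than <n> failures" from one source
FAIL_WINDOW = timedelta(minutes=10)
WORK_HOURS = range(7, 22)                               # hours considered normal for a login
TRAVEL_WINDOW = timedelta(hours=1)                      # two countries inside this is implausible

def parse_log(text):
    """Parse the constructed log into events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user, "ip": ip,
                       "ok": result == "ok", "country": GEO.get(ip, "??")})
    return sorted(events, key=lambda e: e["time"])

def detect(events):
    """Return (rule, detail) alerts for each of the 'unusual' characterizations."""
    alerts = []
    fails_by_ip = defaultdict(list)   # sliding window of failure timestamps per source IP
    flagged_ips = set()               # alert once per IP, not once per extra failure
    last_success = {}                 # user -> most recent successful login event
    for e in events:
        if e["user"] in GENERIC_ACCOUNTS:
            alerts.append(("generic-account", f"{e['ip']} tried {e['user']}"))
        if not e["ok"]:
            window = fails_by_ip[e["ip"]]
            window.append(e["time"])
            while window and e["time"] - window[0] > FAIL_WINDOW:
                window.pop(0)
            if len(window) > FAIL_THRESHOLD and e["ip"] not in flagged_ips:
                flagged_ips.add(e["ip"])
                alerts.append(("brute-force", f"{len(window)} failures from {e['ip']} within {FAIL_WINDOW}"))
            continue
        # Remaining rules apply to successful logins, which are the ones that matter.
        if e["time"].hour not in WORK_HOURS:
            alerts.append(("odd-hour", f"{e['user']} logged in at {e['time'].time()}"))
        if e["country"] not in EXPECTED_COUNTRIES:
            alerts.append(("implausible-region", f"{e['user']} logged in from {e['country']} ({e['ip']})"))
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and e["time"] - prev["time"] <= TRAVEL_WINDOW:
            alerts.append(("impossible-travel",
                           f"{e['user']}: {prev['country']} then {e['country']} in {e['time'] - prev['time']}"))
        last_success[e["user"]] = e
    return alerts

if __name__ == "__main__":
    for rule, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:20} {detail}")
```

The "prevent" half is simpler than the detection: feed the brute-force and generic-account alerts to a firewall-level blocker (fail2ban-style) and require the second factor or a manual unlock for the odd-hour and geolocation alerts, since those can be legitimate travel.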