Securing Domino Protocols against Brute Force Attacks

For years I have thought that the Internet password lockout feature of IBM Domino is not enough. The feature is documented here: IBM Domino Administrator Help

Quote from this document:

There are some usage restrictions for Internet password lockout: You can only use Internet password lockout with Web access. Other Internet protocols and services, such as LDAP, POP, IMAP, DIIOP, IBM® Lotus® Quickr®, and IBM Sametime® are not currently supported. However, Internet password lockout can be used for Web access if the password that is used for authentication is stored on an LDAP server.

So the documentation tells us that only HTTP can be secured through inetlockout.nsf, and for years the documentation was right. Protocols like LDAP, SMTP or POP3 are therefore prone to dictionary attacks.

Last week at a customer site I could not log in to IBM Connections, even with the correctly spelled password. After checking the Domino server I found that the user had an entry in the inetlockout.nsf database. That was the first time I had seen this behaviour; the Domino server was version 8.5.3.

Today I had some spare time and checked the other protocols of my demo server for my AdminCamp sessions next week.

So I enabled authentication on SMTP, POP3 and IMAP, started logging in with a wrong password, and also tried wrong passwords against the LDAP-authenticated Sametime and Connections. What can I say? I was locked out on all protocols! Martin Leyrer pointed me to the following technote, where the feature is mentioned as a way to secure SMTP against brute force. That is the only document I can find where the extended inetlockout is mentioned or documented.

I don't know how many of my customers or friends have asked for this feature, but we talked about it often. It is a feature we asked for a long time ago and which is really important for all Domino deployments with internet access. Now all important protocols are safe against brute force or dictionary attacks.

So, great news, but the documentation must be updated and the feature must be officially announced.

Why?

  1. It is a really important security feature.
  2. If you already use inetlockout for HTTP and you update your Domino server, the feature is active without any additional work! Good for security, but your helpdesk team could be a little surprised.

Which Domino version first had this code included?

If you want to know how to deploy the lockout feature, please read the documentation and this technote.

Update:

I got a mail saying that with 8.5.3 FP6 only SMTP and LDAP work with inetlockout. I can't test this at the moment, but with 9.0.1 POP3 and IMAP are secured too. I need to test this again with lower versions and DIIOP.

nginx

You can use nginx as a reverse proxy for mail protocols. This is a way to put SHA256-enabled certificates in front of your Domino servers.
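As an added example (not part of the original post), an nginx mail proxy configuration that terminates TLS with its own certificate in front of Domino's IMAP, POP3 and SMTP tasks. The auth_http endpoint, host names and certificate paths are assumptions; nginx does not verify passwords itself, so that endpoint must check the credentials and answer with Auth-Status, Auth-Server and Auth-Port headers.

```nginx
# Added example: nginx mail proxy in front of Domino (names and paths are assumptions).
mail {
    server_name mail.example.com;

    # nginx hands every login to this HTTP endpoint and proxies the session only
    # when it answers "Auth-Status: OK" plus Auth-Server/Auth-Port of the Domino host.
    # The endpoint is assumed; it must validate the credentials (for example
    # against Domino LDAP) and is the place to refuse or slow down repeated failures.
    auth_http         127.0.0.1:9000/auth;
    auth_http_timeout 10s;

    # Certificate presented to mail clients (assumed paths): the SHA-256
    # certificate that sits in front of Domino.
    ssl_certificate     /etc/nginx/ssl/mail.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/mail.example.com.key;
    ssl_protocols       TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Pass the backend's own error text to the client instead of a generic message.
    proxy_pass_error_message on;

    server {
        listen 993 ssl;
        protocol imap;
        imap_auth plain login;
    }

    server {
        listen 995 ssl;
        protocol pop3;
        pop3_auth plain;
    }

    server {
        listen 587;
        protocol smtp;
        starttls on;            # offer STARTTLS on the submission port
        smtp_auth plain login;
        xclient off;            # Domino's SMTP task does not implement XCLIENT (assumed)
    }
}
```

The plain IMAP, POP3 and SMTP ports on the Domino server should then only be reachable from the proxy host, so clients cannot bypass the TLS front end.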

My next ICS events

So my vacation is over; I enjoyed 13 lovely rainy days in Bavaria and am looking forward to my next travels. I hope to get some sun at ICON UK in London next week.

I will speak with Sharon about “Tips and Scripts for your daily business”, the session we made for Connect 2014 and which is now updated for IBM Connections 5.

AdminCamp will be from 29th September to 1st October in Gelsenkirchen. AdminCamp is a great event with lots of technical content and no advertising, organized by Rudi Knegt and others. I very much enjoy being part of it again; this year I will prepare three sessions with Klaus Bild.

The 41st DNUG will be on 11 and 12 November in Leipzig. I made some session proposals and will see if I can speak there and meet the German ICS community.

Last but not least, Social Connections VII will be in Stockholm on 13th and 14th November. The agenda is still open, but I made a session proposal and look forward to meeting the Connections user group there.

Command history wsadmin on Linux

A missing command history on Linux is a small problem when using command line utilities like wsadmin, db2, sqlplus and so on.

I found a solution for this today.

You can use rlwrap to get command history for all applications on the console, and it is possible to recall and edit commands. rlwrap uses readline.

Installation on CentOS (download the rlwrap-0.41 source tarball first):

yum install readline-static gcc make
tar -xvzf rlwrap-0.41.tar.gz
cd rlwrap-0.41
./configure
make
make install

Call rlwrap with wsadmin. Note that a password passed on the command line is visible in the process list and the shell history; if you leave out -username and -password, wsadmin prompts for them instead:

rlwrap -r /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -username wasadmin -password password

rlwrap and db2:

rlwrap -r db2

Use rlwrap every time via an alias:

vim ~/.bash_profile
export WAS_HOME=/opt/IBM/WebSphere/AppServer
export DMGR=Dmgr01
alias db2='rlwrap -r db2'
alias wsadmin='cd $WAS_HOME/profiles/$DMGR/bin;rlwrap -r ./wsadmin.sh -lang jython'

Social Connections VI in Prague


This week started in the beautiful city of Prague with Social Connections VI. I met great people and first of all I want to thank the organisation team for this great event.

At the end we took the traditional picture with all attendees.

Photo © 2014 by Oli Heinz

I enjoyed two very delicious dinners, had great discussions around IBM ICS, and met old and new friends. After years of tweets, forum entries and virtual talks I finally met Martin in person and had an entertaining evening with him and Sjaak.

Photo © 2014 by Oli Heinz

Big thanks to Oliver Heinz, who took fantastic photos of Prague, of us and around the event. All pictures in this blog post were taken by him.

My session “Script it!”

This time I made a session without the support of Klaus or Sharon, but I was happy with the result and I hope that some attendees will help to make the IBMCNX community scripts more complete.

Photo by Oli Heinz (http://twitter.com/oliheinz)

And once again the offer for everyone: you have seen the different kinds of persistent Skype group chats; if you want to join, send me a short message.

During this week we heard several announcements:

I look forward to Social Connections VII and hope to meet lots of you there!

New version of “Administration Scripts for WebSphere”

As preparation for Social Connections VI in Prague next week I redesigned the “Administration Scripts for IBM WebSphere”.

Some highlights:

  • all scripts moved to a subfolder of DMGR/bin (folder name: ibmcnx)
  • tested in multi-node environments
  • added some classes everybody can use in their own scripts
  • adding policies to libraries (personal and communities) now uses search

New scripts:

  • documentation of all JVM settings of each application server
  • create a file with all documentation in one step
  • create cluster members for additional nodes

Sharon created a document with the content of all of our presentations and collected several tips around Connections and the community scripts. She will share it next time. We have started to share parts of this document and more documentation (installation, usage) for the scripts and IBM Connections on:

Scripting101.org

The new version can be downloaded from: