[horde] Blocking Active Sync Client

Arjen de Korte arjen+horde at de-korte.org
Tue Mar 17 08:01:45 UTC 2015


Please do not top-post.

Quoting grupo correo <grupodecorreo10 at gmail.com>:

> Hi all.
>
> For this application in our environment we use fail2ban to ban this App.
> It's a very powerful tool. This software reads all logs.
>
> Regards.

This will fail to solve the underlying problem (storing  
username/password) in the Amazon Cloud service. The damage has already  
been done when these services attempt to connect to your server. You  
may be able to block the connection attempts on IP level, but the  
credentials have already been stored in a location where the topic  
starter doesn't want them before the first connection is made.

In this particular case, using fail2ban will actually worsen the  
problem, since it will prevent you from finding out which users are  
using this Microsoft/Accompli Outlook App (they will never reach the  
point where the username/password is sent over the wire). As Jan said,  
a pre-authenticate hook is the solution here, since you will need to  
block the user account, to prevent potential abuse.

> 2015-03-13 15:38 GMT+01:00 Jan Schneider <jan at horde.org>:
>
>>
>> Quoting Arjen de Korte <arjen+horde at de-korte.org>:
>>
>>
>>  Quoting Jan Schneider <jan at horde.org>:
>>>
>>>  Quoting Samuel Wolf <samuel at sheepflock.de>:
>>>>
>>>>  Quoting Klaus Steinberger <klaus.steinberger at physik.uni-muenchen.de>:
>>>>>
>>>>>  Hi,
>>>>>>
>>>>>> we want to block for all users some types of Client. Especially the
>>>>>> Microsoft/Accompli Outlook App.
>>>>>>
>>>>>> I can block a client for a single user after he has connected, but I
>>>>>> want to block this App for any user and forever.
>>>>>>
>>>>>> Reason: The App doesn't access Active Sync directly, instead they use
>>>>>> a bunch of servers at the Amazon Cloud. The bad thing is that the
>>>>>> password will be stored at the Amazon Cloud.
>>>>>>
>>>>>>
>>>>>> The App (or better the servers behind) show up like this (the ID is
>>>>>> user dependent):
>>>>>>
>>>>>>
>>>>>> Id: 289C17FE1CA68940
>>>>>> Policy Key: 0
>>>>>> Programm: Outlook-iOS-Android/1.0
>>>>>> Modell: Outlook for iOS and Android
>>>>>> Eindeutiger Name: Outlook for iOS and Android
>>>>>> OS: Outlook for iOS and Android 1.0
>>>>>> EAS Version: 14.1
>>>>>> Gespeicherter Heartbeat (Sekunden): 540
>>>>>>
>>>>>> Sincerely,
>>>>>> Klaus
>>>>>>
>>>>>> - --
>>>>>> Rechnerbetriebsgruppe / IT, Fakultät für Physik
>>>>>> Klaus Steinberger
>>>>>> FAX: +49 89 28914280
>>>>>> Tel: +49 89 28914287
>>>>>> --
>>>>>> Horde mailing list
>>>>>> Frequently Asked Questions: http://horde.org/faq/
>>>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>>>>
>>>>>
>>>>> Hi Klaus,
>>>>>
>>>>> not exactly what you want, but maybe an idea.
>>>>> I allow only special clients via Apache config:
>>>>>
>>>>> ##########################################################################
>>>>> <Directory /var/www/https/horde/>
>>>>>     Order Deny,Allow
>>>>>     Deny from All
>>>>>
>>>>>     <Files "rpc.php">
>>>>>         SetEnvIf User-Agent "Android/4.0.4-EAS-1.3" smartphone
>>>>>         SetEnvIf User-Agent "motorola-XT910/1.0" smartphone
>>>>>         SetEnvIf User-Agent "motorola-XT890/1.0" smartphone
>>>>>         SetEnvIf User-Agent "Android/4.1.1-EAS-1.3" smartphone
>>>>>         SetEnvIf User-Agent "Android/5.0.2-EAS-2.0" smartphone
>>>>>         Order Deny,Allow
>>>>>         Deny from All
>>>>>         Allow from env=smartphone
>>>>>     </Files>
>>>>>
>>>>> </Directory>
>>>>> ##########################################################################
>>>>>
>>>>> Samuel
>>>>>
>>>>>
>>>>
>>>> Alternatively you can create a preauthenticate hook that sniffs on the
>>>> global $browser object.
>>>>
>>>
>>> I don't think either of these solutions will prevent from happening what
>>> the topic starter intends to do. The username and password may have been
>>> stored in the Amazon Cloud before the connection is made (and probably even
>>> if the connection fails).
>>>
>>> To make sure that the username/password combinations can't be abused,
>>> you'd need to block user accounts once you find that they are accessed
>>> through this service, rather than just blocking ActiveSync sessions (the
>>> damage has been done already by that time).
>>>
>>
>> That's what a preauthenticate hook does.
>>
>>  Be sure to inform your users (and helpdesk) about this policy, since my
>>> guess is that this will lead to users calling support why their accounts
>>> have been blocked.
>>>
>>
>> Indeed. I'm not sure if we destroy the session after a failing
>> preauthenticate hook, but if not, he can push a $notification in the hook
>> too.
>>
>> --
>> Jan Schneider
>> The Horde Project
>> http://www.horde.org/
>> https://www.facebook.com/hordeproject
>>



-- 
This message was sent from a mailinglist subscription address.
For off-list replies, you must remove the address extension.
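
Added example (not part of the original messages and not Horde code): one way to find the accounts that have been accessed through this client, so that they can be blocked as discussed in the thread, is to scan the web server access log for the User-Agent Klaus reported. It assumes Apache's combined log format and a plain-text ActiveSync query string carrying User= and DeviceId=; the log lines, addresses and device ids are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format (assumed):
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# User-Agent prefix as reported in the thread; the version suffix may change.
BLOCKED_AGENT = re.compile(r"^Outlook-iOS-Android/")


def accounts_using_blocked_client(lines):
    """Return {user: {(device_id, source_host, status), ...}} for the blocked client."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not BLOCKED_AGENT.match(m.group("agent")):
            continue
        # Assumption: plain-text EAS query string with User= and DeviceId=.
        query = parse_qs(urlsplit(m.group("target")).query)
        user = query.get("User", [None])[0]
        if user is None:
            continue  # no user in the URL (e.g. OPTIONS); review such lines by hand
        device = query.get("DeviceId", ["unknown"])[0]
        # Failed logins (401) count too: the relay service already holds the password.
        entry = (device, m.group("host"), int(m.group("status")))
        hits.setdefault(user, set()).add(entry)
    return hits


# Constructed sample lines, not taken from a real server.
URL = "/Microsoft-Server-ActiveSync?Cmd=Sync&DeviceType=Outlook"
TS = "[13/Mar/2015:14:02:11 +0100]"
SAMPLE_LOG = [
    f'198.51.100.7 - - {TS} "POST {URL}&User=alice&DeviceId=AAAA0000 HTTP/1.1" 200 512 "-" "Outlook-iOS-Android/1.0"',
    f'203.0.113.20 - - {TS} "POST {URL}&User=bob&DeviceId=BBBB0000 HTTP/1.1" 200 340 "-" "Android/4.1.1-EAS-1.3"',
    f'198.51.100.9 - - {TS} "POST {URL}&User=carol&DeviceId=CCCC0000 HTTP/1.1" 401 0 "-" "Outlook-iOS-Android/1.0"',
    f'198.51.100.7 - - {TS} "OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1" 200 - "-" "Outlook-iOS-Android/1.0"',
]

if __name__ == "__main__":
    for user, seen in sorted(accounts_using_blocked_client(SAMPLE_LOG).items()):
        print(user, sorted(seen))
```

This only sees requests that reach the web server, so it has to run on logs collected before any IP-level block is put in place.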