Proposal for a location-based login detection/prevention system

This is a suggestion that will probably take a while to implement, and it might not be feasible at all to realize it, but I figured I might shoot it anyway:

The other day, when I tried to log on to my Google account from a different country than I regularly am in (through an app service that apparently goes through third-party servers), Google blocked that successful login and offered me the choice to allow it, or to check if my account had been hacked.

I must say I quite like the idea. I'm wondering if something like that could be implemented in Virtualmin for login to shell, FTP, Dovecot, Postfix and so on.

Most dictionary attacks we see certainly come from countries/regions other than the one the user is actually in, so it might be an idea to at least inform about logins from unusual IP ranges. I guess Google and others implemented this for a good reason. ;)

Of course the user would need to have a way of allowing logins from other areas, preemptively or after being informed about a block or so.

I think a system like this could help a good deal with mitigating the increasing problem of users' mail/FTP accounts that get hacked through malware on their computers. Please feel free to think about it when your to-do list allows for it! :)

Status: 
Active

Comments

Yeah, I've seen this used as well for certain high-value accounts - if the login is from a new PC or country, it triggers additional verification.

However, since Webmin and Virtualmin now support two-factor authentication, I'm not sure if it is necessarily worth the effort to implement. Two-factor completely protects you against password theft all the time, rather than needing some complex logic to determine when extra validation is required.

Does that two-factor authentication also apply to logging in to Postfix, Dovecot, ProFTPD and SSH? ;)

No. However, I don't know of any way virtualmin could add new rules based on the client IP to SSH, Dovecot or Postfix logins.

Unless maybe we implemented a custom PAM module, but that seems outside the scope of what Virtualmin was designed to do (and may already exist).

Yep that's right... So maybe instead of the "prevention" part, first a "detection"?

So that in case of suspicious logins, e.g. "user normally logs in from country X or using ISP Y, and now they're logging in from China", which could be derived from log files, the administrator can be informed to investigate the matter?

Sure, that could be done. But again it seems like something that doesn't really belong in Virtualmin, and is probably already provided by some other open source project (along the lines of fail2ban).

Well yeah, it's possible.

I'm using CSF/LFD for that purpose, and it can do a number of things, but not really the specific combination "keep a list of usual login origins, scan logs for logins, and send a warning if a login occurs from an unusual origin". I think that's quite specific and possibly not covered by the usual login failure detection applications. I certainly wouldn't know how to get LFD to do that kind of thing. :)

As for where Virtualmin's scope ends... That's of course always open to debate, yeah. I mean, if detecting suspicious logins is beyond its scope, then one could argue that limiting the rate of emails processed by Postfix is too. But apparently that didn't keep you. ;)

Email rate limiting was relatively easy to add, because an a tool existed already (milter-greylist) to do most of the work.

If there was an open-source package out there already that did log scanning and email notification about failed logins, I would be more open to adding support for it in Virtualmin.