[jadmin] Anonymous login and security / abuse


Winfried Tilanus
06-18-2008, 01:46 PM
Hi!

I consider enabling anonymous logins on a stand-alone ejabberd server. I
am wondering how realistic the following 2 security issues are:

1)
Anonymous login opens the possibility for abuse of the resources, ranging
from just hosting a groupchat that doesn't fit the purpose of the
server, to the (theoretical) possibility of herding a botnet over XMPP. Does
anybody have experience with abuse like this? How common is it? Is it easy
to mitigate?

2)
When creating an anonymous account with SASL ANONYMOUS on ejabberd, an
account with an empty password is created. Using a client that accepts
empty passwords, it is possible to log in a second time on the same
account with a different resource. So knowing the JID (not really a
secret) of the anonymous account will be enough to hijack the account.
Is this a real-life scenario? Should using an anonymous account from 2
different resources be allowed?

thanks for your input on this!

Best wishes,

Winfried

_______________________________________________
JAdmin mailing list
FAQ: http://www.jabber.org/discussion-lists/jadmin-faq
Forum: http://www.jabberforum.org/forumdisplay.php?f=19
Info: http://mail.jabber.org/mailman/listinfo/jadmin
Unsubscribe: JAdmin-unsubscribe (AT) jabber (DOT) org
_______________________________________________

Peter Saint-Andre
06-18-2008, 08:49 PM
Hallo Winfried!

On 06/18/2008 5:35 AM, Winfried Tilanus wrote:
> Hi!
>
> I consider enabling anonymous logins on a stand-alone ejabberd server. I
> am wondering how realistic the following 2 security issues are:
>
> 1)
> Anonymous login opens the possibility for abuse of the resources, ranging
> from just hosting a groupchat that doesn't fit the purpose of the
> server, to the (theoretical) possibility of herding a botnet over XMPP. Does
> anybody have experience with abuse like this? How common is it? Is it easy
> to mitigate?

Will this be an open server that anyone can access? In that case, I'd be
concerned about using SASL ANONYMOUS. Or at least I know that I would
not deploy it at the jabber.org service -- we have enough trouble with
the regular users. :)

> 2)
> When creating an anonymous account with SASL ANONYMOUS on ejabberd, an
> account with an empty password is created. Using a client that accepts
> empty passwords, it is possible to log in a second time on the same
> account with a different resource. So knowing the JID (not really a
> secret) of the anonymous account will be enough to hijack the account.

What does such a JID look like? Is it easily discovered?

> Is this a real-life scenario? Should using an anonymous account from 2
> different resources be allowed?

Probably not.

Peter

--
Peter Saint-Andre
https://stpeter.im/



Winfried Tilanus
06-19-2008, 02:50 PM
On 06/18/2008 08:47 PM, Peter Saint-Andre wrote:

Hi,

> Will this be an open server that anyone can access? In that case, I'd be
> concerned about using SASL ANONYMOUS. Or at least I know that I would
> not deploy it at the jabber.org service -- we have enough trouble with
> the regular users. :)

The http-bind will be accessible to anyone. It won't be advertised as a
Jabber server. And I have never seen any probes for Jabber servers or
http-bind in my logs. But security through obscurity shouldn't be the
way to go...

>> 2)
>> When creating an anonymous account with SASL ANONYMOUS on ejabberd, an
>> account with an empty password is created. Using a client that accepts
>> empty passwords, it is possible to log in a second time on the same
>> account with a different resource. So knowing the JID (not really a
>> secret) of the anonymous account will be enough to hijack the account.
>
> What does such a JID look like? Is it easily discovered?

22473608281213782396225677@localhost

I suppose it can be discovered if the anonymous client participates in a
chatroom with an untrustworthy moderator or with a too open configuration.

>> Is this a real-life scenario? Should using an anonymous account from 2
>> different resources be allowed?
>
> Probably not.

"Probably not" to the first or the second question? If it is to the
second question, I should build an ACL that regexes the JIDs used by
anonymous logins and limit those to one session...

thanks,

Winfried

Norman Rasmussen
06-19-2008, 03:21 PM
On Thu, Jun 19, 2008 at 2:48 PM, Winfried Tilanus <winfried (AT) tilanus (DOT) com>
wrote:

> When creating an anonymous account with SASL ANONYMOUS on ejabberd, an
> account with an empty password is created
>

Silly ejabberd design question, but: shouldn't this temporary account be
given a random password instead? (or at least marked as temporary in some
way so that when it logs out, it gets automagically deleted, and in the same
way the "normal" login procedure shouldn't allow logins to temporary
accounts).

--
- Norman Rasmussen
- Email: norman (AT) rasmussen (DOT) co.za
- Home page: http://norman.rasmussen.co.za/


Peter Saint-Andre
06-19-2008, 08:35 PM
On 06/19/2008 7:20 AM, Norman Rasmussen wrote:
> On Thu, Jun 19, 2008 at 2:48 PM, Winfried Tilanus <winfried (AT) tilanus (DOT) com>
> wrote:
>
>> When creating an anonymous account with SASL ANONYMOUS on ejabberd, an
>> account with an empty password is created
>>
>
> Silly ejabberd design question, but: shouldn't this temporary account be
> given a random password instead? (or at least marked as temporary in some
> way so that when it logs out, it gets automagically deleted, and in the same
> way the "normal" login procedure shouldn't allow logins to temporary
> accounts).

That seems reasonable.

Peter

--
Peter Saint-Andre
https://stpeter.im/



Peter Saint-Andre
06-20-2008, 06:01 PM
On 06/19/2008 6:48 AM, Winfried Tilanus wrote:
> On 06/18/2008 08:47 PM, Peter Saint-Andre wrote:
>
> Hi,
>
>> Will this be an open server that anyone can access? In that case, I'd be
>> concerned about using SASL ANONYMOUS. Or at least I know that I would
>> not deploy it at the jabber.org service -- we have enough trouble with
>> the regular users. :)
>
> The http-bind will be accessible to anyone. It won't be advertised as a
> Jabber server. And I have never seen any probes for Jabber servers or
> http-bind in my logs. But security through obscurity shouldn't be the
> way to go...
>
>>> 2)
>>> When creating an anonymous account with SASL ANONYMOUS on ejabberd, an
>>> account with an empty password is created. Using a client that accepts
>>> empty passwords, it is possible to log in a second time on the same
>>> account with a different resource. So knowing the JID (not really a
>>> secret) of the anonymous account will be enough to hijack the account.
>> What does such a JID look like? Is it easily discovered?
>
> 22473608281213782396225677@localhost
>
> I suppose it can be discovered if the anonymous client participates in a
> chatroom with an untrustworthy moderator or with a too open configuration.
>
>>> Is this a real-life scenario? Should using an anonymous account from 2
>>> different resources be allowed?
>> Probably not.
>
> "Probably not" to the first or the second question? If it is to the
> second question, I should build an ACL that regexes the JIDs used by
> anonymous logins and limit those to one session...

The second question, because it seems to me as if these anonymous JIDs
are throw-away identities.

However, some of this may depend on the deployment scenario. Some people
may want anonymous JIDs like customer (AT) bigcompany (DOT) com, and each customer
is assigned a resource. Personally I think it's better to assign one JID
for each customer, though (more scalable).

Peter

--
Peter Saint-Andre
https://stpeter.im/


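The ACL idea Winfried raises in the previous message and Peter confirms here (limit the JIDs that anonymous logins produce to one session each, so a second client knowing the JID cannot attach with another resource) can be expressed in an ejabberd 2.x `ejabberd.cfg`. The excerpt below is an added illustration, not configuration from this thread or from the ejabberd project. It assumes the all-digit username format of the JID quoted above (`22473608281213782396225677@localhost`), a placeholder virtual host `anon.example.org`, and that no registered account on that host has an all-digit username (otherwise the regexp would throttle it too). The `max_user_sessions` access rule, `user_regexp` ACLs, and the `mod_muc` `access_create` option are documented ejabberd 2.x features; `allow_multiple_connections` is shown with the default value the ejabberd guide documents, and whether it governs `sasl_anon` sessions on a given version is not stated on this page and should be checked before relying on it.

```erlang
%% ejabberd.cfg excerpt (ejabberd 2.x Erlang-term syntax). Added example;
%% host name, regexp and limits are assumptions, not values from the thread.

%% Confine anonymous logins to one virtual host so the main host keeps
%% its normal authentication method.
{host_config, "anon.example.org", [
    {auth_method, anonymous},
    {anonymous_protocol, sasl_anon},
    %% Default value per the ejabberd guide; verify its effect on
    %% sasl_anon sessions against the deployed version.
    {allow_multiple_connections, false}
]}.

%% ACL matching the usernames SASL ANONYMOUS generates (all digits, as in
%% the JID quoted above). Assumes no registered user has such a name.
{acl, anonymous_users, {user_regexp, "^[0-9]+$"}}.

%% One concurrent session per anonymous JID: a second resource binding to
%% the same bare JID is refused instead of hijacking the account.
{access, max_user_sessions, [{1, anonymous_users}, {10, all}]}.

%% Mitigation for abuse item 1: anonymous users may join rooms but may not
%% create them, so the server cannot be turned into free group-chat hosting.
{access, muc_create, [{deny, anonymous_users}, {allow, all}]}.
{access, muc, [{allow, all}]}.

{modules, [
    {mod_muc, [
        {access, muc},
        {access_create, muc_create},
        {access_admin, muc_admin}
    ]}
    %% ... other modules unchanged
]}.
```

Order matters in access rules: ejabberd evaluates the list top to bottom and stops at the first matching ACL, so the anonymous clause must precede `all`. After reloading the configuration, a quick check is to bind two resources with the same anonymous JID and confirm the second binding is rejected, and to watch the server log for the resulting session-limit messages when tuning the limit.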