Re: Detecting Brute-Force and Dictionary attacks
- From: Alec Muffett <Alec.Muffett@xxxxxxxxxx>
- Date: Thu, 19 Oct 2006 16:12:46 +0100
I am looking for a good tool to detect brute-force and dictionary
attacks on user accounts on a Linux system. The tool should also
have the intelligence to differentiate between user mistakes and
actual brute-force/dictionary attacks and reduce the false
positives. SuSE/RedHat included security tools are not helping in
this case.
I must admit I've always thought of this problem as being one which
collapses into one of two other scenarios:
1) You lose a copy of your password file and someone runs a
password-guesser against it, offline; they then find a weak
password and log directly and cleanly into your machine, and you
lose, game over.
2) You audit your system for all failed authentication attempts -
ssh, telnet (ick!), IMAP, POP, etc - and detect a chain of failed
login attempts on any network-enabled authenticating service.
What happens next ideally requires human intervention, for
reasons which I explored when I wrote-up my complaints regarding
three-strikes lockout:
http://blogs.sun.com/alecm?entry=three_strikes_password_security_considered
So I too would be interested in who's tried addressing this problem,
and what authentication mechanism they are bothering to check; the
ideal would be some sort of real-time analysis daemon that plugs into
the PAM stack when capturing/returning failed authentication attempts.
Assuming everyone uses PAM for everything. :-)
Alas, reality dictates that we'll probably get
"just another log scraper"(TM)
- alec
http://www.crypticide.com/dropsafe/
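As an added illustration of scenario 2 above (example code written for this page, not anything Alec or the original poster supplied), here is the "just another log scraper" the post predicts: it reads sshd lines, groups failures by source address, and applies two rules to keep a user's own typos out of the alert stream. The sample log lines are constructed; the year (syslog lines carry none), the window and threshold values, and the "same user later logs in successfully from the same source" rule for recognising a user mistake are assumptions of the example, not anything from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format; three sources with three different stories.
SAMPLE_LOG = """\
Oct 19 16:10:01 host sshd[2001]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Oct 19 16:10:09 host sshd[2002]: Failed password for alice from 198.51.100.7 port 50002 ssh2
Oct 19 16:10:20 host sshd[2003]: Accepted password for alice from 198.51.100.7 port 50003 ssh2
Oct 19 16:12:00 host sshd[2010]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Oct 19 16:12:01 host sshd[2011]: Failed password for invalid user oracle from 203.0.113.5 port 40002 ssh2
Oct 19 16:12:02 host sshd[2012]: Failed password for root from 203.0.113.5 port 40003 ssh2
Oct 19 16:12:03 host sshd[2013]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Oct 19 16:12:04 host sshd[2014]: Failed password for bob from 203.0.113.5 port 40005 ssh2
Oct 19 16:12:05 host sshd[2015]: Failed password for invalid user guest from 203.0.113.5 port 40006 ssh2
Oct 19 16:30:00 host sshd[2020]: Failed password for bob from 192.0.2.9 port 60001 ssh2
Oct 19 16:45:00 host sshd[2021]: Failed password for bob from 192.0.2.9 port 60002 ssh2
Oct 19 17:05:00 host sshd[2022]: Failed password for bob from 192.0.2.9 port 60003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

YEAR = 2006  # assumption: syslog timestamps carry no year


def parse_line(line):
    """Return a dict for an sshd password auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "user": m["user"], "ip": m["ip"], "invalid": bool(m["invalid"])}


def classify(lines, window=timedelta(minutes=5), threshold=5, distinct_users=3):
    """Group auth events by source address and give each source a verdict.

    brute-force   : >= threshold failures inside one window, or failures against
                    >= distinct_users different accounts (a guesser walks a list).
    user-mistake  : every failure is followed, within the window, by a successful
                    login for the same user from the same source (assumed rule).
    needs-review  : failures that neither rule explains; hand these to a human.
    clean         : no failures at all from this source.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    report = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if not e["ok"]]

        # Largest number of failures that fit inside a single window.
        peak = 0
        for i, first in enumerate(failures):
            n = sum(1 for e in failures[i:] if e["ts"] - first["ts"] <= window)
            peak = max(peak, n)

        users = {e["user"] for e in failures}

        # A failure is "cleared" when the same user then succeeds from the same source.
        cleared = sum(
            1 for f in failures
            if any(e["ok"] and e["user"] == f["user"]
                   and timedelta(0) <= e["ts"] - f["ts"] <= window for e in events)
        )

        if peak >= threshold or len(users) >= distinct_users:
            verdict = "brute-force"
        elif failures and cleared == len(failures):
            verdict = "user-mistake"
        elif failures:
            verdict = "needs-review"
        else:
            verdict = "clean"

        report[ip] = {"failures": len(failures), "peak_in_window": peak,
                      "distinct_users": len(users), "cleared": cleared,
                      "verdict": verdict}
    return report


if __name__ == "__main__":
    for ip, info in classify(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:15} {info['verdict']:13} failures={info['failures']} "
              f"peak={info['peak_in_window']} users={info['distinct_users']}")
```

On the sample data, 198.51.100.7 (two failures, then a success for the same user) comes out as a user mistake, 203.0.113.5 (six accounts in six seconds, mostly non-existent ones) as a brute-force run, and 192.0.2.9 (three failures against one account spread over 35 minutes) lands in the needs-review bucket, which is exactly the case where the post argues for human intervention rather than an automatic lockout: a slow guesser and a forgetful user look the same to a threshold.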
- References:
- Detecting Brute-Force and Dictionary attacks
- From: Shashi Kanth Boddula