Re: Detecting Brute-Force and Dictionary attacks
On 19-okt-2006, at 19:42, Cor Gest wrote:


> Some entity AKA "Shashi Kanth Boddula" <shashi.boddula@xxxxxxxxxx>
> wrote this mindboggling stuff, while thinking about the OS-BBQ.
>
> (selectively-snipped-or-not-p)
>> Hi All,
>>
>> I am looking for a good tool to detect brute-force and dictionary attacks on user accounts on a Linux system. The tool should also have the intelligence to differentiate between user mistakes and actual brute-force/dictionary attacks and reduce the false positives. SuSE/RedHat included security tools are not helping in this case.
>>
>> Please, does anyone know of any third-party security tool or any open-source security tool which solves my problem?
>
> A basic is already in the system in the config of /etc/login.defs
> login_delay 'nn sec' and max_retry 'nn' and log the fails.
> A delay of 5 minutes after 2 failed is annoying enough to most.
>
> But how do you want to differentiate between "usert" and "uiser",
> which can be honest typoos or part of the dictionary, since dicts
> thrive on those 'typoos'.

I think the OP would like to detect common attacks like the ssh worms
running around in the wild. Maybe an oracle machine, no not a machine
running oracle, should be available for dynamic locations.

I would suggest logging to a script before it gets written to the syslog. Within
the script (or daemon) it could be detected how fast a user is trying to log
on:


Oct 15 13:40:14 xxxxxi sshd[4885]: Could not reverse map address 200.x.x.x.
Oct 15 13:40:17 xxxxxi sshd[4887]: Could not reverse map address 200.x.x.x.
Oct 15 13:40:18 xxxxxi sshd[4889]: Could not reverse map address 200.x.x.x.
Oct 15 13:40:20 xxxxxi sshd[4891]: Could not reverse map address 200.x.x.x.
Oct 15 13:40:21 xxxxxi sshd[4893]: Could not reverse map address 200.x.x.x.
Oct 15 13:40:23 xxxxxi sshd[4898]: Could not reverse map address 200.x.x.x.

Any user that would type this fast would need to get a bonus or should be banned;
that could be arranged by the daemon/script.

It is nice to block these users on a firewall since they take up unwanted space
in your /var/adm/auth.log or similar logs...

Hans
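The rate check Hans describes, as an added example that is not part of the original thread: a small Python script that parses sshd lines of the kind quoted above, keeps a sliding window of events per source address, and flags any address that exceeds a threshold within the window. The sample lines, the documentation-range addresses, the year (syslog lines carry none; 2006 is assumed from the thread date), and the thresholds are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input modelled on the lines in the post. The addresses are
# documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
Oct 15 13:40:14 host sshd[4885]: Could not reverse map address 203.0.113.5.
Oct 15 13:40:17 host sshd[4887]: Could not reverse map address 203.0.113.5.
Oct 15 13:40:18 host sshd[4889]: Could not reverse map address 203.0.113.5.
Oct 15 13:40:20 host sshd[4891]: Could not reverse map address 203.0.113.5.
Oct 15 13:40:21 host sshd[4893]: Could not reverse map address 203.0.113.5.
Oct 15 13:40:23 host sshd[4898]: Could not reverse map address 203.0.113.5.
Oct 15 13:41:05 host sshd[4910]: Could not reverse map address 198.51.100.7.
Oct 15 13:45:30 host sshd[4950]: Could not reverse map address 198.51.100.7.
"""

# Syslog timestamp, host, sshd pid, and the trailing address of the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Could not reverse map address (?P<addr>[\d.]+)\.$"
)

def parse_line(line, year=2006):
    """Return (timestamp, address) for a matching line, else None.
    The year is an assumption: syslog timestamps do not carry one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["addr"]

def find_fast_sources(lines, max_hits=5, window_sec=30):
    """Return the set of addresses that produced at least max_hits events
    within any window_sec span. Thresholds are constructed, not from the post."""
    recent = defaultdict(deque)
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an sshd line of interest; ignore
        ts, addr = parsed
        q = recent[addr]
        q.append(ts)
        # Drop events that have aged out of the sliding window.
        while (ts - q[0]).total_seconds() > window_sec:
            q.popleft()
        if len(q) >= max_hits:
            flagged.add(addr)
    return flagged
```

Feeding the script from syslog (or a log tail) and handing flagged addresses to a firewall rule is the blocking step Hans mentions; the two human-paced attempts from the second address stay below the threshold.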