RE: Detecting Brute-Force and Dictionary attacks



I am looking for a good tool to detect brute-force and dictionary attacks on user accounts on a Linux system. The tool should also have the intelligence to differentiate between user mistakes and actual brute-force/dictionary attacks and reduce the false positives. SuSE/RedHat included security tools are not helping in this case.

There is a purely netfilter/iptables solution here:
http://msgs.securepoint.com/cgi-bin/get/netfilter-0505/62.html

That example is for SSH, but you can probably tweak it to do what you need.

For kernels that don't have all the netfilter modules compiled in, I wrote
a program to monitor my logs and add a rule to the INPUT chain to block
repeated connections with accounts that don't exist. The actual iptables
command looks something like:

/sbin/iptables -A INPUT -p tcp --dport 22 -s $IP -j DROP






End of line.
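One way to implement the log-monitoring idea from the reply above, as an added example rather than the poster's own program: it counts sshd "Invalid user" lines per source address over constructed sample log lines and builds the DROP rule quoted above for addresses that reach a threshold. The log format, the threshold of three attempts, and the choice to ignore failed passwords for real accounts (typical of user typos) are assumptions.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not taken from the original post).
SAMPLE_LOG = """\
May  5 10:01:12 host sshd[2101]: Invalid user oracle from 203.0.113.7
May  5 10:01:15 host sshd[2103]: Invalid user test from 203.0.113.7
May  5 10:01:18 host sshd[2105]: Invalid user admin from 203.0.113.7
May  5 10:02:02 host sshd[2110]: Failed password for alice from 198.51.100.4 port 50112 ssh2
May  5 10:02:09 host sshd[2112]: Accepted password for alice from 198.51.100.4 port 50112 ssh2
May  5 10:03:40 host sshd[2120]: Invalid user bob from 192.0.2.9
"""

# Matches only attempts against accounts that do not exist on the system.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")


def count_invalid_users(log_text):
    """Return {ip: Counter(username -> attempts)} for 'Invalid user' lines.

    'Failed password' lines for real accounts are deliberately ignored: a
    legitimate user mistyping a password should not get their address blocked.
    """
    hits = {}
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            user, ip = m.groups()
            hits.setdefault(ip, Counter())[user] += 1
    return hits


def offenders(log_text, threshold=3):
    """Source addresses whose invalid-user attempts reach the threshold (assumed value)."""
    return sorted(ip for ip, users in count_invalid_users(log_text).items()
                  if sum(users.values()) >= threshold)


def block_rules(ips, port=22):
    """Build the INPUT-chain DROP rule from the post for each address (not executed here)."""
    return [f"/sbin/iptables -A INPUT -p tcp --dport {port} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    for rule in block_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

A real monitor would tail the auth log continuously and run each rule through subprocess as root; here the rules are only returned so the logic can be checked safely.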


