RE: Detecting Brute-Force and Dictionary attacks
- From: Master Control Program <jonlin@xxxxxxxxxx>
- Date: Fri, 20 Oct 2006 13:52:32 EDT
I am looking for a good tool to detect brute-force and dictionary attacks on user accounts on a Linux system. The tool should also have the intelligence to differentiate between user mistakes and actual brute-force/dictionary attacks and reduce the false positives. SuSE/RedHat included security tools are not helping in this case.
There is a purely netfilter/iptables solution here:
that example is for SSH, but you can probably tweak it to do what you need.
For kernels that don't have all the netfilter modules compiled in, I wrote
a program to monitor my logs and add a rule to the INPUT chain to block
repeated connections with accounts that don't exist. The actual iptables
command looks something like:
/sbin/iptables -A INPUT -p tcp --dport 22 -s $IP -j DROP
End of line.
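A worked example of the log-monitoring approach described in the reply, added here as illustration and not the poster's own program: it parses sshd lines, counts attempts against accounts that do not exist per source address, ignores wrong passwords on real accounts (the "user mistake" case the original question asked about), and emits the same INPUT-chain DROP rule the reply shows once a source passes a threshold. The log lines, the threshold of 5, the host name and the IP addresses are all constructed for the example; the only real pieces are the OpenSSH message formats ("Invalid user ... from ..." and "Failed password for ... from ...") and the iptables command from the post.

```python
import re
import subprocess
import sys
from collections import defaultdict

# OpenSSH logs "Invalid user NAME from IP" once per attempt against an account
# that does not exist on the host. We count only this line, not the matching
# "Failed password for invalid user ..." line, so each attempt counts once.
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)

# A wrong password on an account that does exist. These are the ordinary
# "user mistake" case and are tracked but never counted toward a block.
FAILED_VALID_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?!invalid user)(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)

THRESHOLD = 5  # assumed: invalid-account attempts from one IP before we block it

# Constructed sample log (not real traffic). 203.0.113.5 walks a word list of
# nonexistent accounts; 198.51.100.7 is a real user who mistypes twice and then
# logs in; 198.51.100.9 is a single typo of a username.
SAMPLE_LOG = """\
Oct 20 13:40:01 gw sshd[2101]: Invalid user admin from 203.0.113.5
Oct 20 13:40:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Oct 20 13:40:03 gw sshd[2103]: Invalid user oracle from 203.0.113.5
Oct 20 13:40:05 gw sshd[2105]: Invalid user test from 203.0.113.5
Oct 20 13:40:07 gw sshd[2107]: Invalid user guest from 203.0.113.5
Oct 20 13:40:09 gw sshd[2109]: Invalid user ftp from 203.0.113.5
Oct 20 13:41:00 gw sshd[2111]: Failed password for jon from 198.51.100.7 port 51002 ssh2
Oct 20 13:41:04 gw sshd[2113]: Failed password for jon from 198.51.100.7 port 51003 ssh2
Oct 20 13:41:09 gw sshd[2115]: Accepted password for jon from 198.51.100.7 port 51004 ssh2
Oct 20 13:42:00 gw sshd[2117]: Invalid user jno from 198.51.100.9
"""


def count_invalid_attempts(lines):
    """Return {ip: [nonexistent usernames tried, one entry per attempt]}."""
    attempts = defaultdict(list)
    for line in lines:
        m = INVALID_USER_RE.search(line)
        if m:
            user, ip = m.groups()
            attempts[ip].append(user)
    return attempts


def count_user_mistakes(lines):
    """Return {ip: number of wrong passwords on accounts that DO exist}."""
    mistakes = defaultdict(int)
    for line in lines:
        m = FAILED_VALID_RE.search(line)
        if m:
            mistakes[m.group(2)] += 1
    return mistakes


def ips_to_block(lines, threshold=THRESHOLD):
    """Sources with at least `threshold` attempts against nonexistent accounts."""
    attempts = count_invalid_attempts(lines)
    return sorted(ip for ip, users in attempts.items() if len(users) >= threshold)


def iptables_rule(ip, port=22):
    """The INPUT-chain DROP rule from the post, as an argv list (no shell quoting)."""
    return ["/sbin/iptables", "-A", "INPUT", "-p", "tcp",
            "--dport", str(port), "-s", ip, "-j", "DROP"]


def block(ip, dry_run=True):
    """Apply (or, by default, only print) the DROP rule for one source address."""
    cmd = iptables_rule(ip)
    if not dry_run:
        subprocess.run(cmd, check=True)  # requires root; assumed path /sbin/iptables
    return " ".join(cmd)


if __name__ == "__main__":
    # Usage: python monitor.py /var/log/secure   (RedHat) or /var/log/auth.log
    # With no argument the constructed sample log is analysed in dry-run mode.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    log_lines = text.splitlines()
    for src, n in count_user_mistakes(log_lines).items():
        print(f"{src}: {n} wrong password(s) on real accounts (not blocked)")
    for src in ips_to_block(log_lines):
        print("would run:", block(src, dry_run=True))
```

The threshold applies only to attempts against accounts that do not exist, which is the signal that separates a word-list run from a user who fat-fingers a password; a wrong password on a real account is reported but never blocks, so a legitimate user cannot lock out their own office. Pass `dry_run=False` only once you have watched the printed rules for a while and are satisfied with the threshold for your site.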