RE: Detecting Brute-Force and Dictionary attacks



I am looking for a good tool to detect brute-force and dictionary attacks on
user accounts on a Linux system. The tool should also have the intelligence
to differentiate between user mistakes and actual brute-force/dictionary
attacks and reduce the false positives. SuSE/RedHat included security tools
are not helping in this case.

There is a purely netfilter/iptables solution here:
http://msgs.securepoint.com/cgi-bin/get/netfilter-0505/62.html

That example is for SSH, but you can probably tweak it to do what you need.

For kernels that don't have all the netfilter modules compiled in, I wrote
a program to monitor my logs and add a rule to the INPUT chain to block
repeated connections with accounts that don't exist. The actual iptables
command looks something like:

/sbin/iptables -A INPUT -p tcp --dport 22 -s $IP -j DROP






End of line.
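As an added example (not the poster's own program), here is a minimal version of the log-monitor logic described above in Python: it counts sshd "Invalid user" lines per source address over constructed sample log lines and returns the iptables command quoted in the reply for any source over a threshold, without executing it. The syslog line format, the threshold of 3 and the sample addresses are assumptions.

```python
"""Constructed example: spot repeated logins to nonexistent accounts in sshd
logs and build the iptables DROP rule from the post (returned, not executed)."""
import re
from collections import Counter

# Matches OpenSSH's "Invalid user <name> from <ip>" syslog message (assumed format).
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample log lines; the addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 12 03:14:15 host sshd[1201]: Invalid user admin from 203.0.113.7
Jan 12 03:14:16 host sshd[1202]: Invalid user oracle from 203.0.113.7
Jan 12 03:14:17 host sshd[1203]: Invalid user test from 203.0.113.7
Jan 12 03:14:18 host sshd[1204]: Invalid user guest from 203.0.113.7
Jan 12 03:15:02 host sshd[1210]: Invalid user bob from 198.51.100.9
Jan 12 03:15:40 host sshd[1211]: Failed password for alice from 198.51.100.9 port 51234 ssh2
"""


def count_invalid_users(log_text):
    """Return {ip: number of attempts against accounts that do not exist}.
    Only 'Invalid user' lines count: a real user mistyping their password
    produces 'Failed password' instead, so it never contributes here. This is
    what keeps ordinary user mistakes from looking like an attack."""
    attempts = Counter()
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            _user, ip = m.groups()
            attempts[ip] += 1
    return attempts


def block_rules(log_text, threshold=3):
    """Return the iptables commands (as written in the post) for every source
    that hit `threshold` or more nonexistent accounts. The commands are only
    returned; a real monitor would run them once and remember what it blocked."""
    rules = []
    for ip, n in sorted(count_invalid_users(log_text).items()):
        if n >= threshold:
            rules.append(f"/sbin/iptables -A INPUT -p tcp --dport 22 -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in block_rules(SAMPLE_LOG):
        print(rule)
```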