Re: Detecting Brute-Force and Dictionary attacks
- From: "Greg Metcalfe" <metcalfegreg@xxxxxxxxx>
- Date: Fri, 20 Oct 2006 10:25:16 -0700
On Wednesday 18 October 2006 03:01, Shashi Kanth Boddula wrote:
> Hi All,
> I am looking for a good tool to detect brute-force and dictionary attacks
> on user accounts on a Linux system. The tool should also have the
> intelligence to differentiate between user mistakes and actual
> brute-force/dictionary attacks and reduce the false positives. SuSE/RedHat
> included security tools are not helping in this case.

You're going to need a modified login(1) which will record the passwords used.
An obvious security risk, particularly as this binary is far more likely to
be part of an attacker's kit. You'll definitely want to examine the source,
and test it on a lab machine with at least a HIDS installed!
Then you're going to have to decide on a mechanism for detecting an actual
dictionary attack, and periodically parse the resulting file. A simpler
solution may lie in just counting failed logins per username.
Even that is complicated by SuSE (at least 10.0, which is the only version I
have running here) having a broken lastb. The first time I ran it, it gave the
standard message about /var/log/btmp possibly having been removed. So I did
the following:
touch /var/log/btmp
chown root:tty /var/log/btmp
chmod 600 /var/log/btmp
Running lastb then gave me:
fermi:~ # lastb
btmp begins Fri Oct 20 09:49:00 2006
But it still doesn't record failed logins. You might try playing with
ownership and permissions. I simply set it up to match a Fedora Core 4
machine as closely as possible, given that under SuSE ownership is root:tty,
and Fedora assigns root:utmp.
lastb was also broken from Red Hat 7 (at least) until, if my old system
fingerprinting notes are reliable, Fedora Core 3. I won't have a RHEL server
available until probably next week, so I can't give any results for that.
> Please, does anyone know any third-party security tool or any open-source
> security tool which solves my problem?
I very much doubt such a thing exists in a generic form--it's just such an
obvious 'Bad Guy' sort of thing. I believe it does exist as a modified sshd,
though, as part of a Honeypot project.
Regards,
Greg Metcalfe
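The "just count failed logins per username" approach Greg suggests, and the original poster's wish to tell user mistakes apart from a dictionary attack, can be sketched as a small log parser. This is an added example, not code from either poster: it reads OpenSSH "Failed password"/"Accepted password" syslog lines (the sample lines below are constructed, not taken from the thread), counts failures per username, and then classifies each source address with illustrative thresholds (a burst of failures in a short window, many distinct usernames, or repeated non-existent usernames is called an attack; a couple of failures followed by a successful login for the same user is called a mistake). The thresholds and the verdict labels are assumptions to tune for your own site.

```python
"""Count failed logins per user and classify sources as typo vs. dictionary attack.

Added example; not from the original mailing-list post. Sample log lines are
constructed. Thresholds in classify_sources() are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH syslog lines (classic "Mon DD HH:MM:SS" stamps).
SAMPLE_LOG = """\
Oct 20 09:49:01 fermi sshd[2211]: Failed password for greg from 10.0.0.5 port 40110 ssh2
Oct 20 09:49:07 fermi sshd[2211]: Failed password for greg from 10.0.0.5 port 40110 ssh2
Oct 20 09:49:15 fermi sshd[2211]: Accepted password for greg from 10.0.0.5 port 40110 ssh2
Oct 20 09:50:00 fermi sshd[2230]: Failed password for invalid user admin from 192.0.2.10 port 51001 ssh2
Oct 20 09:50:01 fermi sshd[2231]: Failed password for invalid user oracle from 192.0.2.10 port 51002 ssh2
Oct 20 09:50:02 fermi sshd[2232]: Failed password for invalid user test from 192.0.2.10 port 51003 ssh2
Oct 20 09:50:03 fermi sshd[2233]: Failed password for root from 192.0.2.10 port 51004 ssh2
Oct 20 09:50:04 fermi sshd[2234]: Failed password for root from 192.0.2.10 port 51005 ssh2
Oct 20 09:50:05 fermi sshd[2235]: Failed password for root from 192.0.2.10 port 51006 ssh2
Oct 20 09:50:06 fermi sshd[2236]: Failed password for root from 192.0.2.10 port 51007 ssh2
Oct 20 09:50:07 fermi sshd[2237]: Failed password for root from 192.0.2.10 port 51008 ssh2
"""

# "invalid user" is what sshd logs when the account does not exist at all.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:(?P<invalid>invalid user) )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text, year=2006):
    """Return login events (dicts) in time order; syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a password-auth line; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts,
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
            "invalid": m["invalid"] is not None,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def failures_per_user(events):
    """The simple metric from the post: failed logins counted per username."""
    counts = defaultdict(int)
    for e in events:
        if not e["ok"]:
            counts[e["user"]] += 1
    return dict(counts)


def classify_sources(events, max_failures=4, window_seconds=300, max_users=3):
    """Map each source IP with failures to 'dictionary attack', 'user mistake' or 'suspicious'.

    Assumed heuristics: >= max_failures failures inside window_seconds, >= max_users
    distinct usernames, or >= 2 non-existent usernames from one source is an attack;
    a few failures followed by a successful login for the same user is a mistake.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    verdicts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["ok"]]
        if not fails:
            continue
        users = {e["user"] for e in fails}
        invalid_users = {e["user"] for e in fails if e["invalid"]}
        span = (fails[-1]["ts"] - fails[0]["ts"]).total_seconds()
        burst = len(fails) >= max_failures and span <= window_seconds
        succeeded_after = any(
            e["ok"] and e["user"] in users and e["ts"] >= fails[0]["ts"] for e in evs
        )
        if burst or len(users) >= max_users or len(invalid_users) >= 2:
            verdicts[ip] = "dictionary attack"
        elif succeeded_after and len(fails) < max_failures:
            verdicts[ip] = "user mistake"
        else:
            verdicts[ip] = "suspicious"
    return verdicts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, n in sorted(failures_per_user(evs).items()):
        print(f"{user:10s} {n} failed login(s)")
    for ip, verdict in classify_sources(evs).items():
        print(f"{ip:16s} {verdict}")
```

On a real box you would feed it the output of `tail -F /var/log/messages` (SuSE) or `/var/log/secure` (Red Hat) rather than the constructed sample, and the same per-username count can be produced from btmp when lastb works. Note that the "user mistake" rule only fires when the same user later logs in successfully from that address; an attacker who guesses right looks identical, so the count of preceding failures still deserves a look.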