Re: Detecting Brute-Force and Dictionary attacks

On Wednesday 18 October 2006 03:01, Shashi Kanth Boddula wrote:
Hi All,  

I am looking for a good tool to detect brute-force and dictionary attacks
on user accounts on a Linux system . The tool should also have the
intelligence to differntiate between user mistakes and actual
brute-force/dictionary attacks and reduce the false positives. SuSE/RedHat
included security tools are not helping in this case .

You're going to need a modified login(1) which will record the passwords used.
An obvious security risk, particularly as this binary is far more likely to
be part of an attacker's kit. You'll definitely want to examine the source,
and test it on a lab machine with at least a HIDS installed!

Then you're going to have to decide on a mechanism for detecting an actual
dictionary attack, and periodically parse the resulting file. A simpler
solution may lie in just counting failed logins per username.

Even that is complicated by SuSE (at least 10.0, which is the only version I
have running here, has a broken lastb. The first time I ran it, it gave the
standard message about /var/log/btmp possibly having been removed. So I did
the following:

touch /var/log/btmp
chown root:tty /var/log/btmp
chmod 600 /var/log/btmp /var/log/btmp

Running lastb then gave me:

# lastbfermi:~ # lastb

btmp begins Fri Oct 20 09:49:00 2006

But it still doesn't record failed logins. You might try playing with
ownership and permissions. I simply set it up to match a Fedora Core 4
machine as closely as possible, given that under SuSE ownership is root:tty,
and Fedora assigns root:utmp.

lastb was also broken from Red Hat 7 (at least) until, if my old system
fingerprinting notes are reliable, Fedora Core 3. I won't have a RHEL server
available until probably next week, so I can't any results for that.

Please , anyone knows any third party security tool or any opensource
security  tool which solves my problem ?

I very much doubt such a thing exists in a generic form--it's just such an
obvious 'Bad Guy' sort of thing. I believe it does exist as a modified sshd,
though, as part of a Honeypot project.


Greg Metcalfe