Focus on Linux
RE: Detecting Brute-Force and Dictionary attacks Oct 20 2006 01:52PM
Master Control Program (jonlin tesuji org)
> I am looking for a good tool to detect brute-force and dictionary attacks o=
> n user accounts on a Linux system . The tool should also have the intellig=
> ence to differntiate between user mistakes and actual brute-force/dictiona=
> ry attacks and reduce the false positives. SuSE/RedHat included security t=
> ools are not helping in this case .=20

There is a purely netfilter/iptables solution here:
http://msgs.securepoint.com/cgi-bin/get/netfilter-0505/62.html

that example is for SSH, but you can probably tweak it to do what you need.

For kernels that don't have all the netfilter modules compiled in, I wrote
a program to monitor my logs and add a rule to the INPUT chain to block
repeated connections with accounts that don't exist. The actual iptables
command looks something like:

/sbin/iptables -A INPUT -p tcp --dport 22 -s $IP -j DROP

End of line.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus