Focus on Linux
Detecting Brute-Force and Dictionary attacks Oct 18 2006 10:01AM
Shashi Kanth Boddula (shashi boddula oracle com) (7 replies)
Re: Detecting Brute-Force and Dictionary attacks Oct 26 2006 01:42PM
shashi (shashi boddula oracle com) (1 replies)
Re: Detecting Brute-Force and Dictionary attacks Oct 30 2006 02:22AM
Jason Nicholls (jason mindsocket com au)
Re: Detecting Brute-Force and Dictionary attacks Oct 22 2006 06:36PM
Rob Creely (programmingart gmail com)
Re: Detecting Brute-Force and Dictionary attacks Oct 20 2006 05:25PM
Greg Metcalfe (metcalfegreg qwest net)
Re: Detecting Brute-Force and Dictionary attacks Oct 20 2006 04:33PM
rowland onobrauche (rowland onobrauche legendplc com)
Re: Detecting Brute-Force and Dictionary attacks Oct 19 2006 05:42PM
Cor Gest (cor clsnet nl) (1 replies)
Re: Detecting Brute-Force and Dictionary attacks Oct 20 2006 08:21PM
Hans Wolters (php xs4all nl)

On 19 Oct 2006, at 19:42, Cor Gest wrote:

>
> Some entity AKA "Shashi Kanth Boddula" <shashi.boddula (at) oracle (dot) com [email concealed]>
> wrote this mindboggling stuff, while thinking about the OS-BBQ.
>
> (selectively-snipped-or-not-p)
>> Hi All,
>>
>> I am looking for a good tool to detect brute-force and dictionary
>> attacks on user accounts on a Linux system. The tool should also
>> have the intelligence to differentiate between user mistakes and
>> actual brute-force/dictionary attacks and reduce the false
>> positives. SuSE/RedHat included security tools are not helping in
>> this case.
>>
>> Please, does anyone know any third party security tool or any
>> opensource security tool which solves my problem?
>
> A basic is already in the system in the config of /etc/login.defs
> login_delay 'nn sec' and max_retry 'nn' and log the fails.
> A delay of 5 minutes after 2 failed is annoying enough to most.
>
> But how do you want to differentiate between "usert" and "uiser",
> which can be honest typos or part of the dictionary, since dicts
> thrive on those 'typos'.

I think the OP would like to detect common attacks like the ssh worms
running around in the wild. Maybe an oracle machine, no not a machine
running oracle, should be available for dynamic locations.

I would suggest logging to a script before it gets written to the
syslog. Within the script (or daemon) it could be detected how fast a
user is trying to log on:

Oct 15 13:40:14 xxxxxi sshd[4885]: Could not reverse map address 200.x.x.x.
Oct 15 13:40:17 xxxxxi sshd[4887]: Could not reverse map address 200.x.x.x.
Oct 15 13:40:18 xxxxxi sshd[4889]: Could not reverse map address 200.x.x.x.
Oct 15 13:40:20 xxxxxi sshd[4891]: Could not reverse map address 200.x.x.x.
Oct 15 13:40:21 xxxxxi sshd[4893]: Could not reverse map address 200.x.x.x.
Oct 15 13:40:23 xxxxxi sshd[4898]: Could not reverse map address 200.x.x.x.

Any user that would type this fast would need to get a bonus or
should be banned, which could be arranged by the daemon/script.

It is nice to block these users on a firewall since they take up
unwanted space in your /var/adm/auth.log or similar logs...

Hans
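The rate check Hans describes, written out as an added example (not code from Hans or anyone else on the thread): a script that parses sshd syslog lines, keeps a sliding window of events per source address, and flags a source the moment it crosses a threshold, so a burst like the six lines above is caught while a user who retries twice in three minutes is not. The sample lines are constructed from the ones quoted above; the 10.0.0.7 address, the user "bob" and the default thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample: the six lines quoted in the post (host and address masked
# as in the original) plus two slow retries from a made-up address, 10.0.0.7.
SAMPLE_LOG = """\
Oct 15 13:40:14 xxxxxi sshd[4885]: Could not reverse map address 200.x.x.x.
Oct 15 13:40:17 xxxxxi sshd[4887]: Could not reverse map address 200.x.x.x.
Oct 15 13:40:18 xxxxxi sshd[4889]: Could not reverse map address 200.x.x.x.
Oct 15 13:40:20 xxxxxi sshd[4891]: Could not reverse map address 200.x.x.x.
Oct 15 13:40:21 xxxxxi sshd[4893]: Could not reverse map address 200.x.x.x.
Oct 15 13:40:23 xxxxxi sshd[4898]: Could not reverse map address 200.x.x.x.
Oct 15 13:42:10 xxxxxi sshd[4901]: Failed password for bob from 10.0.0.7 port 51234 ssh2
Oct 15 13:45:30 xxxxxi sshd[4910]: Failed password for bob from 10.0.0.7 port 51240 ssh2
"""

SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
# Two sshd message shapes; each capture group is the connecting address.
SOURCE_RES = [re.compile(r"Could not reverse map address (\S+)"),
              re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")]

def parse_line(line):
    """Return (timestamp, source) for an sshd line we care about, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    for src_re in SOURCE_RES:
        s = src_re.search(m.group(2))
        if s:  # syslog has no year; strptime's 1900 default is fine for deltas
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            return ts, s.group(1).rstrip(".")
    return None

def find_bursts(lines, max_events=5, window_seconds=30):
    """Flag a source as soon as it logs max_events events within window_seconds."""
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    flagged = {}                 # source -> timestamp of the event that crossed the threshold
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src = parsed
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop events that aged out of the window
        if len(q) >= max_events and src not in flagged:
            flagged[src] = ts
    return flagged
```

With the defaults, `find_bursts(SAMPLE_LOG.splitlines())` flags only 200.x.x.x, at 13:40:21 (its fifth line in nine seconds); the output is what a daemon would hand to a firewall rule.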

Re: Detecting Brute-Force and Dictionary attacks Oct 19 2006 03:12PM
Alec Muffett (Alec Muffett uk sun com)
RE: Detecting Brute-Force and Dictionary attacks Oct 19 2006 02:43PM
John Forristel (SunGard-Chico) (John Forristel sungardbi-tech com)
Copyright 2010, SecurityFocus