Focus on Linux
Re: Detecting Brute-Force and Dictionary attacks Oct 22 2006 12:12AM
vachanta gmail com
> The tool should also have the intelligence to differentiate between user mistakes and actual brute-force/dictionary attacks and reduce the false positives. SuSE/RedHat included security tools are not helping in this case.

Hello Shashi Kanth,

I don't think there is any intelligent tool that can differentiate between user mistakes and actual brute force, but by integrating information from multiple log files (depending on what services your Linux machine is offering to the outside world), we can effectively detect failed login attempts and act on them appropriately.

That can be automated easily using tools like Swatch (or similar watchdog programs) and/or some scripting (I would choose Perl for parsing the appropriate service daemon log files to look for things like the ones below).

Here are some things I would trigger alerts/actions on:
- Multiple failed logins from the same IP address
- Multiple usernames from the same IP address
- Multiple logins for a single account coming from many different IP addresses
- Failed login attempts from alphabetically sequential usernames or passwords

etc...

Some advanced stuff:

If you have enough resources, research some commonly available password-cracking tools, identify some common/unique traits of those programs, and embed that intelligence into your script to trigger on them.

Hope that helps! And please do keep the list posted if you find some other way/tool.

Learn, share and experience

cheers,

-Venkata Achanta

vachanta AT gmail.com

Learn and experience, mentor and share

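The four triggers listed in the post, run over a handful of constructed sshd log lines, as an added example that is not part of the original post or of any tool it mentions. It is written in Python rather than the Perl the poster suggests, so that it can be run as-is; the rule names, thresholds, the five-minute window and the sample log lines (which follow the OpenSSH "Failed password for ... from ... port ..." format but are made up) are all assumptions of this example. Note that only usernames can be checked for the "alphabetically sequential" trait, since a failed password itself is never written to the log. The last two sample lines show the "user mistake" case from the thread: one failure from an address that then logs in successfully, which none of the rules fire on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines in OpenSSH/syslog format (made up for
# this example, not taken from any real host).
SAMPLE_LOG = """\
Oct 22 00:01:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 4001 ssh2
Oct 22 00:01:02 host sshd[1002]: Failed password for root from 203.0.113.5 port 4002 ssh2
Oct 22 00:01:03 host sshd[1003]: Failed password for root from 203.0.113.5 port 4003 ssh2
Oct 22 00:01:04 host sshd[1004]: Failed password for root from 203.0.113.5 port 4004 ssh2
Oct 22 00:01:05 host sshd[1005]: Failed password for root from 203.0.113.5 port 4005 ssh2
Oct 22 00:02:10 host sshd[1010]: Failed password for invalid user aaron from 198.51.100.7 port 5001 ssh2
Oct 22 00:02:11 host sshd[1011]: Failed password for invalid user abby from 198.51.100.7 port 5002 ssh2
Oct 22 00:02:12 host sshd[1012]: Failed password for invalid user adam from 198.51.100.7 port 5003 ssh2
Oct 22 00:02:13 host sshd[1013]: Failed password for invalid user alice from 198.51.100.7 port 5004 ssh2
Oct 22 00:03:01 host sshd[1020]: Failed password for bob from 192.0.2.11 port 6001 ssh2
Oct 22 00:03:02 host sshd[1021]: Failed password for bob from 192.0.2.12 port 6002 ssh2
Oct 22 00:03:03 host sshd[1022]: Failed password for bob from 192.0.2.13 port 6003 ssh2
Oct 22 00:09:00 host sshd[1030]: Failed password for carol from 192.0.2.50 port 7001 ssh2
Oct 22 00:09:02 host sshd[1031]: Accepted password for carol from 192.0.2.50 port 7001 ssh2
"""

# Matches sshd password failures; "invalid user" appears when the account
# does not exist, which is the common case for a dictionary of usernames.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines):
    """Yield (timestamp, user, ip) for every failed-password line; accepted
    logins and unrelated lines are skipped."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime fills in 1900, which
            # is harmless because only differences between timestamps are used.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def is_alphabetically_sequential(users):
    """True when the usernames are distinct and each sorts after the previous
    one: the trace left by a wordlist being walked in order."""
    return len(users) > 1 and all(a < b for a, b in zip(users, users[1:]))


def detect(lines, window=timedelta(minutes=5), fail_threshold=5,
           user_threshold=3, ip_threshold=3, seq_len=4):
    """Return [(rule, key, evidence)] for the four triggers from the post,
    evaluated over a sliding time window. Each (rule, key) fires once."""
    per_ip = defaultdict(deque)    # ip   -> deque of (ts, user)
    per_user = defaultdict(deque)  # user -> deque of (ts, ip)
    fired, alerts = set(), []

    def fire(rule, key, evidence):
        if (rule, key) not in fired:
            fired.add((rule, key))
            alerts.append((rule, key, evidence))

    for ts, user, ip in parse_failures(lines):
        per_ip[ip].append((ts, user))
        per_user[user].append((ts, ip))
        for dq in (per_ip[ip], per_user[user]):   # drop events outside the window
            while dq and ts - dq[0][0] > window:
                dq.popleft()

        recent = per_ip[ip]
        # 1. many failed logins from one address
        if len(recent) >= fail_threshold:
            fire("many_failures", ip, f"{len(recent)} failed logins within {window}")
        # 2. many different usernames from one address (order of first appearance)
        seen = []
        for _, u in recent:
            if u not in seen:
                seen.append(u)
        if len(seen) >= user_threshold:
            fire("many_usernames", ip, "usernames tried: " + ", ".join(seen))
        # 4. the last seq_len usernames walk a wordlist in alphabetical order
        if len(seen) >= seq_len and is_alphabetically_sequential(seen[-seq_len:]):
            fire("sequential_usernames", ip, "ordered wordlist: " + ", ".join(seen[-seq_len:]))
        # 3. one account attacked from many addresses
        sources = {i for _, i in per_user[user]}
        if len(sources) >= ip_threshold:
            fire("account_from_many_ips", user, "sources: " + ", ".join(sorted(sources)))
    return alerts


if __name__ == "__main__":
    for rule, key, evidence in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule:24s} {key:16s} {evidence}")
```

In a Swatch-style setup the same rules would be evaluated on each new line as the log is tailed; the per-address and per-account deques are what let the thresholds apply to a recent window rather than to the whole file, so a single mistyped password hours ago does not add up to an alert.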

Copyright 2010, SecurityFocus