Focus on Linux
Detecting Brute-Force and Dictionary attacks Oct 18 2006 10:01AM
Shashi Kanth Boddula (shashi boddula oracle com) (7 replies)
Re: Detecting Brute-Force and Dictionary attacks Oct 26 2006 01:42PM
shashi (shashi boddula oracle com) (1 replies)
Re: Detecting Brute-Force and Dictionary attacks Oct 30 2006 02:22AM
Jason Nicholls (jason mindsocket com au)
Re: Detecting Brute-Force and Dictionary attacks Oct 22 2006 06:36PM
Rob Creely (programmingart gmail com)
Re: Detecting Brute-Force and Dictionary attacks Oct 20 2006 05:25PM
Greg Metcalfe (metcalfegreg qwest net)
On Wednesday 18 October 2006 03:01, Shashi Kanth Boddula wrote:
> Hi All,  
>
> I am looking for a good tool to detect brute-force and dictionary attacks
> on user accounts on a Linux system. The tool should also have the
> intelligence to differentiate between user mistakes and actual
> brute-force/dictionary attacks and reduce the false positives. SuSE/RedHat
> included security tools are not helping in this case.
>
You're going to need a modified login(1) which will record the passwords used.
An obvious security risk, particularly as this binary is far more likely to
be part of an attacker's kit. You'll definitely want to examine the source,
and test it on a lab machine with at least a HIDS installed!

Then you're going to have to decide on a mechanism for detecting an actual
dictionary attack, and periodically parse the resulting file. A simpler
solution may lie in just counting failed logins per username.

Even that is complicated: SuSE (at least 10.0, which is the only version I
have running here) has a broken lastb. The first time I ran it, it gave the
standard message about /var/log/btmp possibly having been removed. So I did
the following:

touch /var/log/btmp
chown root:tty /var/log/btmp
chmod 600 /var/log/btmp

Running lastb then gave me:

fermi:~ # lastb

btmp begins Fri Oct 20 09:49:00 2006

But it still doesn't record failed logins. You might try playing with
ownership and permissions. I simply set it up to match a Fedora Core 4
machine as closely as possible, given that under SuSE ownership is root:tty,
and Fedora assigns root:utmp.

lastb was also broken from Red Hat 7 (at least) until, if my old system
fingerprinting notes are reliable, Fedora Core 3. I won't have a RHEL server
available until probably next week, so I can't give any results for that.

> Please, does anyone know of any third party security tool or any open-source
> security tool which solves my problem?

I very much doubt such a thing exists in a generic form--it's just such an
obvious 'Bad Guy' sort of thing. I believe it does exist as a modified sshd,
though, as part of a Honeypot project.

Regards,

Greg Metcalfe

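Greg's "simpler solution" of counting failed logins per username, and the original poster's wish to tell user mistakes apart from real attacks, can both be done from the sshd entries in the system auth log without a password-recording login(1). The script below is an added example written for this page; it is not code from the thread or from any of the tools mentioned. The log lines are constructed for the example (the format is the one OpenSSH's sshd writes through syslog), the year is assumed because classic syslog lines carry none, and the thresholds and window are assumptions chosen to fit the sample, not tuned values. The same logic would run over `lastb` output on a system where /var/log/btmp actually works.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample auth-log lines (not taken from the thread). The format is
# the one OpenSSH's sshd writes via syslog; classic syslog omits the year, so
# the parser assumes one (LOG_YEAR below).
SAMPLE_LOG = """\
Oct 20 09:49:01 fermi sshd[2314]: Failed password for alice from 192.0.2.10 port 51022 ssh2
Oct 20 09:49:07 fermi sshd[2314]: Failed password for alice from 192.0.2.10 port 51022 ssh2
Oct 20 09:49:30 fermi sshd[2316]: Accepted password for alice from 192.0.2.10 port 51023 ssh2
Oct 20 10:15:01 fermi sshd[2401]: Failed password for root from 198.51.100.7 port 3344 ssh2
Oct 20 10:15:03 fermi sshd[2402]: Failed password for root from 198.51.100.7 port 3345 ssh2
Oct 20 10:15:05 fermi sshd[2403]: Failed password for root from 198.51.100.7 port 3346 ssh2
Oct 20 10:15:07 fermi sshd[2404]: Failed password for root from 198.51.100.7 port 3347 ssh2
Oct 20 10:15:09 fermi sshd[2405]: Failed password for root from 198.51.100.7 port 3348 ssh2
Oct 20 10:15:11 fermi sshd[2406]: Failed password for root from 198.51.100.7 port 3349 ssh2
Oct 20 11:02:10 fermi sshd[2510]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Oct 20 11:02:15 fermi sshd[2511]: Failed password for invalid user test from 203.0.113.9 port 40002 ssh2
Oct 20 11:02:20 fermi sshd[2512]: Failed password for invalid user oracle from 203.0.113.9 port 40003 ssh2
Oct 20 11:02:25 fermi sshd[2513]: Failed password for invalid user guest from 203.0.113.9 port 40004 ssh2
"""

LOG_YEAR = 2006  # assumption: syslog lines carry no year

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_log(text):
    """Turn sshd auth-log text into a list of event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append({"ts": ts, "user": m["user"], "ip": m["ip"],
                       "ok": m["result"] == "Accepted",
                       "invalid_user": m["invalid"] is not None})
    return events


def failures_per_user(events):
    """The simple count Greg suggests: failed logins per username."""
    return Counter(e["user"] for e in events if not e["ok"])


def classify_sources(events, window=300, fail_threshold=5, user_threshold=3):
    """Per source IP: 'dictionary' (>= user_threshold distinct usernames within
    `window` seconds), 'brute-force' (>= fail_threshold failures within the
    window), 'user mistake' (few failures, then the same user logged in).
    Thresholds are assumptions chosen for the sample data, not tuned values."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        if not fails:
            continue
        # Sliding window over the failures: track the busiest `window` seconds.
        max_fails = max_users = 0
        j = 0
        for i in range(len(fails)):
            while (fails[i]["ts"] - fails[j]["ts"]).total_seconds() > window:
                j += 1
            span = fails[j:i + 1]
            max_fails = max(max_fails, len(span))
            max_users = max(max_users, len({e["user"] for e in span}))

        failed_users = {e["user"] for e in fails}
        succeeded = {e["user"] for e in evs if e["ok"]}
        if max_users >= user_threshold:
            verdicts[ip] = "dictionary"
        elif max_fails >= fail_threshold:
            verdicts[ip] = "brute-force"
        elif failed_users & succeeded:
            verdicts[ip] = "user mistake"
        else:
            verdicts[ip] = "low-volume failures"
    return verdicts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, n in failures_per_user(evs).most_common():
        print(f"{n:3d} failures for {user}")
    for ip, verdict in sorted(classify_sources(evs).items()):
        print(f"{ip:16s} {verdict}")
```

The per-username counter alone cannot separate a forgetful user from a single-account brute-force, which is why the verdict is keyed on the source address and looks at three things together: how many failures land in one window, how many different usernames that address tried (a dictionary run against a user list shows up as many "invalid user" names from one source), and whether the same user subsequently logged in. Lowering `fail_threshold` to 2 turns alice's two typos into a "brute-force" verdict, which is the kind of false positive the thresholds are there to control.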
Re: Detecting Brute-Force and Dictionary attacks Oct 20 2006 04:33PM
rowland onobrauche (rowland onobrauche legendplc com)
Re: Detecting Brute-Force and Dictionary attacks Oct 19 2006 05:42PM
Cor Gest (cor clsnet nl) (1 replies)
Re: Detecting Brute-Force and Dictionary attacks Oct 20 2006 08:21PM
Hans Wolters (php xs4all nl)
Re: Detecting Brute-Force and Dictionary attacks Oct 19 2006 03:12PM
Alec Muffett (Alec Muffett uk sun com)
RE: Detecting Brute-Force and Dictionary attacks Oct 19 2006 02:43PM
John Forristel (SunGard-Chico) (John Forristel sungardbi-tech com)
Copyright 2010, SecurityFocus