Focus on Linux
Re: Detecting Brute-Force and Dictionary attacks Oct 25 2006 07:54AM
Denis Pugnere (d pugnere ipnl in2p3 fr) (1 replies)

> I am looking for a good tool to detect brute-force and dictionary attacks on
> user accounts on a Linux system. The tool should also have the intelligence
> to differentiate between user mistakes and actual brute-force/dictionary
> attacks and reduce the false positives. SuSE/RedHat included security tools
> are not helping in this case.
>
> Please, does anyone know of any third-party security tool or any open-source
> security tool which solves my problems?

Hello,

Take a look at pam_abl[1]; it seems to fill your requirements.
It works great!

From the pam_abl site: "Provides auto blacklisting of hosts and users
responsible for repeated failed authentication attempts. Generally
configured so that blacklisted users still see normal login prompts but
are guaranteed to fail to authenticate."

It can block remote hosts that have already tried ssh accounts n times, with
thresholds like 10 failed attempts per hour, and/or 30 failed attempts per
day.

In this example, the rule is:
host_rule=*:10/1h,30/1d

It can also block accounts on thresholds.

[1] : http://www.hexten.net/pam_abl/

Regards
denis
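
The threshold rule quoted in the message above, worked through as an added example (not part of the original post and not pam_abl's own code). It assumes a clause N/period fires at N or more failures inside a window ending now, handles only the "*" host pattern, and runs on constructed events from documentation-range addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_rule(rule):
    """Split 'pattern:N/period,...' into (pattern, [(limit, window), ...])."""
    pattern, _, clauses = rule.partition(":")
    triggers = []
    for clause in clauses.split(","):
        m = re.fullmatch(r"(\d+)/(\d+)([smhd])", clause.strip())
        if not m:
            raise ValueError(f"bad trigger clause: {clause!r}")
        seconds = int(m.group(2)) * UNIT_SECONDS[m.group(3)]
        triggers.append((int(m.group(1)), timedelta(seconds=seconds)))
    return pattern, triggers

def blacklisted_hosts(failures, rule, now):
    """Hosts with at least `limit` failures inside any trigger window ending at `now`."""
    pattern, triggers = parse_rule(rule)
    if pattern != "*":
        raise ValueError("this sketch only handles the '*' (all hosts) pattern")
    by_host = defaultdict(list)
    for ts, host in failures:
        by_host[host].append(ts)
    return {
        host for host, stamps in by_host.items()
        if any(sum(now - window < ts <= now for ts in stamps) >= limit
               for limit, window in triggers)
    }

def sample_failures(now):
    """Constructed failed-login events as (timestamp, source host) pairs."""
    # Fast burst: 12 failures in under 10 minutes, caught by 10/1h.
    burst = [(now - timedelta(seconds=50 * i), "203.0.113.7") for i in range(12)]
    # Slow guessing: one failure every 45 minutes, only 30/1d catches it.
    slow = [(now - timedelta(minutes=45 * i), "198.51.100.23") for i in range(31)]
    # A user mistyping a password three times stays under both limits.
    typos = [(now - timedelta(seconds=20 * i), "192.0.2.10") for i in range(3)]
    return burst + slow + typos

if __name__ == "__main__":
    now = datetime(2006, 10, 25, 7, 54)
    print(sorted(blacklisted_hosts(sample_failures(now), "*:10/1h,30/1d", now)))
```

With only the hourly clause, the slow source never reaches the limit; the daily clause is what catches it while the three-typo user stays clear of both.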

Re: Detecting Brute-Force and Dictionary attacks Oct 25 2006 07:04PM
Max Schubert (security webwizarddesign com)


 

Copyright 2010, SecurityFocus