Network Security Focus-Linux

Re: Detecting Brute-Force and Dictionary attacks

Subject: Re: Detecting Brute-Force and Dictionary attacks
Date: Thu, 19 Oct 2006 16:12:46 +0100

I am looking for a good tool to detect brute-force and dictionary
attacks on user accounts on a Linux system. The tool should also
have the intelligence to differentiate between user mistakes and
actual brute-force/dictionary attacks and reduce the false
positives. SuSE/RedHat included security tools are not helping in
this case.

I must admit I've always thought of this problem as being one which
collapses into one of two other scenarios:

  1) You lose a copy of your password file and someone runs a
     password-guesser against it, offline; they then find a weak
     password and log directly and cleanly into your machine, and you
     lose, game over.

  2) You audit your system for all failed authentication attempts -
     ssh, telnet (ick!), IMAP, POP, etc - and detect a chain of failed
     login attempts on any network-enabled authenticating service.
     What happens next ideally requires human intervention, for
     reasons which I explored when I wrote up my complaints regarding
     three-strikes lockout:

http://blogs.sun.com/alecm?entry=three_strikes_password_security_considered

So I too would be interested in who's tried addressing this problem,
and what authentication mechanism they are bothering to check; the
ideal would be some sort of real-time analysis daemon that plugs into
the PAM stack when capturing/returning failed authentication attempts.

Assuming everyone uses PAM for everything.  :-)

Alas, reality dictates that we'll probably get 
"just another log scraper"(TM)

        - alec
        http://www.crypticide.com/dropsafe/
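Scenario 2 above, and the "just another log scraper" the reply expects, amount to this: read the failed-authentication records, group them by source, and separate a handful of typos that end in a successful login from a burst of guesses across many account names. The following is an added example and not code from the thread or from any of the tools mentioned. It assumes OpenSSH-style `sshd` syslog lines (`Failed password for ...` / `Accepted password for ...`); the log lines, the year (syslog omits it), and the thresholds (five failures in sixty seconds, or three distinct usernames from one source) are constructed assumptions, not values from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2006  # syslog lines carry no year; assumed for the constructed sample

# Constructed sample log (not from the original post). 198.51.100.0/24 and
# 203.0.113.0/24 are documentation address ranges.
SAMPLE_LOG = """\
Oct 19 16:10:01 host sshd[2101]: Failed password for alice from 198.51.100.7 port 50122 ssh2
Oct 19 16:10:09 host sshd[2101]: Failed password for alice from 198.51.100.7 port 50122 ssh2
Oct 19 16:10:15 host sshd[2101]: Accepted password for alice from 198.51.100.7 port 50122 ssh2
Oct 19 16:12:46 host sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Oct 19 16:12:47 host sshd[2211]: Failed password for invalid user oracle from 203.0.113.5 port 4243 ssh2
Oct 19 16:12:47 host sshd[2212]: Failed password for root from 203.0.113.5 port 4244 ssh2
Oct 19 16:12:48 host sshd[2213]: Failed password for invalid user test from 203.0.113.5 port 4245 ssh2
Oct 19 16:12:49 host sshd[2214]: Failed password for invalid user guest from 203.0.113.5 port 4246 ssh2
Oct 19 16:12:50 host sshd[2215]: Failed password for root from 203.0.113.5 port 4247 ssh2
"""

# OpenSSH password-auth outcome lines; "invalid user" marks an unknown account.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return (timestamp, result, user, ip) for an sshd auth line, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def max_in_window(times, window):
    """Largest number of events falling inside any single window (two-pointer sweep)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify_sources(log_text, window=timedelta(seconds=60), max_failures=5, max_users=3):
    """Map each source IP with failures to 'brute-force', 'user-mistake' or 'suspicious'.

    Thresholds are assumptions for the example: a burst of max_failures within
    `window`, or guesses against max_users distinct account names, is treated as
    an attack. A few failures followed by a successful login from the same source
    is the typo pattern; anything else is left for a human to look at.
    """
    failures = defaultdict(list)   # ip -> [(timestamp, username)]
    successes = defaultdict(list)  # ip -> [timestamp]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            failures[ip].append((ts, user))
        else:
            successes[ip].append(ts)

    verdicts = {}
    for ip, fails in failures.items():
        times = [t for t, _ in fails]
        users = {u for _, u in fails}
        burst = max_in_window(times, window)
        if burst >= max_failures or len(users) >= max_users:
            verdicts[ip] = "brute-force"
        elif any(s > min(times) for s in successes.get(ip, [])):
            verdicts[ip] = "user-mistake"
        else:
            verdicts[ip] = "suspicious"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{ip:15} {verdict}")
```

The "suspicious" bucket is deliberate: as the reply argues, a few failures with no later success is exactly the case where automatic lockout does more harm than good, so the scraper flags it rather than acting on it.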

