Network Security Focus-Linux

Re: Detecting Brute-Force and Dictionary attacks

Subject: Re: Detecting Brute-Force and Dictionary attacks
Date: Fri, 20 Oct 2006 22:21:44 +0200

On 19-Oct-2006, at 19:42, Cor Gest wrote:

Some entity AKA "Shashi Kanth Boddula" <shashi.boddula@oracle.com> wrote this mindboggling stuff, while thinking about the OS-BBQ.

(selectively-snipped-or-not-p)
Hi All,

I am looking for a good tool to detect brute-force and dictionary attacks on user accounts on a Linux system. The tool should also have the intelligence to differentiate between user mistakes and actual brute-force/dictionary attacks and reduce the false positives. SuSE/RedHat included security tools are not helping in this case.

Please, does anyone know of any third party security tool or any open source security tool which solves my problem?

A basic one is already in the system in the config of /etc/login.defs: login_delay 'nn sec' and max_retry 'nn', and log the fails. A delay of 5 minutes after 2 failed is annoying enough to most.

But how do you want to differentiate between "usert" and "uiser", which can be honest typos or part of the dictionary, since dicts thrive on those 'typos'.

I think the OP would like to detect common attacks like the ssh worms running around in the wild. Maybe an oracle machine (no, not a machine running Oracle) should be available for dynamic locations.

I would suggest logging to a script before it gets written to the syslog. Within
the script (or daemon) it could be detected how fast a user is trying to log
on:

Oct 15 13:40:14 xxxxxi sshd[4885]: Could not reverse map address 200.x.x.x.
Oct 15 13:40:17 xxxxxi sshd[4887]: Could not reverse map address 200.x.x.x.
Oct 15 13:40:18 xxxxxi sshd[4889]: Could not reverse map address 200.x.x.x.
Oct 15 13:40:20 xxxxxi sshd[4891]: Could not reverse map address 200.x.x.x.
Oct 15 13:40:21 xxxxxi sshd[4893]: Could not reverse map address 200.x.x.x.
Oct 15 13:40:23 xxxxxi sshd[4898]: Could not reverse map address 200.x.x.x.

Any user that would type this fast would need to get a bonus or should be banned;
that could be arranged by the daemon/script.

It is nice to block these users on a firewall since they take up unwanted space
in your /var/adm/auth.log or similar logs...


Hans
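
An added example (not Hans's code, nor anything posted in the thread) of the rate check such a script or daemon would perform: it parses sshd syslog lines, counts events per source address inside a sliding time window, and returns the firewall rule for any source that exceeds the threshold, so a single user's occasional typo never trips it. The sample lines, the documentation addresses, the assumed year and the threshold values are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample, modelled on the lines quoted in the thread; the real
# source address is replaced by documentation addresses (192.0.2.10 etc.).
SAMPLE_LOG = """\
Oct 15 13:40:14 host sshd[4885]: Could not reverse map address 192.0.2.10.
Oct 15 13:40:17 host sshd[4887]: Could not reverse map address 192.0.2.10.
Oct 15 13:40:18 host sshd[4889]: Could not reverse map address 192.0.2.10.
Oct 15 13:40:20 host sshd[4891]: Could not reverse map address 192.0.2.10.
Oct 15 13:40:21 host sshd[4893]: Could not reverse map address 192.0.2.10.
Oct 15 13:40:23 host sshd[4898]: Could not reverse map address 192.0.2.10.
Oct 15 13:41:05 host sshd[4910]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Oct 15 13:43:30 host sshd[4931]: Failed password for alice from 198.51.100.7 port 51040 ssh2
"""

# Two sshd message shapes: the reverse-map notice from the thread and the usual failed-password line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Could not reverse map address (?P<ip1>[\d.]+)\.|"
    r"Failed password for (?:invalid user )?\S+ from (?P<ip2>[\d.]+) )"
)
def parse_timestamp(ts, year=2006):
    # syslog timestamps carry no year; the assumed year only matters across New Year.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_fast_sources(log_text, max_events=5, window_seconds=60):
    """Return {ip: peak_count} for sources with more than max_events sshd events
    inside a sliding window of window_seconds (counted per address, not per user)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # unrelated syslog line
        ip = m.group("ip1") or m.group("ip2")
        when = parse_timestamp(m.group("ts"))
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window_seconds:
            q.popleft()             # drop events that aged out of the window
        if len(q) > max_events:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def block_commands(flagged):
    """Firewall rules the daemon would apply; returned as strings, not executed."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(flagged)]
```

On the sample, only 192.0.2.10 (six events in nine seconds) is flagged; the two failed logins from 198.51.100.7, two and a half minutes apart, stay below the threshold.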
