Network Security Focus-Linux

Re: Detecting Brute-Force and Dictionary attacks

Subject: Re: Detecting Brute-Force and Dictionary attacks
Date: Fri, 20 Oct 2006 10:25:16 -0700
On Wednesday 18 October 2006 03:01, Shashi Kanth Boddula wrote:
> Hi All,
>
> I am looking for a good tool to detect brute-force and dictionary attacks
> on user accounts on a Linux system. The tool should also have the
> intelligence to differentiate between user mistakes and actual
> brute-force/dictionary attacks and reduce the false positives. SuSE/RedHat
> included security tools are not helping in this case.

You're going to need a modified login(1) which will record the passwords used. 
An obvious security risk, particularly as this binary is far more likely to 
be part of an attacker's kit. You'll definitely want to examine the source, 
and test it on a lab machine with at least a HIDS installed!

Then you're going to have to decide on a mechanism for detecting an actual 
dictionary attack, and periodically parse the resulting file. A simpler 
solution may lie in just counting failed logins per username.

Even that is complicated by SuSE (at least 10.0, which is the only version I 
have running here) having a broken lastb. The first time I ran it, it gave the 
standard message about /var/log/btmp possibly having been removed. So I did 
the following:

touch /var/log/btmp
chown root:tty /var/log/btmp
chmod 600 /var/log/btmp

Running lastb then gave me:

fermi:~ # lastb

btmp begins Fri Oct 20 09:49:00 2006

But it still doesn't record failed logins. You might try playing with 
ownership and permissions. I simply set it up to match a Fedora Core 4 
machine as closely as possible, given that under SuSE ownership is root:tty, 
and Fedora assigns root:utmp.

lastb was also broken from Red Hat 7 (at least) until, if my old system 
fingerprinting notes are reliable, Fedora Core 3. I won't have a RHEL server 
available until probably next week, so I can't give any results for that.

> Please, does anyone know of any third-party security tool or any open-source
> security tool which solves my problem?

I very much doubt such a thing exists in a generic form--it's just such an 
obvious 'Bad Guy' sort of thing. I believe it does exist as a modified sshd, 
though, as part of a Honeypot project.

Regards,
 
Greg Metcalfe
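The "just count failed logins per username" approach Greg suggests, worked through as an added example (not code from the thread or from any SuSE/Red Hat tool). It scores sshd password-authentication lines from syslog rather than the btmp file, since lastb was the part that was broken, and it applies the false-positive rule the original question asks for: a few failures from one address followed by a successful login for the same user is classed as a typo, while a burst of failures inside one time window is classed as brute force, or as a dictionary attack when the burst is spread across several usernames. The log lines, the hostname "fermi", the addresses (RFC 5737 documentation ranges), the year used to complete the syslog timestamps, and the thresholds are all constructed assumptions; console login(1) failures do not appear in these lines, so they are not covered.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format OpenSSH writes to
# /var/log/messages or /var/log/secure. Hostname, PIDs and addresses are made
# up; the addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Oct 20 09:49:01 fermi sshd[4101]: Failed password for alice from 192.0.2.20 port 51002 ssh2
Oct 20 09:49:05 fermi sshd[4101]: Failed password for alice from 192.0.2.20 port 51002 ssh2
Oct 20 09:49:09 fermi sshd[4101]: Accepted password for alice from 192.0.2.20 port 51002 ssh2
Oct 20 09:49:30 fermi CRON[4105]: (root) CMD (run-parts /etc/cron.hourly)
Oct 20 09:50:00 fermi sshd[4110]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Oct 20 09:50:01 fermi sshd[4111]: Failed password for invalid user test from 198.51.100.7 port 40002 ssh2
Oct 20 09:50:03 fermi sshd[4112]: Failed password for root from 198.51.100.7 port 40003 ssh2
Oct 20 09:50:04 fermi sshd[4113]: Failed password for invalid user oracle from 198.51.100.7 port 40004 ssh2
Oct 20 09:50:06 fermi sshd[4114]: Failed password for invalid user guest from 198.51.100.7 port 40005 ssh2
Oct 20 09:50:08 fermi sshd[4115]: Failed password for alice from 198.51.100.7 port 40006 ssh2
Oct 20 10:15:00 fermi sshd[4201]: Failed password for root from 203.0.113.9 port 33001 ssh2
Oct 20 10:15:02 fermi sshd[4202]: Failed password for root from 203.0.113.9 port 33002 ssh2
Oct 20 10:15:04 fermi sshd[4203]: Failed password for root from 203.0.113.9 port 33003 ssh2
Oct 20 10:15:06 fermi sshd[4204]: Failed password for root from 203.0.113.9 port 33004 ssh2
Oct 20 10:15:08 fermi sshd[4205]: Failed password for root from 203.0.113.9 port 33005 ssh2
"""

# Only sshd password-auth outcomes are scored; "invalid user" is optional
# because sshd prefixes it when the account does not exist.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\S+) port \d+'
)

# Syslog timestamps carry no year; the year of the thread is assumed here.
LOG_YEAR = 2006


def parse(log_text):
    """Return a list of (timestamp, result, user, ip) for each matching line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other daemons, or sshd messages this example ignores
        ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S').replace(year=LOG_YEAR)
        events.append((ts, m['result'], m['user'], m['ip']))
    return events


def analyze(log_text, window_s=60, threshold=5, dict_users=3):
    """Classify every source address that produced at least one failure.

    Returns ip -> {'kind', 'failures', 'users'} where kind is:
      'dictionary'      threshold failures within window_s, spread over
                        dict_users or more distinct usernames
      'brute-force'     threshold failures within window_s against fewer names
      'user-mistake'    below threshold, and the same address later logged in
                        successfully as one of the users it failed against
      'below-threshold' below threshold with no success (slow attacks land
                        here, so a long window is worth running as well)
    """
    fails = defaultdict(list)    # ip -> [(ts, user), ...]
    accepted = defaultdict(set)  # ip -> users that eventually logged in
    for ts, result, user, ip in parse(log_text):
        if result == 'Failed':
            fails[ip].append((ts, user))
        else:
            accepted[ip].add(user)

    report = {}
    for ip, items in fails.items():
        items.sort()
        times = [t for t, _ in items]
        users = {u for _, u in items}
        burst = False
        start = 0
        for end in range(len(times)):
            # Slide the window's left edge until it spans at most window_s.
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if burst:
            kind = 'dictionary' if len(users) >= dict_users else 'brute-force'
        elif accepted[ip] & users:
            kind = 'user-mistake'
        else:
            kind = 'below-threshold'
        report[ip] = {'kind': kind, 'failures': len(items), 'users': sorted(users)}
    return report


if __name__ == '__main__':
    for ip, r in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{ip:15} {r['kind']:16} failures={r['failures']} "
              f"users={','.join(r['users'])}")
```

The thresholds are the tuning knobs the original question is really about: lowering the window or the count catches more, but pushes fat-fingered users into the alert pile, and anything paced slower than threshold per window is not seen at all, so in practice the same counter is run with a second, much longer window.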
