If ssh is set to log, the attack will be very obvious. A quick cat /var/log/messages | grep "ssh" will make it very clear, although you will need more going forward. I'm getting killed by attacks that are virtually running all day long now.

My QUESTION: why doesn't the following iptables approach work?

ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:ssh state NEW recent: SET name: SSH side: source
LOG     tcp  --  anywhere  anywhere  tcp dpt:ssh recent: UPDATE seconds: 60 hit_count: 4 TTL-Match name: SSH side: source LOG level warning prefix `SSH_brute_force '
DROP    tcp  --  anywhere  anywhere  tcp dpt:ssh recent: UPDATE seconds: 60 hit_count: 4 TTL-Match name: SSH side: source

Sorry for the formatting; it's really just 3 commands, and iptables should drop packets from the offending attacker, but it does not. I want an iptables solution to this.
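An added example, not from the poster, of how a recent-match ruleset of this shape is usually written as iptables commands. iptables stops at the first rule that matches a packet, so the --update/--hitcount rules that log and drop have to sit before the --set/ACCEPT rule that records the address, and every rule carries -m state --state NEW so that packets of a session that was already accepted are not counted as further hits. The thresholds (4 hits within 60 seconds, list name SSH, the SSH_brute_force log prefix) are those in the listing above; the IPT variable, the apply argument and the rule_targets helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example: SSH brute-force rate limit with the iptables "recent" match.
# Assumptions: a 2.6-era kernel with the recent and state matches available;
# 4 new connections per 60 s, the list name "SSH" and the log prefix are taken
# from the thread, everything else is illustrative.
# Set IPT=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"

# Emits (or applies) the rules in the order that makes them effective.
ssh_ratelimit_rules() {
    # 1. Log, then drop, the 4th NEW connection from one source inside 60 s.
    #    --update only touches addresses already in the list, and --rttl also
    #    requires the packet's TTL to match the recorded entry, which makes it
    #    harder to get a legitimate address blocked with spoofed SYNs.
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH \
        -j LOG --log-level warning --log-prefix "SSH_brute_force "
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH \
        -j DROP
    # 2. Not over the limit: record the source address and accept.
    #    If this rule came first, every NEW connection would match it and the
    #    two rules above would never be evaluated.
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --set --name SSH \
        -j ACCEPT
}

# Helper (assumed, for checking the ordering without root): prints the
# target of each rule, in insertion order, as one space-separated line.
rule_targets() {
    ( IPT=echo; ssh_ratelimit_rules ) \
        | sed -n 's/.* -j \([A-Z]*\).*/\1/p' | tr '\n' ' ' | sed 's/ $//'
}

# Usage: as root, "sh ssh-ratelimit.sh apply";
#        "IPT=echo sh ssh-ratelimit.sh apply" prints the commands instead.
case "${1:-}" in
    apply) ssh_ratelimit_rules ;;
esac
```

The two --update rules are deliberately identical except for the target: LOG is a non-terminating target, so the packet continues to the DROP rule after being logged. Applying the rules with IPT=echo first is a cheap way to confirm the order before touching a live firewall.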
Hi,
You can start by checking the log files. I do not know if this can help, but in my particular case I installed Python and I run DenyHosts as a daemon, and that automates the tasks of detecting and preventing attacks. DenyHosts checks the log files and, if there is an attempt to brute force, it places a line in /etc/hosts.deny. So some services running under TCP wrappers can be very simply "controlled" in this manner. Also of great importance is to use the AllowUsers and DenyUsers directives in the sshd config. The "usual" targets are the very well-known system users like wwwrun, tomcat, root and so on. Those should be prevented from an external login. But of course your solution depends a bit on what the purpose of that precise brute-force monitoring is ... and the exact service you are monitoring ...
Regards, Pedro Coelho
--- Shashi Kanth Boddula <shashi.boddula@oracle.com> wrote:
Hi All,
I am looking for a good tool to detect brute-force and dictionary attacks on user accounts on a Linux system. The tool should also have the intelligence to differentiate between user mistakes and actual brute-force/dictionary attacks and reduce the false positives. The security tools included in SLES9/SLES10 are not helping in this case. The seccheck package functionality also does not match my requirement.
Please, does anyone know of any third-party security tool or any open source security tool which solves my problem?
Thanks & Regards, Shashi Kanth, CISSP
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
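Both the first poster's grep of the log and Shashi's request for fewer false positives come down to reading sshd's syslog lines and deciding which sources are guessing. The following is an added example of that classification, not code from any poster, from DenyHosts or from SUSE: it counts failed passwords per source address and reports a source only when the failures reach a threshold and look like guessing (two or more distinct usernames, attempts against accounts that do not exist, or no successful login from that address at all). A user who mistypes the password of their own account a few times and then logs in is not reported. The log lines are constructed for the example, and the function names and thresholds are assumptions.

```shell
#!/bin/sh
# Added example: separate password guessing from ordinary user mistakes in
# sshd's syslog output. Not code from any poster, DenyHosts or SUSE; the log
# lines below are constructed and the thresholds are assumptions.

# Reads syslog-format sshd lines on stdin. Prints one line per source address
# that has at least $1 failed passwords (default 3) AND shows signs of
# guessing: two or more distinct usernames, attempts against accounts that do
# not exist ("invalid user"), or no "Accepted" line from that address at all.
# A few failures on one real account followed by a successful login from the
# same address is treated as a user mistake and not reported.
ssh_bruteforce_report() {
    awk -v thr="${1:-3}" '
    /sshd\[[0-9]+\]: Failed password for/ {
        # "... Failed password for [invalid user] NAME from ADDR port N ssh2"
        for (i = 1; i <= NF; i++)
            if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
        fail[ip]++
        if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        if ($0 ~ /for invalid user/) invalid[ip]++
    }
    /sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++)
            if ($i == "from") ok[$(i + 1)]++
    }
    END {
        for (ip in fail)
            if (fail[ip] >= thr && (users[ip] >= 2 || invalid[ip] > 0 || !(ip in ok)))
                printf "%s failures=%d users=%d invalid=%d\n", ip, fail[ip], users[ip], invalid[ip]
    }' | sort
}

# Constructed sample of /var/log/messages in OpenSSH's syslog format:
# 10.0.0.5 guesses three different accounts, two of which do not exist;
# 192.168.1.20 is a user mistyping their own password before succeeding;
# 10.0.0.6 has two failures, below the threshold.
sample_log() {
    cat <<'EOF'
Mar  3 10:01:02 host sshd[1234]: Failed password for root from 10.0.0.5 port 4000 ssh2
Mar  3 10:01:03 host sshd[1235]: Failed password for invalid user admin from 10.0.0.5 port 4001 ssh2
Mar  3 10:01:04 host sshd[1236]: Failed password for invalid user test from 10.0.0.5 port 4002 ssh2
Mar  3 10:05:00 host sshd[1300]: Failed password for pedro from 192.168.1.20 port 5000 ssh2
Mar  3 10:05:04 host sshd[1300]: Failed password for pedro from 192.168.1.20 port 5000 ssh2
Mar  3 10:05:07 host sshd[1300]: Failed password for pedro from 192.168.1.20 port 5000 ssh2
Mar  3 10:05:10 host sshd[1300]: Accepted password for pedro from 192.168.1.20 port 5000 ssh2
Mar  3 10:09:00 host sshd[1400]: Failed password for root from 10.0.0.6 port 6000 ssh2
Mar  3 10:09:01 host sshd[1400]: Failed password for root from 10.0.0.6 port 6000 ssh2
EOF
}

# Run against the sample. On a real system:
#   ssh_bruteforce_report 4 < /var/log/messages
sample_log | ssh_bruteforce_report 3
```

Only 10.0.0.5 is reported for the sample. The "no Accepted line from this address" condition is the loosest of the three and is what keeps a forgotten password on one account from being silently dropped; raise the threshold if that produces too much noise on a busy host. The reported addresses are the ones a DenyHosts-style tool would write into /etc/hosts.deny.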