Mailinglist Archive: opensuse-security (69 mails)

Re: [suse-security] Detecting Brute-Force and Dictionary attacks
  • From: "David C. Benham" <dcb@xxxxxxxxxxx>
  • Date: Tue, 31 Oct 2006 11:51:11 -0800 (PST)
  • Message-id: <1066.66.127.126.42.1162324271.squirrel@xxxxxxxxxxxxx>
If ssh is set to log, the attack will be very obvious. A quick cat
/var/log/message | grep "ssh" will make it very clear, although you will
need more going forward.

I'm getting killed by attacks that are virtually running all day long now.
My QUESTION: why doesn't the following iptables approach work?

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
state NEW recent: SET name: SSH side: source

LOG tcp -- anywhere anywhere tcp dpt:ssh
recent: UPDATE seconds: 60 hit_count: 4 TTL-Match name: SSH side: source
LOG level warning prefix `SSH_brute_force '

DROP tcp -- anywhere anywhere tcp dpt:ssh
recent: UPDATE seconds: 60 hit_count: 4 TTL-Match name: SSH side: source

Sorry for the formatting, it's really just 3 commands and iptables should
drop packets from the offending attacker, but it does not. I want an
iptables solution to this.

> Hi,
>
> You can start by checking the log files.
> I do not know if this can help but in my particular
> case I installed python and I run Denyhosts as a
> daemon, and that automates the tasks of detecting
> and preventing attacks.
> DenyHost checks the log files and if there is an
> attempt to brute force it places a line in
> /etc/hosts.deny.
> So some services running under tcpwrap can be very
> simply "controlled" in this manner.
> Also of great importance is to use in the sshd config
> the directives AllowUsers and DenyUsers.
> The "usual" targets are the very known system users
> like wwwrun, tomcat, root and so on.
> Those should be prevented from an external login.
> But of course your solution depends a bit on what is
> the purpose of that precise brute force monitoring ...
> and exact service you are monitoring ...
>
> Regards,
> Pedro Coelho
>
> --- Shashi Kanth Boddula <shashi.boddula@xxxxxxxxxx>
> wrote:
>
>> Hi All,
>>
>> I am looking for a good tool to detect brute-force
>> and dictionary attacks on user accounts on a Linux
>> system . The tool should also have the intelligence
>> to differentiate between user mistakes and actual
>> brute-force/dictionary attacks and reduce the false
>> positives. SLES9/SLES10 included security tools are
>> not helping in this case. The seccheck package
>> functionality is also not matching my requirement.
>>
>>
>> Please , anyone knows any third party security tool
>> or any opensource security tool which solves my
>> problem ?
>>
>>
>> Thanks & Regards,
>> Shashi Kanth,CISSP
>>
>>
>> --
>> Check the headers for your unsubscription address
>> For additional commands, e-mail:
>> suse-security-help@xxxxxxxx
>> Security-related bug reports go to security@xxxxxxx,
>> not here
>>
>>
>
>
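The rule set above is listed in the order iptables evaluates it, and that order is the problem: the first rule both records the source (recent: SET) and jumps to ACCEPT, so every NEW connection to port 22 is accepted before the two `--update ... --hitcount 4` rules are ever reached. The following Python is an added example, not code from the thread: it models the subset of netfilter's `recent` match that the rules use (`--set`, `--update --seconds 60 --hitcount 4 --rttl`, one named list) and runs a constructed trace of connection attempts through the chain as posted and through a reordered chain in which the `--set` rule has no target and ACCEPT comes after DROP. The iptables commands in the `fixed_order` docstring are the assumed equivalent of that reordered chain.

```python
"""Model of netfilter's `recent` match, enough to show why rule order matters.

Added example, not code from the thread. Only the options used in the post
(--set, --update --seconds N --hitcount H --rttl) are modelled; the real
xt_recent also caps stamps kept per address and has --reap/--remove.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Packet:
    src: str    # source address
    ttl: int    # IP TTL, compared by --rttl
    t: float    # seconds since the start of the trace
    new: bool   # conntrack state NEW (first SYN of a connection)


@dataclass
class RecentList:
    """One named list (name: SSH in the post), keyed by source address."""
    stamps: Dict[str, List[float]] = field(default_factory=dict)
    ttl: Dict[str, int] = field(default_factory=dict)

    def set(self, pkt):
        # --set: record the source and a hit timestamp; always matches.
        self.stamps.setdefault(pkt.src, []).append(pkt.t)
        self.ttl[pkt.src] = pkt.ttl
        return True

    def update(self, pkt, seconds, hitcount, rttl):
        # --update --seconds S --hitcount H [--rttl]: match when the source is
        # listed, has at least H hits in the last S seconds and (with --rttl)
        # arrives with the TTL seen when it was recorded; a match adds a hit.
        if pkt.src not in self.stamps:
            return False
        if rttl and self.ttl[pkt.src] != pkt.ttl:
            return False
        hits = sum(1 for s in self.stamps[pkt.src] if pkt.t - s <= seconds)
        if hits < hitcount:
            return False
        self.stamps[pkt.src].append(pkt.t)
        return True


# A rule is (match predicate, target); target None means no -j: the match
# only has its side effect and evaluation continues with the next rule.
def posted_order():
    """The three rules as listed in the post: the --set rule is also -j ACCEPT."""
    return [
        (lambda p, r: p.new and r.set(p), "ACCEPT"),
        (lambda p, r: r.update(p, 60, 4, True), "LOG"),
        (lambda p, r: r.update(p, 60, 4, True), "DROP"),
    ]


def fixed_order():
    """Same matches with no jump on --set and ACCEPT moved after the DROP.

    Assumed iptables equivalent (dpt 22, list SSH):
      iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
      iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
          --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
      iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
          --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
      iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    """
    return [
        (lambda p, r: p.new and r.set(p), None),
        (lambda p, r: p.new and r.update(p, 60, 4, True), "LOG"),
        (lambda p, r: p.new and r.update(p, 60, 4, True), "DROP"),
        (lambda p, r: p.new, "ACCEPT"),
    ]


def run_chain(rules, rl, pkt, log):
    """Walk the chain top to bottom; LOG is non-terminating."""
    for match, target in rules:
        if not match(pkt, rl):
            continue
        if target == "LOG":
            log.append(f"SSH_brute_force src={pkt.src} t={pkt.t:.0f}")
        elif target in ("ACCEPT", "DROP"):
            return target
    return "POLICY"  # fell off the end of the chain


def simulate(rules, packets):
    """Return (verdict per packet, LOG lines) for one run over a fresh list."""
    rl, log = RecentList(), []
    return [run_chain(rules, rl, p, log) for p in packets], log


# Constructed trace: six new SSH connections from one address 10 s apart,
# then one more from the same address 150 s after the last.
ATTACK = [Packet("203.0.113.7", 64, 10.0 * i, True) for i in range(6)]
LATER = ATTACK + [Packet("203.0.113.7", 64, 200.0, True)]

if __name__ == "__main__":
    for name, rules in (("posted", posted_order()), ("fixed", fixed_order())):
        verdicts, log = simulate(rules, LATER)
        print(f"{name} order: {' '.join(verdicts)} ({len(log)} LOG lines)")
```

With the posted order all seven attempts are accepted and nothing is logged; with the set rule stripped of its target and ACCEPT last, attempts one to three are accepted, four to six are logged and dropped, and the attempt 150 seconds later is accepted again because its hits have aged out of the 60 second window. The model also keeps the listing's omission of `--state NEW` on the LOG and DROP rules out of scope by feeding only NEW packets; on a real box those two rules would also see established traffic unless an earlier ESTABLISHED,RELATED rule catches it first.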

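Shashi's requirement, a detector that tells user mistakes apart from dictionary runs, and Pedro's DenyHosts approach of reading the log and writing /etc/hosts.deny entries can be illustrated together. The Python below is an added example, not DenyHosts' code and not anything posted in the thread: it parses syslog-style `sshd` "Failed password" / "Accepted password" lines of the form SLES writes to /var/log/messages, scores each source address on failures inside a sliding window, number of distinct user names and attempts on non-existent accounts, and treats a source whose failures end in a successful login for the same account as a typo rather than an attack. The sample log, the thresholds and the 2006 year attached to the syslog timestamps are all assumptions made for the example.

```python
"""Classify sshd authentication failures per source: mistake, watch or attack.

Added example, not code from the thread and not DenyHosts' own logic. It reads
syslog-style sshd lines of the form SLES writes to /var/log/messages and
emits hosts.deny entries for sources it classifies as attacks. Thresholds,
the 2006 year used for timestamps and the sample log are all assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

WINDOW_S = 600         # failures are counted inside a sliding 10 minute window
FAIL_THRESHOLD = 5     # this many failures in the window from one source
USER_THRESHOLD = 3     # or this many distinct user names tried
INVALID_THRESHOLD = 2  # or this many attempts on accounts that do not exist

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<verdict>Failed|Accepted) (?:password|publickey) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Constructed sample: a user who mistypes twice and then logs in, a dictionary
# run against well-known system accounts, and a single stray root attempt.
SAMPLE_LOG = """\
Oct 31 11:40:01 sles sshd[4101]: Failed password for dave from 192.0.2.5 port 40100 ssh2
Oct 31 11:40:09 sles sshd[4101]: Failed password for dave from 192.0.2.5 port 40100 ssh2
Oct 31 11:40:20 sles sshd[4101]: Accepted password for dave from 192.0.2.5 port 40100 ssh2
Oct 31 11:45:01 sles sshd[4188]: Failed password for invalid user oracle from 203.0.113.7 port 51234 ssh2
Oct 31 11:45:02 sles sshd[4190]: Failed password for invalid user test from 203.0.113.7 port 51235 ssh2
Oct 31 11:45:04 sles sshd[4192]: Failed password for root from 203.0.113.7 port 51236 ssh2
Oct 31 11:45:05 sles sshd[4194]: Failed password for wwwrun from 203.0.113.7 port 51237 ssh2
Oct 31 11:45:07 sles sshd[4196]: Failed password for tomcat from 203.0.113.7 port 51238 ssh2
Oct 31 11:45:08 sles sshd[4198]: Failed password for invalid user admin from 203.0.113.7 port 51239 ssh2
Oct 31 11:50:30 sles sshd[4250]: Failed password for root from 198.51.100.9 port 33001 ssh2
"""


def parse(lines):
    """Turn matching sshd lines into event dicts; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime("2006 " + m["ts"], "%Y %b %d %H:%M:%S"),
            "verdict": m["verdict"],
            "user": m["user"],
            "src": m["src"],
            "invalid": m["invalid"] is not None,
        })
    return events


def max_in_window(times, window_s):
    """Largest number of timestamps falling inside any window_s-second span."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def classify(events):
    """Map each source address to 'attack', 'mistake', 'watch' or 'ok'."""
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)
    verdicts = {}
    for src, evs in per_src.items():
        fails = [e for e in evs if e["verdict"] == "Failed"]
        if not fails:
            verdicts[src] = "ok"
            continue
        users = {e["user"] for e in fails}
        burst = max_in_window([e["ts"] for e in fails], WINDOW_S)
        invalid = sum(e["invalid"] for e in fails)
        # The same account succeeding from the same address after the failures
        # is the signature of a typo, not of a dictionary run.
        recovered = any(e["verdict"] == "Accepted" and e["user"] in users
                        and e["ts"] >= fails[-1]["ts"] for e in evs)
        if burst >= FAIL_THRESHOLD or len(users) >= USER_THRESHOLD or invalid >= INVALID_THRESHOLD:
            verdicts[src] = "attack"
        elif len(users) == 1 and recovered:
            verdicts[src] = "mistake"
        else:
            verdicts[src] = "watch"
    return verdicts


def hosts_deny_lines(verdicts):
    """tcp_wrappers entries, one per attacking source, as DenyHosts would add."""
    return [f"sshd: {src}" for src, v in sorted(verdicts.items()) if v == "attack"]


if __name__ == "__main__":
    v = classify(parse(SAMPLE_LOG.splitlines()))
    for src, label in sorted(v.items()):
        print(f"{src:15} {label}")
    print("\n".join(hosts_deny_lines(v)))
```

The "watch" label is deliberate: one failed root login is not enough to block a source, but it is exactly the traffic that DenyUsers/AllowUsers in sshd_config should be rejecting regardless of password, so those lines are worth reviewing by hand. Any sshd line the regex does not recognise (PAM-formatted failures, for instance) is skipped rather than guessed at, so the regex needs extending before the script is pointed at a real /var/log/messages.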
