LinuxQuestions.org
Old 07-18-2006, 02:05 AM   #16
Super7
Member
 
Registered: Mar 2006
Location: Oakville
Distribution: Mandrake
Posts: 37

Original Poster

I was working on installing snort, I am kind of confused on some of its features. If anyone knows how to install snort to report brute force attacks and add the user to hosts.deny please give me a heads up. Please and thanks.
 
Old 07-18-2006, 06:13 AM   #17
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
I was working on installing snort,
Does that mean you did all of the rest of installing, configuring and setting up ACL's already?

Quote:
If anyone knows how to install snort to report brute force attacks and add the user to hosts.deny please give me a heads up.
Brute force means repeated connections from one or more IP addresses. Snort can keep track of those using threshold and tracking. Here's an event thresholding example from the Snort 2.6.0 manual, logging 1 event every 60 secs if at least 10 events are found:

Code:
alert tcp $external_net any -> $http_servers $http_ports \
    (msg:"web-misc robots.txt access"; flow:to_server, established; \
    uricontent:"/robots.txt"; nocase; reference:nessus,10302; \
    classtype:web-application-activity; threshold: type both , track \
    by_dst, count 10 , seconds 60 ; sid:1000852; rev:1;)
This gets you the logging part. Snort is an IDS and can't take action itself (yes it can but I'm not getting into that), for that you add a 3rd party app. BTW, hosts.deny is not the most efficient place for restricting access. If you for instance use Guardian then you can have it add temporary firewall rules.
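The two halves described above (Snort's `threshold: type both` counting, and a separate program that turns the resulting alerts into a block) as an added, self-contained example; this is not code from the thread, from Snort or from Guardian. It parses Snort's `alert_fast` log format, reproduces the "type both" semantics (fire once per window after `count` events, ignore the rest of the window) tracked by source address rather than the manual's `by_dst`, and emits `hosts.deny` lines. The sample alert lines, the sid 1000001, the addresses and the `sshd` service name are all constructed placeholders.

```python
import re
from datetime import datetime

# Regex for one line of Snort's alert_fast output, e.g.
# 07/18-02:05:27.000000  [**] [1:1000001:1] msg [**] [Priority: 2] {TCP} 192.0.2.10:40009 -> 198.51.100.5:22
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$'
)


def parse_alert(line, year=2006):
    """Parse one alert_fast line into a dict, or return None if it does not match.
    alert_fast timestamps carry no year, so the caller supplies one."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"time": when, "sid": m["sid"], "msg": m["msg"],
            "src": m["src"], "dst": m["dst"]}


def threshold_both(events, count, seconds, track="src"):
    """Snort 'threshold: type both' per (sid, tracked address): the window opens on the
    first event, the alert fires once when `count` events have been seen inside it,
    and further events in that window are ignored. Events must be in time order."""
    windows = {}   # (sid, address) -> [window_start, events_seen, already_fired]
    fired = []
    for ev in events:
        key = (ev["sid"], ev[track])
        start, seen, done = windows.get(key, (None, 0, False))
        if start is None or (ev["time"] - start).total_seconds() >= seconds:
            start, seen, done = ev["time"], 0, False   # open a new window
        seen += 1
        if seen >= count and not done:
            fired.append((key, ev["time"]))
            done = True
        windows[key] = (start, seen, done)
    return fired


def hosts_deny_lines(fired, service="sshd"):
    """One 'daemon : client' line per blocked address (tcp_wrappers hosts.deny syntax).
    The service name is an assumption; hosts.deny only affects wrapper-aware daemons."""
    return sorted({f"{service}: {addr}" for (_sid, addr), _when in fired})


def _fast_line(ts, src, sport, dst="198.51.100.5", dport=22):
    # Constructed alert_fast line; sid 1000001 is a placeholder, not a real rule.
    return (f"{ts}  [**] [1:1000001:1] EXAMPLE ssh connection burst [**] "
            f"[Classification: attempted-recon] [Priority: 2] {{TCP}} "
            f"{src}:{sport} -> {dst}:{dport}")


# Constructed sample log: 12 hits from 192.0.2.10 in 33 s, 3 hits from 192.0.2.20 in the
# same minute (below threshold), then 10 more from 192.0.2.10 three minutes later.
SAMPLE_ALERTS = (
    [_fast_line(f"07/18-02:05:{3 * i:02d}.000000", "192.0.2.10", 40000 + i) for i in range(12)]
    + [_fast_line(f"07/18-02:05:{10 * i + 1:02d}.000000", "192.0.2.20", 50000 + i) for i in range(3)]
    + [_fast_line(f"07/18-02:08:{2 * i:02d}.000000", "192.0.2.10", 41000 + i) for i in range(10)]
)

EVENTS = sorted((e for e in map(parse_alert, SAMPLE_ALERTS) if e), key=lambda e: e["time"])
FIRED = threshold_both(EVENTS, count=10, seconds=60)   # same count/seconds as the manual's rule
DENY = hosts_deny_lines(FIRED)

if __name__ == "__main__":
    for (sid, addr), when in FIRED:
        print(f"{when} sid {sid}: threshold reached by {addr}")
    print("\n".join(DENY))
```

With `track="dst"` the same function reproduces the manual's `by_dst` behaviour, where hits from every client to one server are counted together; for brute force against a single host that is usually not what you want, which is why the example defaults to the source address. Writing the lines into `/etc/hosts.deny` (or, as suggested above, handing the address to a tool that inserts a temporary firewall rule) is left to the caller so the thresholding logic can be tested on its own.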