I was working on installing snort,
Does that mean you did all of the rest of installing, configuring and setting up ACLs already?
If anyone knows how to install snort to report brute force attacks and add the user to hosts.deny please give me a heads up.
Brute force means repeated connections from one or more IP addresses. Snort can keep track of those using threshold and tracking. Here's an event thresholding example from the Snort 2.6.0 manual, logging 1 event every 60 secs if at least 10 events are found:
Code:
alert tcp $external_net any -> $http_servers $http_ports \
(msg:"web-misc robots.txt access"; flow:to_server, established; \
uricontent:"/robots.txt"; nocase; reference:nessus,10302; \
classtype:web-application-activity; threshold: type both , track \
by_dst, count 10 , seconds 60 ; sid:1000852; rev:1;)
This gets you the logging part. Snort is an IDS and can't take action itself (yes it can but I'm not getting into that), for that you add a 3rd party app. BTW, hosts.deny is not the most efficient place for restricting access. If you for instance use Guardian then you can have it add temporary firewall rules.
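To make the threshold clause in the rule above concrete, here is an added example (not from this thread or from the Snort project) that models Snort 2.x event thresholding as the manual describes it, `type limit|threshold|both` with `track by_src|by_dst`, and runs it over a constructed burst of connection events. The event list, addresses and timestamps are made up for illustration; the model follows the manual's wording, not Snort's internal implementation.

```python
# Added example (not from the original thread): a small model of Snort 2.x event
# thresholding ("threshold: type <limit|threshold|both>, track <by_src|by_dst>,
# count c, seconds s") run over constructed events, to show which of a burst of
# connections would actually be logged.  Event tuples are (time_seconds, src, dst).

EVENTS = sorted(
    [(t, "203.0.113.7", "192.0.2.10") for t in range(0, 24, 2)]  # 12 hits in 22 s
    + [(5, "198.51.100.3", "192.0.2.10"),                         # one unrelated client
       (70, "203.0.113.7", "192.0.2.10")]                        # hit after window expiry
)

class Threshold:
    """Per-address counters for one rule's threshold clause."""
    def __init__(self, kind, track, count, seconds):
        if kind not in ("limit", "threshold", "both") or track not in ("by_src", "by_dst"):
            raise ValueError("bad threshold clause")
        self.kind, self.track, self.count, self.seconds = kind, track, count, seconds
        self.windows = {}  # tracked address -> [window_start, events_seen_in_window]

    def should_log(self, ts, src, dst):
        key = src if self.track == "by_src" else dst
        win = self.windows.get(key)
        if win is None or ts - win[0] >= self.seconds:
            win = self.windows[key] = [ts, 0]       # new interval starts at this event
        win[1] += 1
        n = win[1]
        if self.kind == "limit":       # log the first `count` events of the interval
            return n <= self.count
        if self.kind == "threshold":   # log every `count`-th event in the interval
            return n % self.count == 0
        return n == self.count         # both: log once per interval, after `count` events

def logged_times(kind, track, count=10, seconds=60, events=EVENTS):
    """Timestamps of the events that a rule with this threshold clause would log."""
    th = Threshold(kind, track, count, seconds)
    return [ts for ts, src, dst in events if th.should_log(ts, src, dst)]

if __name__ == "__main__":
    # The manual's clause from the post above (type both, by_dst, 10 in 60 s):
    print("both/by_dst :", logged_times("both", "by_dst"))   # [16]
    print("both/by_src :", logged_times("both", "by_src"))   # [18]
    print("limit/by_dst, count 3:", logged_times("limit", "by_dst", count=3))
```

With `type both` the 12-hit burst produces a single logged event per 60 s window, which is the behaviour you want before handing the alert to a blocking tool such as Guardian.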