
Best Defense Against Dictionary Attacks

New to Unix Apache

3:37 pm on Apr 5, 2006 (gmt 0)

Junior Member

10+ Year Member

joined:Oct 21, 2003
posts:158
votes: 0


I am beginning to receive frequent dictionary attacks on a box I host. I am new to Unix and would like to hear the best defense against these types of attacks.

Obviously I would begin by blocking the IP. Should I create a script to temporarily block an IP for, say, 24 hours if an attempt to log in fails three times from the same IP?

What do you guys/gals do in these cases?

Thank you for replies.

7:24 pm on Apr 10, 2006 (gmt 0)

New User

10+ Year Member

joined:Mar 30, 2006
posts:12
votes: 0


I'm using snort-inline to inject fw rules based on IDS / IPS signatures... you may also be interested in it as it's a real-time solution...

You could also use iptables to drop an IP block after a certain IP or TTL attempt has happened, set your passwords to some insane 20-char alphanumeric password...

What service is being attacked? SSH? FTP? HTTP?

DenyHosts is what I am using for SSH...

For local shell access you could look into port knocking as a deterrent...

Daemon Shield may be your best friends here, it will monitor syslog for too many login attempts...

OF COURSE disable root login ability.
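The script asked about in the opening post, done the way the iptables suggestion above implies. This is an added example, not code from either poster: it reads OpenSSH "Failed password ... from <ip> port" lines from an auth log, counts failures per source address, and emits an iptables DROP rule for any address that reaches three failures, plus a delayed rule removal 24 hours later. The threshold, the ban length, the log lines (constructed, not real traffic) and the default dry-run mode are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Counts failed sshd logins per
# source address in syslog-format auth log lines and emits iptables rules
# for any address with THRESHOLD or more failures, plus a delayed unblock.
# The threshold (3) and ban length (24h) are taken from the question; the
# log format assumes OpenSSH's "Failed password ... from <ip> port" lines.
THRESHOLD=3
BAN_SECONDS=86400        # 24 hours
DRY_RUN=${DRY_RUN:-1}    # 1 = print the commands instead of running them

# Constructed sample of an auth log (no real traffic): one address fails
# three times, another fails once, and one key login succeeds.
sample_log() {
    cat <<'EOF'
Apr  5 15:01:02 host sshd[2011]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Apr  5 15:01:05 host sshd[2011]: Failed password for invalid user oracle from 198.51.100.7 port 40130 ssh2
Apr  5 15:01:09 host sshd[2011]: Failed password for root from 198.51.100.7 port 40140 ssh2
Apr  5 15:02:11 host sshd[2020]: Failed password for bob from 203.0.113.9 port 51000 ssh2
Apr  5 15:03:00 host sshd[2025]: Accepted publickey for alice from 192.0.2.4 port 6000 ssh2
EOF
}

# Read log lines on stdin; print "<count> <ip>" for each source address
# with at least THRESHOLD failed password attempts.
offenders() {
    grep 'sshd\[[0-9]*\]: Failed password' |
    sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
    sort | uniq -c |
    awk -v t="$THRESHOLD" '$1 >= t { print $1, $2 }'
}

# Block one address on the SSH port and schedule the rule's removal after
# BAN_SECONDS. In dry-run mode the commands are printed, not executed.
block_ip() {
    ip=$1
    add="iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
    del="iptables -D INPUT -s $ip -p tcp --dport 22 -j DROP"
    if [ "$DRY_RUN" = 1 ]; then
        echo "$add"
        echo "(sleep $BAN_SECONDS; $del) &"
    else
        $add
        (sleep "$BAN_SECONDS"; $del) &
    fi
}

# Full pipeline: log on stdin -> offenders -> block each one.
ban_offenders() {
    offenders | while read -r count ip; do
        block_ip "$ip"
    done
}

# Demo on the constructed log. On a real host feed the actual log instead:
#   DRY_RUN=0 ban_offenders < /var/log/auth.log   (or /var/log/secure)
sample_log | ban_offenders
```

Two caveats before running it for real: whitelist your own address first, since a typo in your own password three times locks you out too; and the background `sleep` that lifts the ban, like the iptables rule itself, does not survive a reboot, so a cron-driven version needs its own state file. DenyHosts, mentioned above, keeps that state for you.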

7:30 pm on Apr 10, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 25, 2004
posts:2156
votes: 0


Hi,

1a) Obviously make sure that your passwords are good and enforce password creation rules.

1b) Use unusual account names if you can.

1c) Forbid direct root logins if you can.

2) If you have anything which limits the number of attempts per unit time on any one account or from any one remote address then turn it on. SSH has some of this out of the box for example.

3) If you can limit which accounts have remote login access at all, then do. Root should not have direct remote access, i.e. an attacker has to break into at least 2 accounts rather than 1 to do anything really bad.

4) Insist on private/public keys for remote access, e.g. with SSH, if possible, which more-or-less eliminates the whole notion of a dictionary attack. I do that for most of my remote servers.

YMMV, etc...

Rgds

Damon
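Points 1c, 2, 3 and 4 above all map onto sshd_config keywords, so here is a small audit script for them, added as an example and not part of Damon's post. It reads a config file the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, comments skipped) and reports any of: root login permitted, password authentication still on (including via PAM's keyboard-interactive path), MaxAuthTries unset or above 3, and no AllowUsers/AllowGroups list. Treating a missing keyword as the permissive default matches older OpenSSH and is an assumption; the two configs it audits are constructed, not taken from a real host, and Match blocks are not handled.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits an sshd_config against
# the points above: no direct root login, key-only authentication, a low
# per-connection attempt limit, and an explicit list of remote accounts.
# Assumes older OpenSSH defaults for missing keywords (PermitRootLogin yes,
# PasswordAuthentication yes, MaxAuthTries 6). Match blocks are ignored.

# Effective value of a keyword in file $2: sshd uses the first occurrence,
# keywords are case-insensitive, and comment/blank lines are skipped.
sshd_opt() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$2"
}

# Print one line per weak or missing setting in the file named by $1;
# prints nothing for a config that passes every check.
audit_sshd_config() {
    cfg=$1
    v=$(sshd_opt PermitRootLogin "$cfg")
    [ "$v" = no ] || echo "PermitRootLogin is '${v:-unset}': set PermitRootLogin no"
    v=$(sshd_opt PasswordAuthentication "$cfg")
    [ "$v" = no ] || echo "PasswordAuthentication is '${v:-unset}': set it to no and use keys (PubkeyAuthentication yes)"
    v=$(sshd_opt ChallengeResponseAuthentication "$cfg")
    [ "$v" = no ] || echo "ChallengeResponseAuthentication is '${v:-unset}': set it to no, or PAM can still prompt for a password"
    v=$(sshd_opt MaxAuthTries "$cfg")
    if [ -z "$v" ] || [ "$v" -gt 3 ]; then
        echo "MaxAuthTries is '${v:-unset}': set MaxAuthTries 3 or lower"
    fi
    if [ -z "$(sshd_opt AllowUsers "$cfg")" ] && [ -z "$(sshd_opt AllowGroups "$cfg")" ]; then
        echo "no AllowUsers/AllowGroups: list the accounts that may log in remotely"
    fi
    return 0
}

# Constructed configs (not from any real host): a permissive one as many
# distributions shipped it, and the hardened version.
weak_config() {
    cat <<'EOF'
# permissive sshd_config (constructed example)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF
}

hardened_config() {
    cat <<'EOF'
# hardened sshd_config (constructed example)
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
AllowUsers alice bob
EOF
}

# Write both constructed configs to temp files and audit each.
demo() {
    weak=$(mktemp) && hard=$(mktemp) || return 1
    weak_config > "$weak"; hardened_config > "$hard"
    echo "== weak config =="; audit_sshd_config "$weak"
    echo "== hardened config (no findings expected) =="; audit_sshd_config "$hard"
    rm -f "$weak" "$hard"
}

demo
# For a live host: audit_sshd_config /etc/ssh/sshd_config, fix the findings,
# run `sshd -t` to syntax-check, and keep your current session open while
# you confirm key login works from a second one before restarting sshd.
```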

2:47 pm on Apr 11, 2006 (gmt 0)

Junior Member

10+ Year Member

joined:Oct 21, 2003
posts:158
votes: 0


Thank you for the replies I will look into all of these suggestions.

Already in place are good passwords, weird user names and frequent changing (30 days) of passwords.
