You are not logged in.
- Topics: Active | Unanswered
#1 2013-03-20 06:30:29
- jrussell
- Member
- From: Cape Town, South Africa
- Registered: 2012-08-16
- Posts: 510
[solved] Mitigate/prevent local brute force attack
Hi, recently someone got into my server by logging on as a standard user which was not too serious, but I only noticed this because I got suspicious when I saw that user running httpd. So in the bash_history file for that user, I saw that they downloaded a brute force program and were using cron to schedule this program, I didn't have cronie running so that was fine.
But my question is, how can I prevent someone from just trying su $username a million times locally? I read up in a wiki somewhere how to ban a user for X minutes after Y failed login attempts with Pam, but su is not effected by this, any help?
So far I have that user ban inplace (I think the conf is in /etc/pam/system-login), plus some iptables rules to prevent ssh brute force attacks.
Thanks
Last edited by jrussell (2013-05-12 18:43:07)
bitcoin: 1G62YGRFkMDwhGr5T5YGovfsxLx44eZo7U
Offline
#2 2013-03-20 06:40:55
- progandy
- Member
- Registered: 2012-05-17
- Posts: 5,190
Re: [solved] Mitigate/prevent local brute force attack
su uses the settings from /etc/pam.d/su. You'll have to add the references to your security modules there.
PS: You should at least add the login delay for su, su-l and sudo.
Last edited by progandy (2013-03-20 06:48:10)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
#3 2013-03-20 09:29:44
- jrussell
- Member
- From: Cape Town, South Africa
- Registered: 2012-08-16
- Posts: 510
Re: [solved] Mitigate/prevent local brute force attack
su uses the settings from /etc/pam.d/su. You'll have to add the references to your security modules there.
PS: You should at least add the login delay for su, su-l and sudo.
Thanks, I still cant find anything which shows me how to do it, will continue to google
bitcoin: 1G62YGRFkMDwhGr5T5YGovfsxLx44eZo7U
Offline
#4 2013-03-20 10:10:15
- progandy
- Member
- Registered: 2012-05-17
- Posts: 5,190
Re: [solved] Mitigate/prevent local brute force attack
You could add pam_warn (log access), pam_faildelay (longer delay after failure), pam_abl (from AUR, for brute force block)
http://www.ducea.com/2006/06/29/using-p … e-attacks/
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
#5 2013-05-12 18:42:56
- jrussell
- Member
- From: Cape Town, South Africa
- Registered: 2012-08-16
- Posts: 510
Re: [solved] Mitigate/prevent local brute force attack
Found a solution, I edited the wiki:
Just created some iptable rules to watch ssh port fro new connections from IPs.
https://wiki.archlinux.org/index.php/Si … ce_attacks
Last edited by jrussell (2013-05-12 18:43:38)
bitcoin: 1G62YGRFkMDwhGr5T5YGovfsxLx44eZo7U
Offline