
#1 2013-03-20 06:30:29

jrussell
Member
From: Cape Town, South Africa
Registered: 2012-08-16
Posts: 510

[solved] Mitigate/prevent local brute force attack

Hi, recently someone got into my server by logging on as a standard user which was not too serious, but I only noticed this because I got suspicious when I saw that user running httpd. So in the bash_history file for that user, I saw that they downloaded a brute force program and were using cron to schedule this program, I didn't have cronie running so that was fine.

But my question is, how can I prevent someone from just trying su $username a million times locally? I read up in a wiki somewhere how to ban a user for X minutes after Y failed login attempts with PAM, but su is not affected by this, any help?

So far I have that user ban in place (I think the conf is in /etc/pam/system-login), plus some iptables rules to prevent ssh brute force attacks.

Thanks

Last edited by jrussell (2013-05-12 18:43:07)


bitcoin: 1G62YGRFkMDwhGr5T5YGovfsxLx44eZo7U


#2 2013-03-20 06:40:55

progandy
Member
Registered: 2012-05-17
Posts: 2,151

Re: [solved] Mitigate/prevent local brute force attack

su uses the settings from /etc/pam.d/su. You'll have to add the references to your security modules there.
PS: You should at least add the login delay for su, su-l and sudo.

Last edited by progandy (2013-03-20 06:48:10)


#3 2013-03-20 09:29:44

jrussell
Member
From: Cape Town, South Africa
Registered: 2012-08-16
Posts: 510

Re: [solved] Mitigate/prevent local brute force attack

progandy wrote:

su uses the settings from /etc/pam.d/su. You'll have to add the references to your security modules there.
PS: You should at least add the login delay for su, su-l and sudo.

Thanks, I still can't find anything which shows me how to do it, will continue to google.




#4 2013-03-20 10:10:15

progandy
Member
Registered: 2012-05-17
Posts: 2,151

Re: [solved] Mitigate/prevent local brute force attack

You could add pam_warn (log access), pam_faildelay (longer delay after failure), pam_abl (from AUR, for brute force block)
http://www.ducea.com/2006/06/29/using-p … e-attacks/
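Added example (not from the thread or the linked article): a su auth stack with pam_warn and pam_faildelay added, plus a POSIX sh check that su, su-l and sudo all carry a failure delay, as progandy recommends above. It assumes Arch's /etc/pam.d layout and a 4-second delay; pam_faildelay's delay= value is in microseconds.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: Arch's /etc/pam.d layout and
# a 4-second delay; pam_faildelay's delay= value is in microseconds.
set -eu

# Constructed sample: the auth stack of /etc/pam.d/su with pam_warn (log every
# attempt to syslog) and pam_faildelay (slow down each failed attempt) added.
HARDENED_SU='#%PAM-1.0
auth      sufficient  pam_rootok.so
auth      required    pam_warn.so
auth      optional    pam_faildelay.so delay=4000000
auth      required    pam_unix.so
account   required    pam_unix.so
session   required    pam_unix.so'

# Print the delay (microseconds) from the pam_faildelay auth line of one PAM
# service file, skipping commented-out lines; exit 1 if there is none.
pam_faildelay_us() {
    awk '$1 == "auth" && $3 == "pam_faildelay.so" {
             for (i = 4; i <= NF; i++)
                 if ($i ~ /^delay=/) { sub("delay=", "", $i); print $i; found = 1 }
         }
         END { exit found ? 0 : 1 }' "$1"
}

# Audit the three services post #2 names; returns how many lack a delay.
audit_pam_dir() {
    dir=$1; missing=0
    for svc in su su-l sudo; do
        if us=$(pam_faildelay_us "$dir/$svc" 2>/dev/null); then
            echo "$svc: failure delay ${us}us"
        else
            echo "$svc: no pam_faildelay line"; missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage: sh thisfile.sh /etc/pam.d  (exit status = number of unprotected services)
if [ $# -gt 0 ]; then audit_pam_dir "$1"; fi
```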


#5 2013-05-12 18:42:56

jrussell
Member
From: Cape Town, South Africa
Registered: 2012-08-16
Posts: 510

Re: [solved] Mitigate/prevent local brute force attack

Found a solution, I edited the wiki:
Just created some iptables rules to watch the ssh port for new connections from IPs.
https://wiki.archlinux.org/index.php/Si … ce_attacks

Last edited by jrussell (2013-05-12 18:43:38)



