Re: [psad-discuss] Brute force attacks and statistics
From: Franck J. <fra...@dt...> - 2009-03-22 21:23:21
|
Eli Wapniarski wrote: > On Sunday 22 March 2009 21:15:47 Franck Joncourt wrote: >> Hi, Hi, >>> With the brute force attack detectors, you can set up a whitelist >>> not blocking IPs that you trust. >> Psad already handles that through the auto_dl file. > > An attempt to login, successful or otherwise, to your ftp server is > legitimate traffic. Psad, from my understanding is not designed to > handle brute force attempts to guess passwords. Psad can be > configured to allow certain types of traffic normally considered a > probe (ie ping, trying to access a closed port, etc). Even so, the > number of, lets say pings to a server, would be configured relatively > high. Brute force guesses of passwords should be configured > relatively low. There is a big difference between the types of > traffic. And should be handled differently. That is why I use psad from the command line :) Right now, I have setup fail2ban to run psad when a brute force attack is detected. I use the AUTO_IDS feature automaticaly through external scripts. psad --fw-block-ip a.b.c.d then psad removes this ip from my ruleset when the timeout setup in psad.conf expires. Adding an entry in the auto_dl file with a danger level of 0 for trusted ips, make it impossible to add a DROP rule to my ruleset against these ips. Using psad this way, I am also able to get email alerts against brute force attacks. Should I avoid working this way? Regards, -- Franck Joncourt http://debian.org - http://smhteam.info/wiki/ |