Re: [psad-discuss] Brute force attacks and statistics
From: Eli W. <el...@or...> - 2009-03-23 05:20:32
On Sunday 22 March 2009 23:22:55 Franck Joncourt wrote:
> Eli Wapniarski wrote:
> > On Sunday 22 March 2009 21:15:47 Franck Joncourt wrote:
> >> Hi,
> >
> > Hi,
> >
> >>> With the brute force attack detectors, you can set up a whitelist
> >>> not blocking IPs that you trust.
> >
> >> Psad already handles that through the auto_dl file.
> >
> > An attempt to login, successful or otherwise, to your ftp server is
> > legitimate traffic. Psad, from my understanding, is not designed to
> > handle brute force attempts to guess passwords. Psad can be
> > configured to allow certain types of traffic normally considered a
> > probe (i.e. ping, trying to access a closed port, etc.). Even so, the
> > number of, let's say, pings to a server would be configured relatively
> > high. Brute force guesses of passwords should be configured
> > relatively low. There is a big difference between the types of
> > traffic, and they should be handled differently.
>
> That is why I use psad from the command line :)
>
> Right now, I have set up fail2ban to run psad when a brute force attack
> is detected. I use the AUTO_IDS feature automatically through external
> scripts.
>
> psad --fw-block-ip a.b.c.d
>
> then psad removes this IP from my ruleset when the timeout set up in
> psad.conf expires.
>
> Adding an entry in the auto_dl file with a danger level of 0 for trusted
> IPs makes it impossible to add a DROP rule to my ruleset against these IPs.
>
> Using psad this way, I am also able to get email alerts against brute
> force attacks.
>
> Should I avoid working this way?

I just scanned the documentation, and I see that fail2ban is quite capable of notifying you of its activity. So the questions are: Why do you want to work this hard? And why would you have your computer do extra work (no matter how trivial) when you and it don't need to?

What you can do is filter your incoming email to stick PSAD alerts in one folder and mail coming from fail2ban in another. You wouldn't need to keep track of the logs. These programs will do it for you. You can just monitor your email, if you want to.

Eli

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
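An added example (not from this thread, and not psad's or fail2ban's own code) of the glue Franck describes: a POSIX sh wrapper that a fail2ban action could run instead of calling `psad --fw-block-ip` directly, so that only a well-formed address that is not listed as trusted (danger level 0 in an auto_dl-style file) ever reaches psad. It assumes fail2ban passes the offending address as the first argument, matches whitelist entries exactly (no CIDR handling), and uses a hypothetical PSAD_AUTO_DL variable to override the file path.

```shell
#!/bin/sh
# Constructed example: gate between a fail2ban action and "psad --fw-block-ip".
# Assumption: fail2ban passes the offending address as $1. The whitelist is a
# psad auto_dl-style file ("ip  level;"), matched exactly (no CIDR handling);
# PSAD_AUTO_DL is a hypothetical override of the file location.
WHITELIST="${PSAD_AUTO_DL:-/etc/psad/auto_dl}"

# Accept only a plain dotted-quad IPv4 address with every octet in 0-255, so
# nothing but an address is ever handed to the firewall command.
valid_ipv4() {
    ip="$1"
    case "$ip" in *[!0-9.]*|"") return 1 ;; esac
    old_ifs="$IFS"; IFS=.
    set -- $ip
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Return 0 when $1 is listed in whitelist file $2 with danger level 0 (trusted).
# auto_dl lines look like "a.b.c.d  0;" and "#" starts a comment.
is_trusted() {
    ip="$1"; file="$2"
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"
        set -- $line
        [ $# -ge 2 ] || continue
        [ "$1" = "$ip" ] && [ "${2%;}" = "0" ] && return 0
    done < "$file"
    return 1
}

# Gate: 0 = hand the address to psad, 1 = trusted (skip), 2 = malformed input.
decide() {
    addr="$1"; list="$2"
    valid_ipv4 "$addr" || { echo "refusing malformed address: $addr" >&2; return 2; }
    is_trusted "$addr" "$list" && { echo "skipping trusted address $addr"; return 1; }
    return 0
}

# fail2ban entry point: block only after both checks pass.
if [ -n "${1:-}" ]; then
    decide "$1" "$WHITELIST" && psad --fw-block-ip "$1"
fi
```

Unblocking is left to psad itself, which (as described above) removes the rule when the psad.conf timeout expires.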