>> I want to detect brute-force password hacking attacks - thus if there
>> are too many failed login attempts for a SIP account I want to "lock"
>> this account.
>
>> Does somebody have any ideas how this could be implemented?
The usual method (I think) is to monitor the log files, and detect repeated patterns of suspicious actions occurring within a given period of time. A program such as logwatch (www.logwatch.org) might work, or you could write something in Perl. If you're logging via syslog, you can have syslog write new messages into a pipe as well as into a log file, and thus parse and evaluate new messages immediately with no buffering delay.

> Bad plan? Could quite easily turn into a DoS.

If the reaction is to lock the account, I agree, it might leave you prone to a denial-of-service attack. A better way would be to use iptables to start dropping packets from the IP address(es) involved in the attack... this will still allow the legitimate user of the account to access it.

The block-IP-address-only method won't defend effectively against a "slow scan" botnet-based crack attempt, where each password-guessing attempt comes from a different IP address in the botnet. A lot of current SSH password-guess probes are of this sort. I don't think there's any terribly good defense against this except to select *good* passwords - e.g. 20 or more alphanumeric characters selected by a good random-number generator.

To be pro-active, I'd suggest that you acquire a password quality-evaluation program (the Perl Data::Password class from CPAN might be a useful starting point) and check the password quality of all of your SIP accounts. Require a password change for any password of unacceptably low quality.

--
asterisk-users mailing list
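Added example, not code from anyone in this thread: a small Python log monitor that does what the reply describes, counting failed SIP registrations inside a sliding time window. It keeps two counters, one per source IP (the case where dropping the address with iptables is the right reaction) and one per account, and only raises the per-account alert when the failures come from several different addresses, which is the "slow scan" pattern the reply says IP blocking misses. The log lines are constructed in the style of Asterisk chan_sip "Registration from ... failed for ..." NOTICEs; the exact wording differs between Asterisk versions, so the regex, the 60-second window and the thresholds are all assumptions to adjust for a real installation. The per-account alert deliberately recommends an audit rather than a lock, for the DoS reason given above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, modelled on Asterisk chan_sip NOTICE lines (assumption:
# real installations may phrase these differently). First block: one address
# hammering account 1001; second block: account 2002 probed once each from
# five different addresses, spread over 40 seconds.
SAMPLE_LOG = """\
[Jan 10 12:00:01] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Jan 10 12:00:02] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Jan 10 12:00:03] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Jan 10 12:00:04] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Jan 10 12:00:05] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Jan 10 12:01:00] NOTICE[1234] chan_sip.c: Registration from '"2002" <sip:2002@192.0.2.10>' failed for '198.51.100.1' - Wrong password
[Jan 10 12:01:10] NOTICE[1234] chan_sip.c: Registration from '"2002" <sip:2002@192.0.2.10>' failed for '198.51.100.2' - Wrong password
[Jan 10 12:01:20] NOTICE[1234] chan_sip.c: Registration from '"2002" <sip:2002@192.0.2.10>' failed for '198.51.100.3' - Wrong password
[Jan 10 12:01:30] NOTICE[1234] chan_sip.c: Registration from '"2002" <sip:2002@192.0.2.10>' failed for '198.51.100.4' - Wrong password
[Jan 10 12:01:40] NOTICE[1234] chan_sip.c: Registration from '"2002" <sip:2002@192.0.2.10>' failed for '198.51.100.5' - Wrong password
"""

# Regex for the constructed format above: timestamp, account name, source IP.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '\"?(?P<account>[^\"<' ]+)\"?[^']*' failed for "
    r"'(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$"
)

WINDOW = timedelta(seconds=60)   # sliding window length (assumption)
IP_THRESHOLD = 5                 # failures from one IP inside the window
ACCOUNT_THRESHOLD = 5            # failures against one account inside the window
SLOW_SCAN_MIN_IPS = 3            # distinct sources needed to call it distributed


def parse_line(line):
    """Return (timestamp, account, source_ip) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Asterisk timestamps carry no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used here.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("account"), m.group("ip")


def analyse(log_text):
    """Return a list of (action, subject) alerts in the order they trigger."""
    per_ip = defaultdict(deque)        # ip -> timestamps inside the window
    per_account = defaultdict(deque)   # account -> (timestamp, ip) inside the window
    alerts = []
    fired = set()                      # suppress repeats of the same alert
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, account, ip = parsed

        # Per-source counter: many failures from one address -> firewall candidate.
        q = per_ip[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= IP_THRESHOLD and ("ip", ip) not in fired:
            fired.add(("ip", ip))
            alerts.append(("block-ip", ip))

        # Per-account counter: many failures from *different* addresses is the
        # slow-scan case; alert for a password audit instead of locking.
        qa = per_account[account]
        qa.append((ts, ip))
        while qa and ts - qa[0][0] > WINDOW:
            qa.popleft()
        distinct_sources = {src for _, src in qa}
        if (len(qa) >= ACCOUNT_THRESHOLD
                and len(distinct_sources) >= SLOW_SCAN_MIN_IPS
                and ("account", account) not in fired):
            fired.add(("account", account))
            alerts.append(("audit-account", account))
    return alerts


if __name__ == "__main__":
    for action, subject in analyse(SAMPLE_LOG):
        print(action, subject)
```

Run against the sample, the single-source burst against 1001 produces only a block-ip alert for 203.0.113.5 (five failures, one address, so no per-account alert), while the five single attempts against 2002 never trip the per-IP counter but do raise the audit-account alert once the fifth distinct address appears inside the window. Feeding the script from a syslog pipe, as the reply suggests, means replacing `SAMPLE_LOG.splitlines()` with a loop over stdin; the window bookkeeping is the same.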