Do you think you have been cracked? Someone has been trying to guess usernames and passwords for days on end. How do you know if they have? How do you find out who they are?
What can you do about it?
The first thing is detecting the attack: how can you find a Mal if you don't know they are there?
Signs of an attack: 1. Log files. You have to have something watching your log files to see if there is an attack. And that something had better not be human, as humans don't like boring jobs and find ways of not doing them.
You need an IDS (Intrusion Detection System) that reads all of your logs and tells you when suspicious activity happens.
How? Well, if someone tries to log in a number of times, they either forgot their login credentials (I do all the time, early signs of Alzheimer's?) or they are trying to break in (crack your system, hence cracker). If they are trying to break in, your IDS will catch them. For system and network logins, email, and most other services you can also set a maximum number of login attempts (usually 3, but you can set this) before that username is timed out for a specific period.
If the user then starts trying other names, then after a number of different names have been tried unsuccessfully from that location, block the IP for a while. Your IDS can do all of this if you want it to, and it can alert you so you can watch as the attack unfolds or do something about it.
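To make the two rules above concrete, here is an added example (not code from the original post) that reads a handful of constructed sshd-style "Failed password" log lines and raises the two alerts described: lock a username after 3 failures, and block a source IP once it has failed against 3 different usernames. The log format, the thresholds and the sample addresses are all assumptions chosen for illustration.

```python
"""Toy brute-force detector over auth-log lines (added example, not the post's own code)."""
import re
from collections import defaultdict

# Assumed sshd-style "Failed password" line; real deployments should match the
# exact format their daemon emits.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

MAX_FAILS_PER_USER = 3   # lock the username after this many failures
MAX_USERS_PER_IP = 3     # block the IP after it has failed against this many usernames


def analyze(lines, max_fails_per_user=MAX_FAILS_PER_USER, max_users_per_ip=MAX_USERS_PER_IP):
    """Return (locked_users, blocked_ips, alerts) for an iterable of log lines.

    Counts are kept per username and per source IP; each alert fires once,
    the first time its threshold is crossed.
    """
    fails_per_user = defaultdict(int)
    users_per_ip = defaultdict(set)
    locked_users = set()
    blocked_ips = set()
    alerts = []

    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # not a failed-login line (successes, other daemons): ignore
        user, ip = m.group("user"), m.group("ip")
        fails_per_user[user] += 1
        users_per_ip[ip].add(user)

        # Rule 1: too many failures for one account -> time out that username.
        if fails_per_user[user] >= max_fails_per_user and user not in locked_users:
            locked_users.add(user)
            alerts.append(f"LOCK user {user}: {fails_per_user[user]} failed logins")

        # Rule 2: one source cycling through many usernames -> block the IP.
        if len(users_per_ip[ip]) >= max_users_per_ip and ip not in blocked_ips:
            blocked_ips.add(ip)
            alerts.append(f"BLOCK ip {ip}: {len(users_per_ip[ip])} different usernames tried")

    return locked_users, blocked_ips, alerts


# Constructed sample log lines (not a real capture); addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 10 03:12:01 host sshd[1234]: Failed password for alice from 203.0.113.7 port 51022 ssh2
Jan 10 03:12:04 host sshd[1234]: Failed password for alice from 203.0.113.7 port 51023 ssh2
Jan 10 03:12:07 host sshd[1234]: Failed password for alice from 203.0.113.7 port 51024 ssh2
Jan 10 03:12:10 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51025 ssh2
Jan 10 03:12:13 host sshd[1234]: Failed password for invalid user root from 203.0.113.7 port 51026 ssh2
Jan 10 03:12:15 host sshd[1240]: Accepted publickey for bob from 198.51.100.5 port 40000 ssh2
Jan 10 09:00:00 host sshd[1300]: Failed password for bob from 198.51.100.5 port 40001 ssh2
""".splitlines()

if __name__ == "__main__":
    _, _, alerts = analyze(SAMPLE_LOG)
    for alert in alerts:
        print(alert)
```

On the sample input this locks `alice` on her third failure and blocks `203.0.113.7` once it has cycled through `alice`, `admin` and `root`; `bob`'s single failure from another address stays below both thresholds. A real IDS would key these counts to a sliding time window so the "time out for a specific period" part of the rule expires, and would act on the alerts (firewall rule, account lock) rather than just printing them.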
So you now have a crack attempt; if you want to find out who the cracker is, this is where a sniffer comes in handy. You can watch all packets to and from the system being attacked and get the information you need to start finding out who the cracker is.
What you might want to do about it is up to you. And most likely the subject of a future post.