[RndTbl] Intrusion detection

John Lange john.lange at open-it.ca
Thu May 12 15:20:24 CDT 2005

Thanks Sean.

Surprising how few tools there are for this purpose.

pam_tally is a start but not really the full solution I was expecting to

The theory is simply that once you see suspicious activity of any kind
from an IP then there is a good chance that IP is going to scan for
other holes as well so you'd want to shut them down early.

Of course any automatic firewall based on attack signatures might then
be subject to denial of service because of IP spoofing so perhaps thats
why it isn't more common place.

John Lange
President OpenIT ltd. www.Open-IT.ca (204) 885 0872
VoIP, Web services, Linux Consulting, Server Co-Location

On Thu, 2005-05-12 at 12:13 -0500, Sean A. Walberg wrote:
> On Thu, 12 May 2005, Gilles Detillieux wrote:
> > It mentions pam_abl, which I had happened across just last week, but
> > haven't tried out yet.  It's available here:
> pam_tally works well to stop brute force attacks against users.  It locks 
> accounts out after N attempts, rather than the firewall approach.  The 
> benefit, though, is that it's part of the standard RedHat/Fedora install.
> Sean

More information about the Roundtable mailing list