Thread: brute force crack on root password using 'su'

  1. #1
    Junior Member
    Join Date
    Jun 2002
    Posts
    4

    brute force crack on root password using 'su'

    how can you tell if a valid user is trying to brute force crack root's password using 'su'? please let me know of unusual user activities, log files to look at, can IDS spot this?, etc. etc.

    If you say "a PID that seems to never end" is a sure sign, well, is it ethical for me to peek at the user's file to make sure that it is a brute forcer?

    can anyone suggest a good brute force script using 'su'? Is it possible in the first place? Please don't think that this is a lame question. No flames please. I just want to try it on our network before some valid user with a lot of spare time starts thinking like I do. Others may learn from this post too. thanks.

  2. #2
    Senior Member
    Join Date
    Oct 2001
    Posts
    638
    how can you tell if a valid user is trying to brute force crack root's password using 'su'? please let me know of unusual user activities, log files to look at, can IDS spot this?, etc. etc.
    It depends on the version of unix but most of them log bad su's by default as far as I know. Your log files would get very big very quick if someone was actually trying to do a brute force attack via su. This would be pretty stupid though. Usually crackers try and get a copy of the /etc/passwd or /etc/shadow file and crack it on another box.

    If you say "a PID that seems to never end" is a sure sign, well, is it ethical for me to peek at the user's file to make sure that it is a brute forcer?
    Long running processes could be anything. You'd have to check out the program to be sure of what it is. Most things ending in "d" are daemons of some sort. You'd expect these processes to be running for a long time. But if you see a process called "cracker" it's time to start worrying. But surely no cracker would be that dumb, would they?

    can anyone suggest a good brute force script using 'su'? Is it possible in the first place? Please don't think that this is a lame question. No flames please.
    Just write a script that goes through all the permutations of a given sequence of characters, or a list of common passwords and run each one against the su program.

    I just want to try it on our network before some valid user with a lot of spare time starts thinking like I do. Others may learn from this post too. thanks.
    This will take a while depending on the strength of your password. Note that su has an auto delay for bad logins to deliberately slow down this process. So your cracker would have to have a lot of spare time (decades maybe).

    So yes it's possible, but it's extremely unlikely that a cracker would be stupid enough or patient enough to try this sort of crack. It just takes too long.
    OpenBSD - The proactively secure operating system.
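
    One defender-side check for what #2 describes (bad su attempts being logged by default), as an added example that is not part of this thread: it parses failed su entries out of auth-log lines and flags any user with five or more failures inside a ten-minute window. The log lines, host name, timestamps, year and threshold are constructed assumptions; real systems vary in the exact message su or PAM writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines (not from a real host); the year is assumed to be 2002.
SAMPLE_LOG = """\
Jul  3 10:15:01 box su[2001]: FAILED SU (to root) alice on /dev/pts/1
Jul  3 10:15:03 box su[2003]: FAILED SU (to root) alice on /dev/pts/1
Jul  3 10:15:06 box su[2005]: FAILED SU (to root) alice on /dev/pts/1
Jul  3 10:15:09 box su[2007]: FAILED SU (to root) alice on /dev/pts/1
Jul  3 10:15:12 box su[2009]: FAILED SU (to root) alice on /dev/pts/1
Jul  3 11:02:44 box su[2100]: FAILED SU (to root) bob on /dev/pts/2
Jul  3 11:03:10 box su[2102]: + /dev/pts/2 bob:root
"""

# Assumed message shape: "FAILED SU (to <target>) <user> on <tty>", as su writes it on many Linux systems.
FAILED_SU = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su\[\d+\]: FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+) on"
)

def parse_failures(log_text, year=2002):
    """Yield (timestamp, user, target) for each failed su line; successes and other lines are skipped."""
    for line in log_text.splitlines():
        m = FAILED_SU.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["target"]

def find_bruteforcers(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {user: peak count} for users with >= threshold failed su attempts inside one window."""
    per_user = defaultdict(list)
    for ts, user, _target in parse_failures(log_text):
        per_user[user].append(ts)
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged

if __name__ == "__main__":
    print(find_bruteforcers(SAMPLE_LOG))  # {'alice': 5}
```

Bob's single failure followed by a success stays below the threshold, which is the kind of ordinary typo the check should not alert on.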

  3. #3
    Junior Member
    Join Date
    Jul 2002
    Posts
    8
    can anyone suggest a good brute force script using 'su'? Is it possible in the first place?

    If you're worried about a user doing a brute force there is a way to ensure whoever tries wastes their time,
    install and configure sudo so only certain people can execute the su command
    then once sudo is configured properly (man sudo for information on configuring sudo) do this:

    chmod u-s /bin/su

    ls -l /bin/su

    So now even if an attacker cracks your root password he won't be able to su to root.

    I got this tip off the Linux Mandrake site which has a great article on using sudo,
    visit www.mandrakesecure.net to read it.
