HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide: HP-UX 11i v1, HP-UX 11i v2 and HP-UX 11i v3 > Appendix A Templates and Alerts

Repeated Failed Logins Template

The vulnerability addressed by this template

An attacker can gain access to a system by repeatedly attempting to guess the password of an account.

How this template addresses the vulnerability

The Repeated Failed Logins template monitors for repeated failed attempts to log in to the system. Specifically, it monitors btmp on HP-UX 11i v1 and btmps on HP-UX 11i v2 and HP-UX 11i v3 for a given number of failed login attempts within a specified time span.

It monitors for the following events:

  • Failed remote logins

  • Failed ftp logins (HP-UX 11i v2 and HP-UX 11i v3 only)

If more than the configured number of failed attempts against one account occur within the configured interval, this template generates an alert.

How this template is configured

Table A-22 lists the configurable properties that this template supports.

Table A-22 Failed Logins Template Properties

Name                Type    Default Value
max_failed_login    VIII    2
fail_interval       VI      10 seconds
warning_interval    VI      30 seconds
priv_user_list      III     root ids

Properties

The configurable properties are listed as follows:

max_failed_login

The number of failed attempts to log in as the same user that is tolerated within fail_interval. One further failure against that user inside the interval generates an alert.

fail_interval

The time interval over which the failed login attempts must occur to generate an alert.

warning_interval

The minimum time that must elapse before an identical failed login alert (same target user) is generated again.

With the default settings, more than two login failures for a particular target user within 10 seconds cause an alert to be generated, and duplicate alerts for that user within 30 seconds are not reported. It is not uncommon for a user to mistype a password when attempting to log in, so tune these values to local user behavior: raising max_failed_login or shortening fail_interval reduces noise from typos, at the cost of letting a slow guessing attack stay under the threshold.

priv_user_list

A high severity alert (severity 2 rather than 3) is generated when a user with a user ID or user name in this list fails to log in.

Alerts generated by this template

Failed Login Attempts

Table A-23 lists the alert properties this template generates and forwards to a response program when repeated failed logins are detected.

Table A-23 Failed Login Attempts Alert Properties

Columns: Response Program Argument, Alert Field, Alert Field Type, Alert Value/Format, followed by the description on the next line.

argv[1]   Template code   Integer   8
          Unique code assigned to the template.

argv[2]   Version         Integer   3
          Template version.

argv[3]   Severity        Integer   2 for users listed in the priv_user_list property; 3 for all other users
          Alert severity.

argv[4]   UTC Time        Integer   <secs>
          UTC time, in seconds since the epoch, at which more than <max_failed_login> failed logins were detected for a particular target login account.

argv[5]   Attacker        String    <fully qualified host name> <IP address>
          Name and IP address of the host from which the failed logins were attempted.

argv[6]   Target          String    <username>
          Name of the account that the failed logins were attempting to use.

argv[7]   Summary         String    Failed login attempts
          Alert summary.

argv[8]   Details         String    More than <max_failed_login> failed logins by user <username> (REMOTE: <fully qualified host name> <IP address>)
          Detailed alert description.

argv[9]   Event           String    Failed login
          The event that triggered the alert.

argv[10]  Flag            Integer   1
          Indicates a failed login alert, as opposed to a failed su alert.

argv[11]  User            String    <username>
          Target login name that a user was attempting to log in as.

argv[12]  Device          String    <pty device name>
          Name of the pty device associated with the failed login attempt.

argv[13]  Hostname        String    <remote hostname>
          Name of the remote host from which the login was attempted.

argv[14]  IP Address      String    <A.B.C.D> for IPv4 addresses; A:B:C:D:... for IPv6 addresses
          IP address of the remote host from which the login was attempted.

NOTE: Although HIDS is not supported on IPv6-only systems, the failed login templates can recognize and display the following address types in alerts:

  • IPv4 address

  • IPv4-mapped IPv6 address

  • IPv6 address

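The counting rule described under Properties (more than max_failed_login failures against one user within fail_interval, with repeats for that user suppressed for warning_interval) and the argv layout of Table A-23 are modelled in the following Python. It is an added illustration, not HIDS code: it does not read btmp or btmps, and the record field names, the `response_program` placeholder for argv[0], and the decision to keep the failure window after an alert (so that later duplicates are suppressed only by warning_interval) are assumptions. The sample records are constructed. The example runs the rule over those records, builds the fourteen positional arguments a response program would receive, and parses them back so a response program can check that it is acting on a Repeated Failed Logins alert and not on some other template's output.

```python
"""Model of the Repeated Failed Logins template's thresholding and alert argv.

Added illustration; not HP-UX HIDS code. Records are constructed btmp-style
failed-login entries (user, pty, remote host, IP, epoch seconds).
"""
from collections import defaultdict, deque

TEMPLATE_CODE = 8      # argv[1] in Table A-23
TEMPLATE_VERSION = 3   # argv[2] in Table A-23

# Alert field names in argv[1..14] order (Table A-23).
FIELDS = ("template_code", "version", "severity", "utc_time", "attacker",
          "target", "summary", "details", "event", "flag", "user", "device",
          "hostname", "ip")


def build_argv(rec, severity, max_failed_login):
    """Assemble the response program's argv for one alert (argv[0] is a placeholder)."""
    remote = f"{rec['host']} {rec['ip']}"
    return [
        "response_program",                       # argv[0]: assumed program name
        str(TEMPLATE_CODE),                       # argv[1]  Template code
        str(TEMPLATE_VERSION),                    # argv[2]  Version
        str(severity),                            # argv[3]  Severity
        str(rec["time"]),                         # argv[4]  UTC time
        remote,                                   # argv[5]  Attacker
        rec["user"],                              # argv[6]  Target
        "Failed login attempts",                  # argv[7]  Summary
        f"More than {max_failed_login} failed logins by user {rec['user']} "
        f"(REMOTE: {remote})",                    # argv[8]  Details
        "Failed login",                           # argv[9]  Event
        "1",                                      # argv[10] Flag: 1 = failed login, not failed su
        rec["user"],                              # argv[11] User
        rec["pty"],                               # argv[12] Device
        rec["host"],                              # argv[13] Hostname
        rec["ip"],                                # argv[14] IP address
    ]


def detect_failed_logins(records, max_failed_login=2, fail_interval=10,
                         warning_interval=30, priv_user_list=("root", "ids")):
    """Return the alert argv lists the template would emit for `records`.

    An alert fires when more than max_failed_login failures for the same target
    user fall within fail_interval seconds. A further alert for that user is
    suppressed while fewer than warning_interval seconds have passed since the
    previous one. The failure window is kept after an alert (assumption).
    """
    windows = defaultdict(deque)   # user -> timestamps of failures in the window
    last_alert = {}                # user -> time of the last alert raised
    alerts = []
    for rec in sorted(records, key=lambda r: r["time"]):
        user = rec["user"]
        q = windows[user]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > fail_interval:   # drop stale failures
            q.popleft()
        if len(q) <= max_failed_login:
            continue                                      # within tolerance
        prev = last_alert.get(user)
        if prev is not None and rec["time"] - prev < warning_interval:
            continue                                      # duplicate, suppressed
        last_alert[user] = rec["time"]
        severity = 2 if user in priv_user_list else 3
        alerts.append(build_argv(rec, severity, max_failed_login))
    return alerts


def parse_alert_argv(argv):
    """Map argv[1..14] to named fields and reject anything that is not a
    failed-login alert from this template, so a response program never acts
    on a differently shaped alert."""
    if len(argv) != len(FIELDS) + 1:
        raise ValueError("expected argv[0..14]")
    alert = dict(zip(FIELDS, argv[1:]))
    for key in ("template_code", "version", "severity", "utc_time", "flag"):
        alert[key] = int(alert[key])
    if alert["template_code"] != TEMPLATE_CODE or alert["flag"] != 1:
        raise ValueError("not a Repeated Failed Logins alert")
    return alert


# Constructed sample: three failures against root within 4 s from one host, a
# fourth 5 s later (a duplicate inside warning_interval), and three failures
# against alice spread 20 s apart (never more than one inside fail_interval).
SAMPLE = [
    {"user": "root",  "pty": "pts/3", "host": "scan.example.com", "ip": "192.0.2.10", "time": 1000},
    {"user": "root",  "pty": "pts/3", "host": "scan.example.com", "ip": "192.0.2.10", "time": 1002},
    {"user": "root",  "pty": "pts/3", "host": "scan.example.com", "ip": "192.0.2.10", "time": 1004},
    {"user": "root",  "pty": "pts/3", "host": "scan.example.com", "ip": "192.0.2.10", "time": 1009},
    {"user": "alice", "pty": "pts/5", "host": "ws1.example.com",  "ip": "192.0.2.21", "time": 1100},
    {"user": "alice", "pty": "pts/5", "host": "ws1.example.com",  "ip": "192.0.2.21", "time": 1120},
    {"user": "alice", "pty": "pts/5", "host": "ws1.example.com",  "ip": "192.0.2.21", "time": 1140},
]

if __name__ == "__main__":
    for argv in detect_failed_logins(SAMPLE):
        alert = parse_alert_argv(argv)
        print(f"severity {alert['severity']} at {alert['utc_time']}: {alert['details']}")
```

With the defaults the sample yields exactly one alert, at the third root failure, with severity 2 because root is in priv_user_list; the fourth failure is swallowed by warning_interval, and alice's slow failures never cross the threshold. Lowering warning_interval to 5 seconds lets the fourth root failure through as a second alert, which is the trade-off to keep in mind when tuning that property.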

Limitations

The Repeated Failed Logins template has the following limitations:

  • The template only detects failed logins that are logged to btmp on HP-UX 11i v1 and btmps on HP-UX 11i v2 and HP-UX 11i v3. Any service that records failures elsewhere is invisible to it:

    • The template does not detect failed secure ftp (sftp) logins, because the ssh daemon logs failed sftp logins through syslog(3C) instead of writing them to btmp on HP-UX 11i v1 or btmps on HP-UX 11i v2 and HP-UX 11i v3.

    • The template does not detect failed secure shell (ssh) logins from ssh daemons that do not log failed ssh logins to btmp on HP-UX 11i v1 or btmps on HP-UX 11i v2 and HP-UX 11i v3. To enable Secure Shell to log failed logins and logouts to wtmp(s) or btmp(s), you must set the permissions of the wtmp(s) or btmp(s) file to 600; with any other mode the daemon silently skips the write and the template sees nothing.

    • On HP-UX 11i v1, failed ftp logins are only detected when WU-FTPD 2.6.1 (available from http://software.hp.com) is installed. Previous versions of ftp on HP-UX 11i v1 do not log failed attempts to btmp.
