Templates and Alerts

Repeated Failed Logins Template

Table A-23  Failed Login Attempts Alert Properties (Continued)

Response Program   Alert Field   Alert Field   Alert Value/Format                  Description
Argument                         Type
-----------------  ------------  ------------  ----------------------------------  ------------------------------
argv[12]           Device        String        <pty device name>                   Name of pty device associated
                                                                                   with failed login attempt.
argv[13]           Hostname      String        <remote hostname>                   Name of remote host from which
                                                                                   login was attempted.
argv[14]           IP Address    String        <A.B.C.D> for IPv4 addresses        IP address of remote host from
                                               "A:B:C:D:..." for IPv6 addresses    which login was attempted.
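The fields above reach the response program as positional arguments. The following skeleton is an added example, not code from the HP HIDS manual: it reads argv[12] through argv[14] as documented in Table A-23, classifies the address by the IPv4/IPv6 text forms the table gives, and emits one record line. Argument positions 1 through 11 are not described on this page and are ignored; the sample invocation at the end is constructed.

```shell
#!/bin/sh
# Added example (not from the HP HIDS manual): skeleton of a response program
# that consumes the argv[12..14] fields in Table A-23. HIDS invokes the response
# program with these fields as positional arguments; positions 1-11 are not
# documented on this page and are ignored here.

# classify_ip ADDR: prints ipv4, ipv6 or unknown, following the formats in the
# table ("A.B.C.D" for IPv4, "A:B:C:D:..." for IPv6). Pure pattern matching;
# it does not validate octet ranges.
classify_ip() {
    case "$1" in
        '')          echo unknown ;;
        *:*)         echo ipv6 ;;      # any colon: IPv6 text form
        *[!0-9.]*)   echo unknown ;;   # IPv4 form allows only digits and dots
        *.*.*.*)     echo ipv4 ;;
        *)           echo unknown ;;
    esac
}

# failed_login_record ARGS...: emits one record line for the failed login.
# Note the ${12} syntax: in sh, $12 means "$1" followed by the literal "2".
failed_login_record() {
    if [ "$#" -lt 14 ]; then
        echo "failed_login_record: expected at least 14 arguments, got $#" >&2
        return 2
    fi
    dev=${12}
    host=${13}
    ip=${14}
    # The hostname comes from reverse DNS of the remote address and the device
    # name from the login process, so both are untrusted input: always quote
    # them and never hand them to eval or an unquoted command line.
    printf 'failed_login device=%s host=%s ip=%s family=%s\n' \
        "$dev" "$host" "$ip" "$(classify_ip "$ip")"
}

# Constructed sample invocation. In a deployed script this line would be
# failed_login_record "$@" so that the arguments supplied by HIDS are used.
failed_login_record a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 \
    pts/3 host.example.net 192.0.2.10
```

The `${12}` form is the classic mistake in response scripts: `$12` silently expands to the first argument with a "2" appended, so the device field is never read. The record line is deliberately built with `printf` and quoted variables, since the hostname is chosen by whoever controls the attacking address's reverse DNS.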

Limitations

• The template only detects failed logins that are logged to btmp (HP-UX 11i v1) or btmps (HP-UX 11i v2).

• The template does not detect failed secure ftp (sftp) logins, because the ssh daemon logs failed sftp logins using syslog(3C) instead of writing them to btmp on 11i v1 or btmps on 11i v2.

• The template does not detect failed secure shell (ssh) logins when the ssh daemon does not record them in btmp on 11i v1 or btmps on 11i v2. Configure the ssh daemon with the "UsePAM" configuration value set to "no" so that failed attempts are logged to btmp(s). After changing the setting, confirm with lastb(1), which reads btmp(s), that deliberately failed ssh logins now appear there.
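The UsePAM limitation is easy to reintroduce silently, for example when a later sshd_config edit adds a second UsePAM line. The check below is an added example, not part of the HP HIDS manual: it reads sshd_config text on standard input and reports the value the daemon will actually use, honouring the sshd rule that the first non-comment occurrence of a keyword wins. The two sample configurations are constructed, and the function makes no assumption about the default this particular sshd build applies when the keyword is absent.

```shell
#!/bin/sh
# Added example (not from the HP HIDS manual): check whether an sshd_config
# leaves the ssh daemon in a state the Repeated Failed Logins template can see.
# Reads sshd_config text on stdin so it can run against a constructed sample.

# effective_usepam: prints the value sshd will use for UsePAM (lowercased), or
# "absent" when the keyword never appears. sshd takes the FIRST non-comment
# occurrence of a keyword, so later duplicates are ignored, just as here.
effective_usepam() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }       # skip comments and blank lines
        tolower($1) == "usepam" && !found { print tolower($2); found = 1; exit }
        END { if (!found) print "absent" }
    '
}

# check_usepam: returns 0 when UsePAM is "no" (failed ssh logins land in
# btmp(s)), 1 when it is "yes" (the template is blind to them), 2 otherwise.
check_usepam() {
    v=$(effective_usepam)
    case "$v" in
        no)  echo "UsePAM no: failed ssh logins are written to btmp(s)"; return 0 ;;
        yes) echo "UsePAM yes: failed ssh logins bypass btmp(s); template will miss them"; return 1 ;;
        *)   echo "UsePAM $v: not set explicitly; check this sshd build's default"; return 2 ;;
    esac
}

# Constructed sample configurations (not copied from any real host).
SAMPLE_WEAK='# sshd_config where PAM handles the failed logins
Port 22
UsePAM yes
UsePAM no'

SAMPLE_FIXED='# sshd_config after the change recommended under Limitations
Port 22
UsePAM no
UsePAM yes'

printf '%s\n' "$SAMPLE_WEAK" | check_usepam || echo "  -> set UsePAM no and restart sshd"
printf '%s\n' "$SAMPLE_FIXED" | check_usepam
```

Run it against the live file with `check_usepam < /opt/ssh/etc/sshd_config` (or wherever this host keeps sshd_config; the path is an assumption). A non-zero exit means failed ssh logins are not reaching btmp(s) and the template's alerts for ssh cannot be trusted until the daemon is reconfigured and restarted.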

HP Host Intrusion Detection System (HIDS) manual, Appendix A, page 175