How to configure detection and handling of failed logins through SSH.

Document ID : KB000027529
Last Modified Date : 14/02/2018

Summary: 

In order to prevent brute-force break-in attacks on Unix systems, CA Privileged Identity Manager for Unix can detect failed user logons to the host and revoke the affected userID accordingly.

CA Privileged Identity Manager provides the module 'serevu', which revokes the userID and can optionally re-enable it again later.

This document describes how to configure CA Privileged Identity Manager to detect and handle failed logins that occur over SSH.

It should also help you understand the data flow for a failed login through SSH, PAM, seosd and serevu.


Instructions: 

Please note that in recent PIM versions the install_base script creates the necessary configurations while applying Baseline Security Pack Rules.

The module 'serevu' can be configured to detect failed logons occurring through applications which utilize PAM.

PAM (Pluggable Authentication Modules) is the default authentication subsystem on current Unix flavors.

To allow serevu to work with PAM, the following token has to be set in the seos.ini configuration file:

     [pam_seos]

     serevu_use_pam_seos = yes

In order to configure sshd to also utilize PAM for authentication, set the following in /etc/opt/ssh/sshd_config:

     UsePAM yes

This will allow the daemon sshd to signal the PAM system that a failed login occurred.

Next we need to make sure that CA Privileged Identity Manager is set up to intercept the PAM signals coming from sshd. This is done by adding the following line to /etc/pam.conf:

     sshd auth optional /usr/lib/security/pam_seos.sl

Also ensure that the local seosdb holds a loginappl record for sshd.
You may need to add it in selang:

     AC> nr loginappl SSHD loginpath(/usr/sbin/sshd) \

     > loginseq(SGRP SUID) defaccess(x)

Any failed login attempt made from an SSH client should now be recorded in the file /opt/CA/AccessControl/log/pam_seos_failed_logins.log

To summarize the data flow:

  • sshd signals PAM that a failed login occurred
  • CA Privileged Identity Manager intercepts this PAM signal and writes information into the pam_seos_failed_logins.log 
  • serevu periodically scans that log and acts accordingly

The number of failed logins each user is allowed before being revoked can be set in seos.ini:

     [serevu]

     def_fail_count = 3

To start serevu automatically when seload runs, add the following to seos.ini:

     [daemons]

     serevu = yes
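The steps above touch three files (seos.ini, sshd_config and pam.conf), and a typo in any one of them silently leaves serevu blind to SSH failures. The following shell script is an added example, not part of the KB article or of the product: it reads the three files and reports every missing setting. The function names (ini_get, check_serevu_config, make_sample_configs) are assumptions, and the sample files it writes are constructed fragments, not real installation files.

```shell
#!/bin/sh
# Added example, not from the KB article: checks the seos.ini, sshd_config and
# pam.conf settings the steps above ask for. File paths are arguments, so it can
# run against an installed host or against the constructed samples below.

# ini_get FILE SECTION TOKEN: print the value of TOKEN inside [SECTION]
# (first match wins; comment lines starting with ';' or '#' are ignored).
ini_get() {
    awk -v sec="$2" -v tok="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ {
            s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s)
            in_sec = (s == sec); next
        }
        in_sec && index($0, "=") {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]+/, "", k)
            if (k == tok) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }
    ' "$1"
}

# check_serevu_config SEOS_INI SSHD_CONFIG PAM_CONF: report every missing
# setting and return non-zero if any of them is missing.
check_serevu_config() {
    rc=0
    [ "$(ini_get "$1" pam_seos serevu_use_pam_seos)" = "yes" ] ||
        { echo "seos.ini: [pam_seos] serevu_use_pam_seos is not 'yes'"; rc=1; }
    [ "$(ini_get "$1" daemons serevu)" = "yes" ] ||
        { echo "seos.ini: [daemons] serevu is not 'yes' (serevu will not start with seload)"; rc=1; }
    case "$(ini_get "$1" serevu def_fail_count)" in
        ''|*[!0-9]*) echo "seos.ini: [serevu] def_fail_count missing or not numeric"; rc=1 ;;
    esac
    # sshd keywords are case-insensitive; only uncommented lines count.
    grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' "$2" ||
        { echo "sshd_config: UsePAM yes not set"; rc=1; }
    grep -Eq '^[[:space:]]*sshd[[:space:]]+auth[[:space:]]+[a-z]+[[:space:]]+.*pam_seos' "$3" ||
        { echo "pam.conf: no 'sshd auth ... pam_seos' line"; rc=1; }
    return $rc
}

# make_sample_configs DIR: write constructed sample fragments of the three
# files into DIR (these are examples, not files from a real installation).
make_sample_configs() {
    cat > "$1/seos.ini" <<'EOF'
; constructed sample seos.ini fragment
[pam_seos]
serevu_use_pam_seos = yes

[serevu]
def_fail_count = 3

[daemons]
serevu = yes
EOF
    cat > "$1/sshd_config" <<'EOF'
# constructed sample sshd_config fragment
Port 22
UsePAM yes
EOF
    cat > "$1/pam.conf" <<'EOF'
# constructed sample pam.conf fragment (HP-UX style module path)
sshd auth optional /usr/lib/security/pam_seos.sl
EOF
}

# Stand-alone demonstration on the constructed sample files.
demo_dir=$(mktemp -d)
make_sample_configs "$demo_dir"
if check_serevu_config "$demo_dir/seos.ini" "$demo_dir/sshd_config" "$demo_dir/pam.conf"; then
    echo "all serevu/SSH prerequisites present"
fi
rm -rf "$demo_dir"
```

On a real host, call check_serevu_config with the actual paths (for example /etc/pam.conf and, on HP-UX, /etc/opt/ssh/sshd_config). Note that sshd uses the first UsePAM value it reads, so an earlier "UsePAM no" line would still win even when the grep succeeds; the check is a sanity test, not a substitute for reviewing the whole file.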

If everything is working, you should find entries like the following in the syslog (sample user: 'test1'):

     Jul  5 15:15:32 HPUX9000 sshd[18058]: Failed keyboard-interactive/pam for test1 from 130.119.109.47 port 1615 ssh2

     Jul  5 15:15:57 HPUX9000  above message repeats 3 times

     Jul  5 15:15:57 HPUX9000 serevu[17997]: serevu: User test1 Revoked. (3 failed password attempts)

     ...

     Jul  5 15:22:02 HPUX9000 serevu[17997]: serevu: User test1 re-enabled
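When the revocation does not happen as expected, the first question is whether syslog actually recorded enough sshd failures for the user. The script below is an added example, not part of the KB article or of serevu itself: it tallies sshd "Failed ... for <user>" messages per user from syslog lines in the format shown above, folds in the "above message repeats N times" lines, and lists users at or over a threshold such as def_fail_count. The function names are assumptions and the log lines it writes are constructed samples that reuse the message format above with documentation-range addresses.

```shell
#!/bin/sh
# Added example, not from the KB article: tally sshd failure messages per user
# from syslog lines like the ones above and list users at or over a threshold,
# so what syslog recorded can be compared with what serevu reported.

# failed_logins_per_user LOGFILE: print "user count" per user, sorted by user.
# Handles "Failed <method> for <user>" and "... for invalid user <user>", and
# folds syslog's "above message repeats N times" into the preceding failure
# (treated as N additional occurrences, the usual syslogd meaning).
failed_logins_per_user() {
    awk '
        /sshd\[[0-9]+\]: Failed / {
            for (i = 1; i <= NF; i++) if ($i == "for") break
            if (i > NF) next
            user = ($(i+1) == "invalid" && $(i+2) == "user") ? $(i+3) : $(i+1)
            n[user]++; last = user; next
        }
        /above message repeats [0-9]+ times/ && last != "" {
            for (i = 1; i <= NF; i++) if ($i == "repeats") n[last] += $(i+1)
            next
        }
        { last = "" }   # any other line breaks the repeat chain
        END { for (u in n) print u, n[u] }
    ' "$1" | sort
}

# users_over_threshold LOGFILE COUNT: print users with at least COUNT failures.
users_over_threshold() {
    failed_logins_per_user "$1" | awk -v t="$2" '$2 + 0 >= t + 0 { print $1 }'
}

# make_sample_syslog FILE: write constructed syslog lines in the format of the
# sample above (not real log data; 192.0.2.0/24 is a documentation range).
make_sample_syslog() {
    cat > "$1" <<'EOF'
Jul  5 15:15:32 HPUX9000 sshd[18058]: Failed keyboard-interactive/pam for test1 from 192.0.2.10 port 1615 ssh2
Jul  5 15:15:40 HPUX9000 above message repeats 2 times
Jul  5 15:16:01 HPUX9000 sshd[18077]: Failed password for user2 from 192.0.2.11 port 1702 ssh2
Jul  5 15:16:09 HPUX9000 sshd[18090]: Failed password for invalid user nobody9 from 192.0.2.12 port 1710 ssh2
Jul  5 15:16:30 HPUX9000 sshd[18101]: Accepted keyboard-interactive/pam for test1 from 192.0.2.10 port 1620 ssh2
EOF
}

# Stand-alone demonstration on the constructed sample.
log=$(mktemp)
make_sample_syslog "$log"
echo "failed logins per user:"
failed_logins_per_user "$log"
echo "users at or over def_fail_count=3:"
users_over_threshold "$log" 3
rm -f "$log"
```

On the sample, test1 reaches 3 (one message plus two repeats) and is the only user reported at threshold 3. Against a real syslog file, run users_over_threshold /var/adm/syslog/syslog.log 3 (or wherever syslogd writes on the host) and compare the result with the "User ... Revoked" lines serevu logged.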

In seaudit you would find entries such as the following:

     05 Jul 2006 15:15:35 A LOGIN        test1       17  8  130.119.109.47       sshd

     ...

     05 Jul 2006 15:15:56 A LOGIN        test1        0  5  130.119.109.47       serevu

     ...

     05 Jul 2006 15:15:57 I LOGINDISABLE test1        0  5  130.119.109.47       serevu

     ...

     05 Jul 2006 15:22:02 E LOGINENABLE  test1        0  5  130.119.109.47       serevu