To help prevent brute-force break-in attacks against Unix systems, CA Privileged Identity Manager for Unix detects failed user logons to the host and can revoke the offending userID accordingly.
CA Privileged Identity Manager provides the module 'serevu', which performs the revocation and the optional subsequent re-enablement of a revoked userID.
This document describes how to configure CA Privileged Identity Manager to detect and handle failed logins that occur over SSH.
It should also help you understand the data flow from a failed SSH login through PAM, seosd and serevu.
Please note that in recent PIM versions the install_base script creates the necessary configurations while applying Baseline Security Pack Rules.
The module 'serevu' can be configured to detect failed logons that occur through applications which use PAM.
PAM (Pluggable Authentication Modules) is the default authentication subsystem on current Unix flavors.
To allow serevu to work with PAM, set the following token in the seos.ini configuration file:
serevu_use_pam_seos = yes
To configure sshd to also use PAM for authentication, set the following in /etc/opt/ssh/sshd_config:
This allows the sshd daemon to signal to PAM that a failed login has occurred.
Next, make sure that CA Privileged Identity Manager is set up to intercept the PAM signals coming from sshd. This is done by adding the following line to /etc/pam.conf:
sshd auth optional /usr/lib/security/pam_seos.sl
Also ensure that the local seosdb holds a loginappl record for sshd.
You may need to add one in selang:
AC> nr loginappl SSHD loginpath(/usr/sbin/sshd) \
> loginseq(SGRP SUID) defaccess(x)
You should now find any failed logins attempted from an SSH client recorded in the file /opt/CA/AccessControl/log/pam_seos_failed_logins.log
To summarize the data flow:
- sshd signals PAM that a failed login occurred
- CA Privileged Identity Manager intercepts this PAM signal and writes information into the pam_seos_failed_logins.log
- serevu periodically scans that log and acts accordingly
The number of failed logins each user is allowed before being revoked can be set in seos.ini:
def_fail_count = 3
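To make the data flow and the def_fail_count threshold concrete, here is an added Python model (not CA's serevu code, and not the pam_seos_failed_logins.log format, which this article does not show) that applies the same per-user counting to sshd syslog lines of the kind quoted later in this document, including syslog's "above message repeats N times" compression; the seos.ini fragment and the log lines are constructed for the example.

```python
"""Model of serevu-style revocation over sshd syslog lines (added example)."""
import re

# Constructed seos.ini fragment using the tokens named in this article.
SEOS_INI = """
serevu_use_pam_seos = yes
def_fail_count = 3
serevu = yes
"""

# Constructed syslog sample modelled on the HP-UX output shown in the article.
# test1 fails once and the line repeats twice (3 failures); test2 fails twice.
SYSLOG = """\
Jul 5 15:15:32 HPUX9000 sshd: Failed keyboard-interactive/pam for test1 from 192.0.2.10 port 1615 ssh2
Jul 5 15:15:40 HPUX9000 above message repeats 2 times
Jul 5 15:16:01 HPUX9000 sshd: Failed keyboard-interactive/pam for test2 from 192.0.2.11 port 1700 ssh2
Jul 5 15:16:09 HPUX9000 sshd: Failed keyboard-interactive/pam for test2 from 192.0.2.11 port 1701 ssh2
Jul 5 15:16:20 HPUX9000 sshd: Accepted keyboard-interactive/pam for test2 from 192.0.2.11 port 1702 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd: "
    r"Failed \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$")
REPEAT_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ above message repeats (?P<n>\d+) times$")

def read_fail_count(ini_text, default=3):
    """Return def_fail_count from seos.ini-style text, or the default if absent."""
    for line in ini_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "def_fail_count" and value.strip().isdigit():
            return int(value.strip())
    return default

def expand_repeats(lines):
    """Undo syslog's 'above message repeats N times' compression."""
    out = []
    for line in lines:
        m = REPEAT_RE.match(line)
        if m and out:
            out.extend([out[-1]] * int(m.group("n")))  # replay the previous line
        else:
            out.append(line)
    return out

def find_revocations(syslog_text, fail_count):
    """Return {user: failures} for users whose failed sshd logins reach fail_count."""
    failures, revoked = {}, {}
    for line in expand_repeats(syslog_text.splitlines()):
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        user = m.group("user")
        failures[user] = failures.get(user, 0) + 1
        if failures[user] >= fail_count and user not in revoked:
            revoked[user] = failures[user]  # serevu would revoke here
    return revoked
```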
To start serevu automatically when seload runs, add the following to seos.ini:
serevu = yes
If all goes well, you should find entries like the following in the syslog (sample user: 'test1'):
Jul 5 15:15:32 HPUX9000 sshd: Failed keyboard-interactive/pam for test1 from 184.108.40.206 port 1615 ssh2
Jul 5 15:15:57 HPUX9000 above message repeats 3 times
Jul 5 15:15:57 HPUX9000 serevu: serevu: User test1 Revoked. (3 failed password attempts)
Jul 5 15:22:02 HPUX9000 serevu: serevu: User test1 re-enabled
In seaudit you would find records like the following:
05 Jul 2006 15:15:35 A LOGIN test1 17 8 220.127.116.11 sshd
05 Jul 2006 15:15:56 A LOGIN test1 0 5 18.104.22.168 serevu
05 Jul 2006 15:15:57 I LOGINDISABLE test1 0 5 22.214.171.124 serevu
05 Jul 2006 15:22:02 E LOGINENABLE test1 0 5 126.96.36.199 serevu