Detect and Handle Failed Logins through SSH

To prevent brute force-based break-in attacks into Unix systems, Privileged Access Manager for Unix provides detection of failed user logons on a host and revocation of the user ID. The serevu module facilitates revocation and optional subsequent re-enablement of a revoked user ID.

This topic describes how to configure Privileged Access Manager to detect and handle failed logins that occur over SSH. It also helps you understand the data flow between a failed SSH login, PAM (Pluggable Authentication Modules), seosd, and serevu.
Follow these steps:
  1. Configure the serevu module to detect failed logins that occur through applications that use PAM. PAM is the default authentication subsystem on most Unix flavors.
    To allow serevu to work with PAM, set the following token in the seos.ini configuration file:
    [pam_seos]
    serevu_use_pam_seos = yes
  2. To configure sshd to use PAM for authentication, set the following token in /etc/opt/ssh/sshd_config (the location of sshd_config varies by platform; on most Linux distributions it is /etc/ssh/sshd_config):
    UsePAM yes
    With this setting, sshd runs the PAM authentication stack for every login attempt, so a failed login is reported to PAM instead of being handled by sshd alone.
  3. Add the following line to /etc/pam.conf to ensure that Privileged Access Manager is set up to intercept PAM signals coming from sshd:
    sshd auth optional /usr/lib/security/pam_seos.sl
    The control flag optional means that the result returned by pam_seos does not affect whether the login succeeds (as long as it is not the only module in the sshd auth stack); the module only observes the authentication attempt, so adding it cannot lock users out. On platforms that use /etc/pam.d instead of a single /etc/pam.conf, add the equivalent line, without the leading service name, to the sshd service file.
  4. Ensure that the local seosdb holds a loginappl record for sshd. Add the following line in selang:
    PAMSC> nr loginappl SSHD loginpath(/usr/sbin/sshd) loginseq(SGRP SUID) defaccess(x)
    You can now find any failed logins attempted from an SSH client in the file /opt/CA/PAMSC/log/pam_seos_failed_logins.log.
    With this configuration done, the data flows as follows:
    1. sshd signals PAM that a failed login occurred.
    2. Privileged Access Manager intercepts this PAM signal and writes information into pam_seos_failed_logins.log.
    3. serevu periodically scans that log and acts accordingly.
  5. The number of failed logins each user is allowed before being revoked is set in seos.ini:
    [serevu]
    def_fail_count = 3
  6. To start serevu automatically when seload runs, add the following to seos.ini:
    [daemons]
    serevu = yes
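The chain above only works if every link is in place: the seos.ini tokens, the effective UsePAM value in sshd_config, and a pam_seos entry in the sshd auth stack. The following POSIX shell script is an added example, not part of the Privileged Access Manager documentation or product; it audits those settings from the configuration files so that a missing piece is found before the first attacker does. The file paths are parameters, so the same checks run against the real /etc/seos.ini, sshd_config and pam.conf; here they run against sample copies constructed inline. The pam.d-style fallback (lines without a service column) is an assumption about the layout of /etc/pam.d/sshd on Linux, and the loginappl record from step 4 is not checked because it lives in seosdb, not in a file.

```shell
#!/bin/sh
# Added example, not part of the Privileged Access Manager documentation.
# Audits the settings the procedure above requires before you rely on failed
# SSH logins reaching serevu. File paths are parameters, so the checks run
# unchanged against the real seos.ini, sshd_config and pam.conf; here they
# run against sample copies constructed below.

# ini_get FILE SECTION KEY: print KEY's value from [SECTION], or nothing.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        { gsub(/^[ \t]+|[ \t]+$/, "") }           # trim the whole line
        /^[;#]/   { next }                        # skip comment lines
        $0 == sec { insec = 1; next }             # entered the wanted section
        /^\[/     { insec = 0 }                   # any other header ends it
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+/, "", v)
                print v; exit
            }
        }' "$1"
}

# ini_has FILE SECTION KEY VALUE: true if the key is set to exactly VALUE.
ini_has() { [ "$(ini_get "$1" "$2" "$3")" = "$4" ]; }

# fail_count_is_positive SEOS_INI: def_fail_count must be a positive integer,
# otherwise serevu has no usable revocation threshold.
fail_count_is_positive() {
    n=$(ini_get "$1" serevu def_fail_count)
    case $n in '' | *[!0-9]*) return 1 ;; esac
    [ "$n" -gt 0 ]
}

# sshd_uses_pam SSHD_CONFIG: true if the effective UsePAM directive is yes.
# sshd honours the first occurrence of a keyword, so only that one counts.
sshd_uses_pam() {
    awk 'tolower($1) == "usepam" { rc = (tolower($2) == "yes") ? 0 : 1; seen = 1; exit }
         END { exit seen ? rc : 1 }' "$1"
}

# pam_hooks_sshd PAM_FILE MODULE: true if an "auth" entry for sshd loads MODULE.
# Accepts /etc/pam.conf lines (service type control module) and, as an
# assumed layout, /etc/pam.d/sshd lines (type control module) with no service.
pam_hooks_sshd() {
    awk -v mod="$2" '
        /^[ \t]*#/ { next }
        { if ($1 == "sshd") { type = $2; path = $4 } else { type = $1; path = $3 } }
        type == "auth" && index(path, mod) { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# check LABEL COMMAND...: run one check, print the verdict, count failures.
check() {
    label=$1; shift
    if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; fails=$((fails + 1)); fi
}

# audit_failed_login_config SEOS_INI SSHD_CONFIG PAM_FILE: run every check and
# return the number that failed (0 means the chain is configured end to end).
audit_failed_login_config() {
    fails=0
    check "seos.ini [pam_seos] serevu_use_pam_seos = yes"        ini_has "$1" pam_seos serevu_use_pam_seos yes
    check "seos.ini [serevu] def_fail_count is a positive integer" fail_count_is_positive "$1"
    check "seos.ini [daemons] serevu = yes"                      ini_has "$1" daemons serevu yes
    check "sshd_config effective UsePAM is yes"                  sshd_uses_pam "$2"
    check "PAM auth stack for sshd loads pam_seos"               pam_hooks_sshd "$3" pam_seos
    return $fails
}

# Sample files, constructed here for the demonstration with the values from
# the procedure above; the second sshd_config has PAM left off.
tmp=$(mktemp -d)
cat > "$tmp/seos.ini" <<'EOF'
[pam_seos]
serevu_use_pam_seos = yes
[serevu]
def_fail_count = 3
[daemons]
serevu = yes
EOF
printf 'Port 22\nUsePAM yes\n' > "$tmp/sshd_config"
printf '#UsePAM yes\nUsePAM no\n' > "$tmp/sshd_config.nopam"
cat > "$tmp/pam.conf" <<'EOF'
login  auth  required  /usr/lib/security/libpam_unix.1
sshd   auth  optional  /usr/lib/security/pam_seos.sl
sshd   auth  required  /usr/lib/security/libpam_unix.1
EOF

audit_failed_login_config "$tmp/seos.ini" "$tmp/sshd_config" "$tmp/pam.conf"
echo "--- same host with UsePAM no:"
audit_failed_login_config "$tmp/seos.ini" "$tmp/sshd_config.nopam" "$tmp/pam.conf" || true
```

On a real host, call audit_failed_login_config with the actual file paths (for example /etc/seos.ini, /etc/opt/ssh/sshd_config and /etc/pam.conf) and treat a non-zero return as a broken detection chain. The UsePAM check deliberately looks only at the first occurrence, because a second UsePAM line later in the file has no effect, which is a common reason a host believes PAM is on while sshd never reports the failure.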