Detect and Handle Failed Logins through SSH
To prevent brute force-based break-in attacks into UNIX systems, Privileged Access Manager for UNIX provides detection of the failed user logons on a host and revocation of the user ID. The serevu module facilitates revocation and optional subsequent re-enablement of a revoked user ID.
This topic describes how to configure Privileged Access Manager to detect and handle failed logins that occurred on SSH. This topic also helps you understand the data flow between failed logins through SSH, PAM (Pluggable Authentication Modules), seosd, and serevu.

Follow these steps:
- Configure the serevu module to detect failed logins that occurred through applications that use PAM. PAM is the default authentication subsystem on UNIX flavors. To allow serevu to work with PAM, set the following token in the seos.ini configuration file:

    [pam_seos]
    serevu_use_pam_seos = yes
- To configure sshd to use PAM for authentication, set the following token in /etc/opt/ssh/sshd_config:

    UsePAM yes

  This configuration allows the sshd daemon to signal the PAM system that a failed login occurred.
- Add the following line to /etc/pam.conf to ensure Privileged Access Manager is set up to intercept PAM signals coming from sshd:

    sshd auth optional /usr/lib/security/pam_seos.sl
- Ensure that the local seosdb holds a loginappl record for sshd. Add the following line in selang:

    PAMSC> nr loginappl SSHD loginpath(/usr/sbin/sshd) loginseq(SGRP SUID) defaccess(x)

  You can now find any failed logins done on an SSH client in the file /opt/CA/PAMSC/log/pam_seos_failed_logins.log.

  With this configuration done, the data flows as follows:
- sshd signals PAM that a failed login occurred.
- Privileged Access Manager intercepts this PAM signal and writes information into pam_seos_failed_logins.log.
- serevu periodically scans that log and acts accordingly.
- The number of failed logins each user is entitled to before being revoked can be set in seos.ini:

    [serevu]
    def_fail_count = 3
- To start serevu automatically upon seload, add the following lines to seos.ini:

    [daemons]
    serevu = yes
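The following script is an added example, not part of the Privileged Access Manager documentation or product code. It models the data flow described above on a defender's workstation: it reads the serevu-related tokens from a seos.ini fragment, scans a failed-logins log, counts failures per user and reports which users have reached def_fail_count. The layout of pam_seos_failed_logins.log is not documented on this page, so the line format parsed here (timestamp, user, source host, application) and the log contents are constructed assumptions made only for this example.

```python
import configparser
import re
from collections import Counter

# Constructed seos.ini fragment, using only the tokens shown in the procedure above.
SEOS_INI = """
[pam_seos]
serevu_use_pam_seos = yes

[serevu]
def_fail_count = 3

[daemons]
serevu = yes
"""

# Constructed sample log. ASSUMPTION: the real pam_seos_failed_logins.log layout
# is not documented on this page; this one-record-per-line format is invented here.
FAILED_LOGINS_LOG = """\
2024-05-01 10:00:01 user=alice host=10.0.0.5 appl=sshd
2024-05-01 10:00:07 user=alice host=10.0.0.5 appl=sshd
2024-05-01 10:00:12 user=bob host=10.0.0.9 appl=sshd
2024-05-01 10:00:15 user=alice host=10.0.0.5 appl=sshd
2024-05-01 10:00:20 user=alice host=10.0.0.5 appl=sshd
this line is deliberately not parseable
"""

# One log record: date, time, then user=/host=/appl= fields (assumed format).
LOG_LINE = re.compile(
    r"^\S+ \S+ user=(?P<user>\S+) host=(?P<host>\S+) appl=(?P<appl>\S+)$"
)


def load_serevu_settings(ini_text):
    """Read the three serevu-related tokens from a seos.ini-style text."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return {
        # serevu only watches the PAM-sourced log when this token is yes
        "pam_enabled": cp.get("pam_seos", "serevu_use_pam_seos", fallback="no").lower() == "yes",
        # number of failures a user may accumulate before revocation
        "fail_count": cp.getint("serevu", "def_fail_count", fallback=0),
        # whether seload starts serevu automatically
        "autostart": cp.get("daemons", "serevu", fallback="no").lower() == "yes",
    }


def count_failed_logins(log_text):
    """Count failed logins per user; unparseable lines are counted, not dropped silently."""
    counts = Counter()
    skipped = 0
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            skipped += 1
            continue
        counts[m.group("user")] += 1
    return counts, skipped


def users_to_revoke(counts, threshold):
    """Users whose failure count has reached the threshold. A threshold of 0 disables revocation."""
    if threshold <= 0:
        return []
    return sorted(user for user, n in counts.items() if n >= threshold)


def scan(ini_text, log_text):
    """Mirror one serevu pass: load settings, scan the log, decide who to revoke."""
    settings = load_serevu_settings(ini_text)
    counts, skipped = count_failed_logins(log_text)
    revoke = users_to_revoke(counts, settings["fail_count"]) if settings["pam_enabled"] else []
    return {
        "settings": settings,
        "counts": dict(counts),
        "skipped": skipped,
        "revoke": revoke,
    }


if __name__ == "__main__":
    result = scan(SEOS_INI, FAILED_LOGINS_LOG)
    print("settings:", result["settings"])
    print("failures per user:", result["counts"])
    print("unparseable lines:", result["skipped"])
    print("users at or over def_fail_count:", result["revoke"])
```

The skipped-line counter matters in practice: if a log format change stops lines from parsing, a scanner that silently ignores them would report zero failures and the revocation control would stop working without anyone noticing.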