03-10-2014 06:56 AM
Is IPFilter able to terminate failed root login attempts and report out?
Looking for ways to stop the root account from being disabled from security scans and/or actual attempts to gain access. Would like to use something like DenyHosts on Linux where you can terminate a session after two attempts prior to the root account being disabled.
Not good to have the root account in a disabled state due to a failed attempt by an outside source. Makes far more sense to not allow something to do this to your server and stop it before it happens. Then report it out so you can research and determine who/what/why is attempting to login as the root account. Right now focuses on an audit scan which is attempting to login as root and disabling the account each time. Rather than fix the "scan" it's really telling us we have an architectural design that is flawed where as a "bad guy" I could disable your root account just by trying and maybe cause some havoc with your environment by just getting root disabled.
Like a global solution that stops the attempt after two tries, logs the information and reports it out.
Any ideas? Thanks
Legalize Freedom
03-10-2014 09:04 AM
Re: Is IPFilter able to terminate failed root login attempts and report out?
I haven't verified this with HP-UX 11.31, but on older HP-UX versions at least, root has a special extra permission to log in _on the system console_ even if the root account is otherwise disabled.
And I think you're holding the wrong end of the stick: if you want to block invalid login attempts at the network level, whatever mechanism checks the validity of the login attempt must be made to feed the salient details _to IPFilter_, because IPFilter is not in the business of checking users' passwords/SSH keys/whatever. If you try to make IPFilter do the checking, then IPFilter must effectively become another copy of the thing you are trying to protect with IPFilter in the first place.
In my opinion, if a Joe Random Hacker from anywhere in the Internet can just start making root login attempts on your HP-UX server (which is probably doing something critical to your business), you're doing something wrong. The admin access to at least most of your servers should be behind a VPN or a locked-down gateway server (or two, for redundancy) which is configured so that it's able to take the pounding of the savages.
If you're talking about attacks by someone already within your own network... then the attacker is probably someone with inside knowledge, not just a generic "bad guy". But then, if you can locate the attacker, you may have other means of enforcement available: for example, you might have the security guards at your site catch the attacker and physically disconnect him/her from the network.
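The division of labour described in the reply above, as an added example that is not part of the original thread: sshd's own log records the failed root logins, and a small script turns repeat offenders into IPFilter block rules plus a report line. The syslog line layout, the threshold of two, the allowlisted gateway address and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# OpenSSH failure message for root. Anchored at end of line so that text an
# attacker places in the username field cannot forge the source address.
FAILED_ROOT = re.compile(
    r"sshd\[\d+\]: Failed \S+ for root from (\S+) port \d+(?: ssh2)?$")

# Constructed sample lines (documentation addresses); the log path and exact
# syslog prefix on a given HP-UX host are assumptions to verify locally.
SAMPLE_LOG = """\
Mar 10 06:50:01 hpux1 sshd[4121]: Failed password for root from 192.0.2.10 port 51234 ssh2
Mar 10 06:50:04 hpux1 sshd[4121]: Failed password for root from 192.0.2.10 port 51234 ssh2
Mar 10 06:51:10 hpux1 sshd[4130]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar 10 06:52:30 hpux1 sshd[4142]: Failed password for root from 203.0.113.5 port 39001 ssh2
Mar 10 06:53:00 hpux1 sshd[4150]: Accepted publickey for root from 203.0.113.5 port 39002 ssh2
Mar 10 06:54:00 hpux1 sshd[4160]: Failed password for root from 10.1.1.20 port 50000 ssh2
Mar 10 06:54:02 hpux1 sshd[4160]: Failed password for root from 10.1.1.20 port 50000 ssh2
Mar 10 07:00:00 hpux1 sshd[4200]: Failed password for invalid user x sshd[1]: Failed password for root from 192.0.2.99 port 22 ssh2 from 198.51.100.7 port 40100 ssh2
"""

def offenders(log_text, threshold=2, allowlist=frozenset()):
    """Map source IP -> timestamps of failed root logins, at or over threshold."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_ROOT.search(line.rstrip())
        if not m:
            continue
        try:
            ip = str(ipaddress.IPv4Address(m.group(1)))
        except ValueError:
            continue  # not a well-formed IPv4 address: never emit it as a rule
        if ip not in allowlist:
            seen[ip].append(line[:15])  # syslog timestamp, e.g. "Mar 10 06:50:01"
    return {ip: ts for ip, ts in seen.items() if len(ts) >= threshold}

def ipf_rules(ips):
    """IPFilter rules that drop further SSH connections from each address."""
    return [f"block in quick proto tcp from {ip}/32 to any port = 22"
            for ip in sorted(ips)]

if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG, allowlist={"10.1.1.20"})  # hypothetical admin gateway
    for ip, stamps in hits.items():
        print(f"# report: {ip} failed root login at {', '.join(stamps)}")
    print("\n".join(ipf_rules(hits)))  # review, then load with: ipf -f <file>
```

The last sample line carries a forged "root from 192.0.2.99" inside the username field; the end-of-line anchor keeps that address out of the rule set, and the allowlist keeps a management gateway from being blocked by its own typos.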
03-10-2014 01:55 PM
Re: Is IPFilter able to terminate failed root login attempts and report out?
You are correct about console access and we have the account restricted for direct logins for that already.
Basically if you're familiar with "Linux" environments there is a "denyhosts" application that you can configure so that any incoming connection requests for the "root" account can be disabled after two attempts, logged and information forwarded out to alert team members.
With HP-UX hoping they would have something similar either with IPFilter/HIDS or some concoction so that a process and/or person (within our network as you mention) can't disable the root account simply by attempting to login through ssh (Telnet disabled of course).
Our auditors questioned this and why we allow it to happen when their security trace after three unsuccessful attempts disabled root. It's a good question. Rather than adjust a trace to not "try" to connect as the root account...we should be implementing something that stops it in its tracks after say two attempts and reports it out with details (IP/DATE/Session information).
I'll keep digging though and thanks for the reply. =)
Legalize Freedom