Array Performance and Data Protection
cancel
Showing results for 
Search instead for 
Did you mean: 

Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.

SOLVED
Go to solution
Daniel-san
Frequent Advisor

Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.

We have a CS220 that has recently started firing off 15 of these emails in a row, for no apparent reason, twice daily.  Nothing is connected to the console, or attempting to access.  This behavior happens regardless of which controller is active. 

This behavior started after a NimbleOS update.  A subsequent update did not change the behavior.

Twice every day at 8:16AM (but no PM) and 4:08PM (but not AM), we get 15 of these at once.  The 4pm alerts seem to correlate to the approximate time that the NimbleOS update was done.

We have no other processes/backups/discernable activity that is taking place at these times.


Any ideas out there?

Thank you.

-----Original Message-----
From: nimble@yournetwork.com
Subject: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.

Time: Thu Mar 17 08:21:53 2016

Type: 14801

Id: 24817

Message: Root Login to controller B from Console failed.

Group Name: Nimble-SAN

Array name: Nimble-SAN

Serial: your SN

Version: 2.3.14.0-325711-opt

Arrays in the group:

---------------------+-----------------+-----------+----------------

Name                  Serial            Model       Version        

---------------------+-----------------+-----------+----------------

7 REPLIES
ndyer39
Honored Contributor

Re: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.

Hi Daniel,

This is a security feature as part of a recent version of NimbleOS. You most likely have something on your network that is probing all devices. Give support a call and they can help.

Daniel-san
Frequent Advisor

Re: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.

that's what i would have thought - except that it says it's from console.  when we've had failed access attempts on the LAN int, it would say it was from a LAN int IP address.  since this says console, and we have nothing connected to the console, it makes no sense.

rugby0134
Esteemed Contributor

Re: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.

you will get these messages for three reason.

1) software upgrade - the OS does a SSH to the standby to start upgrade and we log it.

2) internal software scan by your network  team to test security

3) someone is actually trying to break into the IP

For one and two - no issues. Number two is usally the case and you can call your security team. If it not the securuty team - then someone in you network is doing bad thing!

kevin

Daniel-san
Frequent Advisor

Re: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.

OK so assuming that even though it says that it's a failed *console* login, and nothing is connected to the console, and when there are failed access attempts via the network, it says that it's a failed *network* login (it shows an IP address rather than saying console), how *would* we poll the Nimble? 

the community string on the Nimble matches the read community string on the software that we use to montor all IP-connected systems internally.  this same software has been monitoring the same Nimble unit without errors for about 2 years.  Then suddenly after an OS upgrade, it starts giving these alerts claiming there is a failed *console* login.

Is there no other way to control management software that *is* allowed to poll the device than the SNMP read string (which, BTW, still does not support ! in the string, which is a known bug from the 1.x days, which Nimble said would be corrected, but still has not been).

that all said, it seems like your suggestion on item 1 is the more logical culprit.  but what would cause it to happen 15 times, twice daily, repeatedly when the OS upgrade is a one-time event, which occurred days ago (not to mention that no previous upgrades have triggered this alert)?

Daniel-san
Frequent Advisor

Re: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.

we've also confirmed that we're seeing this with customer systems now as well as our own.

assuming that polling the device via SNMP is a supported feature, why would the device claim there is a bad login of ANY type when the credentials being used are correct, and we were able to poll the system prior to v2.3 upgrade?

And even if the credentials WERE bad (which they are not), why would the system generate an error about a CONSOLE login when nothing is even connected to the console and the logins are being done via IP (which generates an alert about the IP i/f when there really is a bad access attempt)?

chris24
Respected Contributor
Solution

Re: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.

Hello,

If you raise a case with support they will be able to tell you exactly why these are being generated.

The source will be on your network, the reference to 'Console' is miss-leading it's the SSH Daemon reporting.

Common sources are HP Systems Insight Manager, Spiceworks and other network scanning / pen testing apps.

Many thanks,

Chris

Daniel-san
Frequent Advisor

Re: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.

Good call Chris - it was HP SIM.  Likely a port 22 scan.  Would be nice if Nimble made the alert clearer (ie: rather than saying CONSOLE, if it says SSH).  Maybe they'll see the feature request.