HPE Community
HPE Synergy
1819686 Members
3631 Online
109605 Solutions
New Discussion

Integrated Lights-Out detected more than 3 unauthorized login attempts

 
SOLVED
Go to solution
Syeather
Occasional Advisor

‎08-02-2024 08:37 AM - last edited on ‎08-06-2024 03:56 AM by

‎08-02-2024 08:37 AM - last edited on ‎08-06-2024 03:56 AM by

Integrated Lights-Out detected more than 3 unauthorized login attempts

We are getting tons of these messages in iLO Security Log on one of our Gen10 compute modules in Synergy 12000 frame.  The Event log is showing a massive amount of Browser logins/logouts: Frame Link Module.  I am assuming something is going on between the iLO/FLM communications, login failures etc., and is being flagged as Security Log events/Denial of Service.  I can't find a whole lot of information on this, so I am making some assumptions here.  Any ideas as to what's going on?  Posted snippet from Event Log IPv6 address X'd:.  This system was previously managed by a co-worker who recently left, and was only just reported to me the other day.  The logs/events appear to have been going on for up to a year that I could see.

956758
Browser logout: Frame Link Module - XXXX:XXXX:XXXX:XXXX:XXXX(DNS name not found). 07/30/2024 19:03:20 2 Security, Administration
956757
Browser login: Frame Link Module - XXXX:XXXX:XXXX:XXXX:XXXX(DNS name not found). 07/30/2024 19:03:20 2 Security, Administration
956756
Browser logout: Frame Link Module - XXXX:XXXX:XXXX:XXXX:XXXX(DNS name not found). 07/30/2024 19:02:18 2 Security, Administration
956755
Browser login: Frame Link Module - XXXX:XXXX:XXXX:XXXX:XXXX(DNS name not found). 07/30/2024 19:02:18 2 Security, Administration
956754
Browser logout: Frame Link Module - XXXX:XXXX:XXXX:XXXX:XXXX(DNS name not found). 07/30/2024 19:01:16 4 Security, Administration

0 Kudos
Reply
6 REPLIES 6
Syeather
Occasional Advisor

‎08-05-2024 09:05 AM - last edited on ‎09-16-2024 02:08 AM by

‎08-05-2024 09:05 AM - last edited on ‎09-16-2024 02:08 AM by

Re: Integrated Lights-Out detected more than 3 unauthorized login attempts

And an lots of these in the Security Log.  This is just a small snippet.

ID Severity Class Description Last Update Count Category
89 ⓘ Denial of Service iLO detected 3 unauthorized login attempts. 07/30/2024 18:18:02 1 Security, Administration
88 ⓘ Denial of Service iLO detected 3 unauthorized login attempts. 07/30/2024 18:15:34 1 Security, Administration
87 ⓘ Denial of Service iLO detected 3 unauthorized login attempts. 07/18/2024 23:59:18 1 Security, Administration
86 ⓘ Denial of Service iLO detected 3 unauthorized login attempts. 07/18/2024 23:56:51 1 Security, Administration
85 ⓘ Denial of Service iLO detected 3 unauthorized login attempts. 07/06/2024 07:22:27 1 Security, Administration

0 Kudos
Reply
thutchings
HPE Pro

‎08-05-2024 09:12 AM - last edited on ‎09-16-2024 02:08 AM by

‎08-05-2024 09:12 AM - last edited on ‎09-16-2024 02:08 AM by

Re: Integrated Lights-Out detected more than 3 unauthorized login attempts

Hello,

The original post is showing successful logins from the FLM's in the frame. Do you see unsuccessful login attempts to the iLO? If so, the log should show the source and type of connection (HTTP, SSH, etc.).


Regards



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
Syeather
Occasional Advisor

‎08-05-2024 10:13 AM - last edited on ‎09-16-2024 02:08 AM by

‎08-05-2024 10:13 AM - last edited on ‎09-16-2024 02:08 AM by

Re: Integrated Lights-Out detected more than 3 unauthorized login attempts

I will dig through the event logs in more detail, looking for unsuccessful attempts.  What was more concerning is the security log entries - 89 ⓘ Denial of Service iLO detected 3 unauthorized login attempts. 07/30/2024 18:18:02 1 Security, Administration, but I didn't really notice any event logs that said unsuccessful.  I just kind of guessed that maybe since there were so many of the FLM login/logouts, that maybe there were some attempts that had failed.  I will look this afternoon.

0 Kudos
Reply
Syeather
Occasional Advisor

‎08-05-2024 10:52 AM - last edited on ‎09-16-2024 02:08 AM by

‎08-05-2024 10:52 AM - last edited on ‎09-16-2024 02:08 AM by

Re: Integrated Lights-Out detected more than 3 unauthorized login attempts

I just checked and I do not see any unsuccessful login attempts in Event Log, although the Security Log shows a ton of the " ⓘ Denial of Service iLO detected 3 unauthorized login attempts. 07/30/2024 18:18:02 1 Security, Administration" entries.  Any ideas as to what is causing these?

0 Kudos
Reply
thutchings
HPE Pro

‎08-05-2024 11:19 AM - last edited on ‎09-16-2024 02:08 AM by

‎08-05-2024 11:19 AM - last edited on ‎09-16-2024 02:08 AM by

Solution

Re: Integrated Lights-Out detected more than 3 unauthorized login attempts

Hello,

If the source of the login failures is failing on the same source each time, then it may not list it for each failed attempt. You should see in the iLO event log events indicating the source of the login failure. They might be similar to these:

07/16/2024 06:59:39,63522: iLO Host Interface/RBSU login failure.
07/16/2024 06:59:39,63521: iLO detected more than 3 unauthorized login attempts.
07/16/2024 06:59:42,63521: iLO detected more than 3 unauthorized login attempts.
07/16/2024 06:59:48,63521: iLO detected more than 3 unauthorized login attempts.
07/16/2024 06:59:53,63521: iLO detected more than 3 unauthorized login attempts.
07/16/2024 06:59:53,63521: iLO detected more than 3 unauthorized login attempts.

The above is indicating a host interface/RBSU login failure, which generally indicates an issue logging in from the host OS. The error above is happening due to the iLO being in high security mode, while the tool within the OS (SUT) is attempting to get into the iLO. No username/password was ever supplied for the SUT, which is why the events are being logged. The source of the login failure in your environment may be different than what I pasted above.


Regards



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
Reply
Syeather
Occasional Advisor

‎08-05-2024 01:09 PM

‎08-05-2024 01:09 PM

Re: Integrated Lights-Out detected more than 3 unauthorized login attempts

Much appreciated. This lines up with my new direction/thinking that these are being caused by our Security team scanning equipment.  I've been told that they scan looking for anything "open" & wouldn't be providing a username/password.  This system is at a remote secure/dark site and a PITA to access & I'm not allowed to offload logs, or anything for that matter.  I will get into it again tomorrow and take another look, but I'm going to mark this post as an accepted solution

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.