VanDyke Software Forums > Secure Shell
#1  06-21-2017, 11:18 AM
ChuckS@CAM-Ohio (Registered User)
Configuring root login attempts for AuthFailed trigger

Hello,

We are currently using VShell Version: 4.2.2 (build 1121) and are quite pleased with its features and capabilities.

We currently block root login access using the configuration file directive:
DenyRoot true
We know this is working because we are seeing entries like this in the log files:
20161120 101942 VShell%20SSH2 auth 547 root 0 0 0 0 00547 Root login refused from 204.16.31.32

We want to continue blocking root logins and also:
  1. Use the DenyHostAfterFailure feature to add the offending IP address to the DenyHostsFile.
  2. Have root login attempts trigger the AuthFailed event.

What changes in the configuration file are required?

Thanks!
Chuck
#2  06-21-2017, 11:40 AM
ekoranyi (VanDyke Technical Support)
Hi ChuckS@CAM-Ohio,

I'm glad to hear that VShell is working well for you.

What Operating System are you running VShell on? It looks like Linux, is that the case?

Are you wanting to add only root login attempts to the Deny Hosts file or everyone over a set threshold of authentication attempts?
Thanks,
--Eric

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
#3  06-21-2017, 12:24 PM
ChuckS@CAM-Ohio (Registered User)
Re: Configuring root login attempts for AuthFailed trigger

Hello, ekoranyi.

Yes, we are on a RHEL server.

We would want everyone with failed attempts above a threshold added to the DenyHostsFile, including the root login attempts.

Chuck
#4  06-21-2017, 02:38 PM
ekoranyi (VanDyke Technical Support)
Hi ChuckS@CAM-Ohio,

To enable Deny Hosts you will want to uncomment and configure the following lines in your vshelld_config file.

DenyHostAfterFailure true
DenyHostsFile /path/to/denyhosts.txt
DenyHostAfterFailureCount 3

There will be a limitation in that using DenyRoot true blocks any attempt to use the root username before it reaches authentication. This means that attempts using root don't fail authentication because they never get the chance.

We may be able to get you the behavior you desire by setting DenyRoot false and adding root to the Deny Users list. What would you like to have happen when someone attempts to log in as root? What action would you like to trigger?
Thanks,
--Eric
#5  06-21-2017, 04:37 PM
ChuckS@CAM-Ohio (Registered User)
Re: Configuring root login attempts for AuthFailed trigger

"We may be able to get you the behavior you desire by setting DenyRoot false and adding root to the Deny Users list. What would you like to have happen when someone attempts to log in as root? What action would you like to trigger?"

We would like to:
  1. Continue blocking 'root' logins, and will do so by changing the following vshelld_config settings:
    AccessControl {
      Login {
        AllowUsers{*}
        DenyUsers{ root }
      }
      ...
    }

    DenyRoot false
  2. Continue having failed user login attempts, now including 'root', generate a FailedAuthCommand-triggered event via this trigger:
    #FailedAuthCommand
    FailedAuthCommand /bin/su app_user -c "/usr/local/bin/vshell-trigger FailedLogin $U $D $T $S $I"
  3. Have failed login attempts automatically block IP addresses, by adding the following:
    DenyHostAfterFailure true
    DenyHostsFile /our/path/to/denyhosts.txt
    DenyHostAfterFailureCount 3
Will those changes work for what we need?

Thanks again!
Chuck

#6  06-21-2017, 05:29 PM
ekoranyi (VanDyke Technical Support)
Hi ChuckS@CAM-Ohio,

One issue we will run into is a failed auth trigger won't be tripped until the number of attempts exceeds what is set in the MaximumAuthenticationRetries.
If root is denied by any method the user can never get more than "1" authentication attempt.

We could set MaximumAuthenticationRetries to 1 to include root attempts, but this may negatively impact legitimate users who mistype a password.

One option may be to craft a script that, on every authentication failure, checks to see if the user was root; if so, it adds that IP to the deny host file, and if not, it does nothing. This would allow Deny Hosts to work as intended, adding an IP after 3 failed authentication attempts for normal users, but adding the IP for any connection attempting to use root after the first attempt.

What does your current Failed Login script do when it's fired?
Thanks,
--Eric
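The per-failure script Eric describes above, written out as an added example (it is not VanDyke's code and not the poster's existing vshell-trigger script). It assumes the FailedAuthCommand trigger passes the username as the first argument and the client IP as the second; the actual meaning and order of the $U $D $T $S $I variables must be confirmed against the VShell documentation before use.

```shell
#!/bin/sh
# Added example: FailedAuthCommand handler that puts root attempts into the
# DenyHostsFile on the first failure and leaves every other user to the normal
# DenyHostAfterFailureCount threshold, as suggested in post #6.
# ASSUMPTION: invoked as  handler.sh USERNAME CLIENT_IP  (mapping of $U/$I
# to these positions is assumed, not taken from VShell documentation).

DENYHOSTS="${DENYHOSTS:-/our/path/to/denyhosts.txt}"   # path from the thread

# Usernames that should be blocked after a single failed attempt.
is_denied_user() {
    case "$1" in
        root) return 0 ;;
        *)    return 1 ;;
    esac
}

# Accept only a dotted-quad IPv4 address so that a malformed value handed to
# the trigger can never write junk into the deny list.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# deny_host IP FILE: append IP to FILE once. Prints: added | present | skipped
deny_host() {
    dh_ip=$1; dh_file=$2
    if ! valid_ipv4 "$dh_ip"; then
        echo skipped
        return 1
    fi
    if grep -qxF "$dh_ip" "$dh_file" 2>/dev/null; then
        echo present          # already blocked; do not duplicate the entry
        return 0
    fi
    echo "$dh_ip" >> "$dh_file" && echo added
}

# handle_failure USER IP FILE: prints added | present | skipped | ignored
handle_failure() {
    if is_denied_user "$1"; then
        deny_host "$2" "$3"
    else
        echo ignored          # normal user: DenyHostAfterFailureCount applies
    fi
}

# Act only when the trigger supplies arguments; sourcing the file is side-effect free.
if [ "$#" -ge 2 ]; then
    handle_failure "$1" "$2" "$DENYHOSTS"
fi
```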
Tags: authfailed, configuration, denyhostafterfailure, logs, root access