Administrator's Guide
Templates and Alerts
Appendix A
173
Repeated Failed Logins Template
The vulnerability addressed by this template
An attacker can gain access to a system by repeatedly attempting to guess the password
of an account.
How this template addresses the vulnerability
The Failed Login template monitors for repeated failed attempts to log in to the system.
Specifically, this template monitors btmp on 11i and btmps on 11i v2 for a given number
of failed login attempts within a specified time span.
• Failed remote logins
• Failed ftp logins (starting with HP-UX 11i v2 only)
If an unusual number of failed attempts occurs, this template generates an alert.
How this template is configured
This template supports the following properties:
Properties
• Property: max_failed_login
The number of failed attempts to log in as the same user.
• Property: fail_interval
The time interval over which the failed login attempts must occur to generate an alert.
• Property: warning_interval
The minimum time that must elapse before an identical failed login alert is generated.
The default settings mean that more than two login failures for a particular target user
within 10 seconds will cause an alert to be generated, and duplicate alerts that occur
within 30 seconds will not be reported. It is not uncommon for a user to mistype a
password when attempting to log in. By modifying the values, this template can be
customized to local user behavior.
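The threshold, window and suppression behaviour described above, as an added Python example (not code from the product or from this guide). It assumes failed-login records have already been read into (timestamp, user) pairs; the function name, the constructed sample records, and treating both interval boundaries as inclusive are assumptions.

```python
from collections import defaultdict, deque


def detect_repeated_failures(events, max_failed_login=2, fail_interval=10,
                             warning_interval=30):
    """Return (timestamp, user, count) alerts for failed-login events.

    events: iterable of (epoch_seconds, target_user), sorted by time.
    An alert fires when MORE THAN max_failed_login failures for one user
    fall within fail_interval seconds. A further alert for the same user
    is suppressed until warning_interval seconds have elapsed since the
    last reported one.
    """
    recent = defaultdict(deque)   # user -> failure times inside the window
    last_alert = {}               # user -> time of the last reported alert
    alerts = []
    for ts, user in events:
        window = recent[user]
        window.append(ts)
        # Discard failures older than fail_interval (boundary is inclusive,
        # which is an assumption of this example).
        while ts - window[0] > fail_interval:
            window.popleft()
        if len(window) > max_failed_login:
            previous = last_alert.get(user)
            if previous is None or ts - previous >= warning_interval:
                alerts.append((ts, user, len(window)))
                last_alert[user] = ts
    return alerts


# Constructed sample records (not real btmp/btmps data).
SAMPLE_EVENTS = [
    (100, "alice"),                                # one typo: no alert
    (150, "bob"), (154, "bob"),                    # two failures: not "more than two"
    (200, "root"), (203, "root"), (206, "root"),   # third failure in 6s: alert
    (208, "root"), (215, "root"),                  # still over threshold, suppressed
    (236, "root"), (238, "root"), (240, "root"),   # new burst 34s later: alert
]

if __name__ == "__main__":
    for ts, user, count in detect_repeated_failures(SAMPLE_EVENTS):
        print(f"t={ts} user={user} failures_in_window={count}")
```

Replaying a day of real failure records through the function with candidate values shows how many alerts a setting would have produced before the template is changed.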
Alerts generated by this template
• “Failed Login Attempts” on page 174
Table A-22 Template Properties

Name              Type  Default Value
max_failed_login  VIII  2
fail_interval     VI    10s
warning_interval  VI    30s