Host Intrusion Detection System Administrator's Guide Release 3.1

Appendix A: Templates and Alerts (page 177)
Repeated Failed Logins Template
The vulnerability addressed by this template
An attacker can gain access to a system by repeatedly attempting to guess the password
of an account.
How this template addresses the vulnerability
The Failed Login template monitors for repeated failed attempts to log in to the system.
Specifically, this template monitors btmp on 11i v1 and btmps on 11i v2 for a given
number of failed login attempts within a specified time span.
It monitors for the following events:
Failed remote logins
Failed ftp logins (starting with HP-UX 11i v2 only)
If an unusual number of failed attempts occur, this template generates an alert.
How this template is configured
Table A-22 lists the configurable properties that this template supports.
Properties
Brief descriptions of the configurable properties are listed below:
Property: max_failed_login
The number of failed attempts to log in as the same user.
Property: fail_interval
The time interval over which the failed login attempts must occur to generate an
alert.
Property: warning_interval
The minimum time that must elapse before an identical failed login alert is
generated.
The default settings mean that more than two login failures for a particular target user
within 10 seconds cause an alert to be generated, and duplicate alerts that occur within
30 seconds are not reported. It is not an uncommon occurrence for a user to mistype a
password when attempting to log in. By modifying the values, you can customize this
template to local user behavior.
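The interaction of the three properties can be modelled as a per-user sliding window with alert suppression. The following is an added example, not HP's code or part of the original guide. It assumes the failed-login records have already been parsed from btmp/btmps into (timestamp, target user) pairs, that a failure exactly fail_interval seconds old no longer counts, and the function and variable names are hypothetical.

```python
from collections import defaultdict, deque

# Defaults from Table A-22.
MAX_FAILED_LOGIN = 2    # alert when failures for one user exceed this count
FAIL_INTERVAL = 10      # seconds: window in which the failures must fall
WARNING_INTERVAL = 30   # seconds: identical alerts inside this gap are dropped


def detect(events, max_failed=MAX_FAILED_LOGIN,
           fail_interval=FAIL_INTERVAL, warning_interval=WARNING_INTERVAL):
    """Return [(timestamp, user, failures_in_window)] for each alert raised.

    events: iterable of (timestamp_seconds, target_user), sorted by time.
    Assumption: window and suppression boundaries are exclusive/inclusive
    as coded here; the guide does not specify them.
    """
    recent = defaultdict(deque)   # user -> failure times still inside the window
    last_alert = {}               # user -> time of the last alert reported
    alerts = []
    for ts, user in events:
        window = recent[user]
        window.append(ts)
        # Drop failures that have aged out of the fail_interval window.
        while window and ts - window[0] >= fail_interval:
            window.popleft()
        if len(window) <= max_failed:
            continue
        # Threshold exceeded: report unless an identical alert is too recent.
        previous = last_alert.get(user)
        if previous is None or ts - previous >= warning_interval:
            alerts.append((ts, user, len(window)))
            last_alert[user] = ts
    return alerts


# Constructed sample: (seconds since start, target user) of failed logins.
SAMPLE = [
    (0, "alice"), (40, "alice"),                  # two isolated typos
    (100, "root"), (103, "root"), (106, "root"),  # 3 failures in 6 s
    (108, "root"), (112, "root"),                 # burst continues
    (137, "root"), (139, "root"), (141, "root"),  # second burst, 35 s later
    (200, "bob"), (206, "bob"), (212, "bob"),     # 3 failures spread over 12 s
]

if __name__ == "__main__":
    for ts, user, count in detect(SAMPLE):
        print(f"t={ts:>3}s  user={user}  failures_in_window={count}")
```

Replaying a day of real failed-login timestamps through the same function with candidate values is a quick way to see how many alerts a given setting would have produced before changing the template.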
Alerts generated by this template
See “Failed Login Attempts” on page 178 for more information about the alerts
generated by this template.
Table A-22 Failed Logins Template Properties

Name              Type  Default Value
max_failed_login  VIII  2
fail_interval     VI    10 seconds
warning_interval  VI    30 seconds