HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
• The template generates alerts for ftp logins without the remote host IP address on
11i V1 unless the wu-ftp 2.6.1 patch is installed.
• The host address filtering provided by this template is vulnerable to IP spoofing.
• On IPv6-configured machines, alerts do not display the IP address.
Repeated Failed Logins Template
The vulnerability addressed by this template
An attacker can gain access to a system by repeatedly attempting to guess the password
of an account.
How this template addresses the vulnerability
The Repeated Failed Login template monitors for repeated failed attempts to log in to
the system. Specifically, this template monitors btmp on HP-UX 11i v1 and btmps on
HP-UX 11i v2 and HP-UX 11i v3 for a given number of failed login attempts within a
specified time span.
It monitors for the following events:
• Failed remote logins
• Failed ftp logins (for HP-UX 11i v2 and HP-UX 11i v3 only)
If an unusual number of failed attempts occurs, this template generates an alert.
How this template is configured
Table A-22 lists the configurable properties that this template supports.
Table A-22 Failed Logins Template Properties
Name               Type   Default Value
max_failed_login   VIII   2
fail_interval      VI     10 seconds
warning_interval   VI     30 seconds
priv_user_list     III    root ids
Properties
The configurable properties are listed as follows:
max_failed_login
The number of failed attempts to log in as the same user.
fail_interval
The time interval over which the failed login attempts must
occur to generate an alert.
warning_interval
The minimum time that must elapse before an identical failed
login alert is generated.
The default settings mean that more than two login failures
for a particular target user within 10 seconds cause an alert
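The following sketch is an added example, not code from HP-UX HIDS. It shows how max_failed_login, fail_interval and warning_interval interact at their default values. It assumes failed-login records are already available as (timestamp, user) pairs sorted by time, that the interval boundary is inclusive, and that an "identical" alert means one for the same target user.

```python
from collections import defaultdict, deque

# Defaults from Table A-22 (intervals in seconds).
MAX_FAILED_LOGIN = 2
FAIL_INTERVAL = 10
WARNING_INTERVAL = 30

def detect(records, max_failed=MAX_FAILED_LOGIN,
           fail_interval=FAIL_INTERVAL, warning_interval=WARNING_INTERVAL):
    """Return [(timestamp, user, failures_in_window)] for each alert raised.

    records: (timestamp, user) failed-login events, sorted by timestamp.
    """
    recent = defaultdict(deque)   # per-user timestamps inside the window
    last_alert = {}               # per-user time of the last alert raised
    alerts = []
    for ts, user in records:
        window = recent[user]
        window.append(ts)
        # Drop failures older than fail_interval (boundary inclusive: assumption).
        while ts - window[0] > fail_interval:
            window.popleft()
        if len(window) <= max_failed:
            continue              # "more than" max_failed_login is required
        # Suppress an identical alert until warning_interval has elapsed.
        if user in last_alert and ts - last_alert[user] < warning_interval:
            continue
        alerts.append((ts, user, len(window)))
        last_alert[user] = ts
    return alerts

# Constructed sample events (not real log data).
SAMPLE = [
    (0, "root"), (1, "alice"), (3, "root"),
    (7, "root"),               # 3rd root failure within 10 s: alert
    (9, "root"),               # 4th failure, inside warning_interval: suppressed
    (20, "alice"),             # alice failures are too far apart
    (40, "root"), (42, "root"),
    (45, "root"),              # new burst, 38 s after the last alert: alert
    (50, "bob"), (55, "bob"),
    (61, "bob"),               # 11 s after the first bob failure: no alert
]

if __name__ == "__main__":
    for ts, user, count in detect(SAMPLE):
        print(f"t={ts}s user={user} failures_in_window={count}")
```

Failures spaced just over fail_interval apart, such as the bob events, never raise an alert under these settings.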