HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
Table A-23 Failed Login Attempts Alert Properties (continued)
| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[9] | Event | String | Failed login | The event that triggered the alert. |
| argv[10] | Flag | Integer | 1 | Indicates a failed login alert versus a failed su alert |
| argv[11] | User | String | <username> | Target login name that a user was attempting to log in as |
| argv[12] | Device | String | <pty device name> | Name of pty device associated with failed login attempt |
| argv[13] | Hostname | String | <remote hostname> | Name of remote host from which login was attempted |
| argv[14] | IP Address | String | <A.B.C.D> for IPv4 addresses; A:B:C:D:... for IPv6 addresses | IP address of remote host from which login was attempted |

NOTE: Although HIDS is not supported on IPv6-only enabled systems, the failed login templates can recognize and display the following types of addresses in the alerts:
• IPv4 address
• IPv4 address-mapped-IPv6 address
• IPv6 address
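The following POSIX shell sketch of a response program is an added example, not code from the HP guide. It reads argv[9] through argv[14] as listed in the table, cleans the fields that come from the login attempt before logging them, and unwraps an IPv4-mapped IPv6 address. The function names and the log-line format are assumptions, and argv[1] through argv[8], which this part of the table does not cover, are ignored.

```shell
#!/bin/sh
# Added example: consume the failed-login alert fields argv[9]..argv[14].
# argv[1]..argv[8] are outside this part of the table and are ignored here.

# User, device and hostname originate from the login attempt, so treat them
# as untrusted: drop control characters and double quotes before logging.
clean() {
    printf '%s' "$1" | tr -d '\000-\037\177"'
}

# Classify argv[14]; an IPv4-mapped IPv6 address (::ffff:A.B.C.D) is unwrapped.
# Prints "<kind> <address>".
classify_ip() {
    addr=$(clean "$1")
    case "$addr" in
        ::[fF][fF][fF][fF]:*.*.*.*) printf 'ipv4-mapped %s\n' "${addr#::????:}" ;;
        *:*)     printf 'ipv6 %s\n' "$addr" ;;
        *.*.*.*) printf 'ipv4 %s\n' "$addr" ;;
        *)       printf 'unknown %s\n' "$addr" ;;
    esac
}

# Takes the response program's full argument list and prints one log line.
# Returns 1 with no output for anything that is not a failed-login alert.
format_failed_login() {
    [ "$#" -ge 14 ] || return 1
    [ "$9" = "Failed login" ] || return 1   # argv[9]: Event
    [ "${10}" = "1" ] || return 1           # argv[10]: 1 = failed login alert
    ipinfo=$(classify_ip "${14}")
    printf 'event="%s" user="%s" tty="%s" host="%s" kind="%s" src="%s"\n' \
        "$(clean "$9")" "$(clean "${11}")" "$(clean "${12}")" \
        "$(clean "${13}")" "${ipinfo%% *}" "${ipinfo#* }"
}

# Entry point: write the line to stdout; the caller decides where it goes.
format_failed_login "$@" || :
```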
Limitations
The Repeated Failed Logins template has the following limitations:
• The template only detects failed logins that are logged to btmp.
— The template does not detect failed secure ftp (sftp) logins because the ssh
daemon logs failed sftp logins using syslog(3C) instead of logging them to btmp
on HP-UX 11i v1 and btmps on HP-UX 11i v2 and HP-UX 11i v3.
— The template does not detect failed secure shell (ssh) logins by ssh daemons
that do not log failed ssh logins to btmp on HP-UX 11i v1 and btmp(s) on
HP-UX 11i v2 and HP-UX 11i v3. To enable Secure Shell to log failed logins