Welcome to the VanDyke Software Forums

Join the discussion today!


Go Back   VanDyke Software Forums > Secure Shell

Reply
 
Thread Tools Display Modes
  #1  
Old 06-21-2017, 11:18 AM
ChuckS@CAM-Ohio's Avatar
ChuckS@CAM-Ohio ChuckS@CAM-Ohio is offline
Registered User
 
Join Date: Jun 2017
Location: Ohio, USA
Posts: 6
Question Configuring root login attempts for AuthFailed trigger

Hello,

We are currently using VShell Version: 4.2.2 (build 1121) and are quite pleased with it's features and capabilities.

We currently block root login access using the configuration file directive:
DenyRoot true
We know this is working because we are seeing entries like this in the log files:
20161120 101942 VShell%20SSH2 auth 547 root 0 0 0 0 00547 Root login refused from 204.16.31.32

We want to continue blocking root logins and also:
  1. Use the DenyHostAfterFailure feature to add the offending IP address to the DenyHostsFile.
  2. Have root login attempts trigger the AuthFailed event.

What changes in the configuration file are required?

Thanks!
Chuck
Reply With Quote
  #2  
Old 06-21-2017, 11:40 AM
ekoranyi ekoranyi is offline
VanDyke Technical Support
 
Join Date: Jan 2017
Posts: 644
Hi ChuckS@CAM-Ohio,

I'm glad to hear that VShell is working well for you.

What Operating System are you running VShell on? It looks like Linux, is that the case?

Are you wanting to add only root login attempts to the Deny Hosts file or everyone over a set threshold of authentication attempts?
__________________
Thanks,
--Eric

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
Reply With Quote
  #3  
Old 06-21-2017, 12:24 PM
ChuckS@CAM-Ohio's Avatar
ChuckS@CAM-Ohio ChuckS@CAM-Ohio is offline
Registered User
 
Join Date: Jun 2017
Location: Ohio, USA
Posts: 6
Re: Configuring root login attempts for AuthFailed trigger

Hello, ekorany.

Yes, we are on a RHEL server.

We would want everyone with failed attempts above a threshold added to the DenyHostsFile, including the root login attempts.

Chuck
Reply With Quote
  #4  
Old 06-21-2017, 02:38 PM
ekoranyi ekoranyi is offline
VanDyke Technical Support
 
Join Date: Jan 2017
Posts: 644
Hi ChuckS@CAM-Ohio,

To enable Deny Hosts you will want to uncomment and configure the following lines from you vshelld_config file.

DenyHostAfterFailure true
DenyHostsFile /path/to/denyhosts.txt
DenyHostAfterFailureCount 3

There will be a limitation in that using DenyRoot true blocks any attempt to use the root username before it reaches authentication. This means that attempts using root don't fail authentication because they never get the chance.

We may be able to get you the behavior you desire by setting DenyRoot false and adding root to the Deny Users list. What would you like to have happen when someone attempts to log in as root. What action would you like to trigger?
__________________
Thanks,
--Eric

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
Reply With Quote
  #5  
Old 06-21-2017, 04:37 PM
ChuckS@CAM-Ohio's Avatar
ChuckS@CAM-Ohio ChuckS@CAM-Ohio is offline
Registered User
 
Join Date: Jun 2017
Location: Ohio, USA
Posts: 6
Re: Configuring root login attempts for AuthFailed trigger

"We may be able to get you the behavior you desire by setting DenyRoot false and adding root to the Deny Users list. What would you like to have happen when someone attempts to log in as root. What action would you like to trigger? "

We would like to:
  1. Continue blocking 'root' logins, and will do so by changing the following vshelld_config settings:
    AccessControl {
    Login {
    AllowUsers{*}
    DenyUsers{ root }
    }
    ...
    }

    DenyRoot false
  2. Continue having failed user login attempts, now including 'root', to generate FailedAuthCommand triggered event, by this trigger:
    #FailedAuthCommand
    FailedAuthCommand /bin/su app_user -c "/usr/local/bin/vshell-trigger FailedLogin $U $D $T $S $I"
  3. Failed login attempts to automatically block IP addresses, by adding the following:
    DenyHostAfterFailure true
    DenyHostsFile /our/path/to/denyhosts.txt
    DenyHostAfterFailureCount 3
Will those changes work for what we need?

Thanks again!
Chuck

Last edited by ChuckS@CAM-Ohio; 06-21-2017 at 04:43 PM.
Reply With Quote
  #6  
Old 06-21-2017, 05:29 PM
ekoranyi ekoranyi is offline
VanDyke Technical Support
 
Join Date: Jan 2017
Posts: 644
Hi ChuckS@CAM-Ohio,

One issue we will run into is a failed auth trigger won't be tripped until the number of attempts exceeds what is set in the MaximumAuthenticationRetries.
If root is denied by any method the user can never get more than "1" authentication attempt.

We could set MaximumAuthenticationRetries to 1 to include root attempts but this may negatively impact legitimate users who mis-type a password.

One option may be to craft a script that on every authentication failure checks to see if the user was root, if so add that IP to the deny host file and if not do nothing. This would allow Deny Hosts to work as intended adding an IP after 3 failed authentication attempts for normal users, but adding the IP for any connection attempting to use root after the first attempt.

What does your current Failed Login script do when it's fired?
__________________
Thanks,
--Eric

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
Reply With Quote
  #7  
Old 06-22-2017, 08:34 AM
ChuckS@CAM-Ohio's Avatar
ChuckS@CAM-Ohio ChuckS@CAM-Ohio is offline
Registered User
 
Join Date: Jun 2017
Location: Ohio, USA
Posts: 6
As you may have assumed, we have one large trigger-script, vshell-trigger for this example, which uses command-line arguments to determine specific functionality. You may have also noticed our trigger script runs with the security context of a special user account, 'app_user' for this example. This way any short-comings or exploits in the trigger script are localized to that user's context. A remote process connects to this account to perform automated file transfers. Therefore the script determines which actions are taken depending on the trigger type and user class - self, for the automated process; admins, for internal staff; users, for our external business partners.

Currently the FailedAuth call only writes to an application-specific log file, which is retrieved daily. Can you show us the vshelld_config settings required to achieve the scenario you mentioned, where the threshold effectively is 1 failed attempt for root and3 (or more) for other users?

Thanks
Chuck
Reply With Quote
  #8  
Old 06-22-2017, 12:16 PM
ekoranyi ekoranyi is offline
VanDyke Technical Support
 
Join Date: Jan 2017
Posts: 644
Hi ChuckS@CAM-Ohio,

During my configuration testing I noticed some adverse behavior that is preventing my suggested implementation. I've asked that our QA/DEV team review the issue. I'll be sure to respond in this thread when I have additional information on how to get the behavior you are looking for.
__________________
Thanks,
--Eric

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
Reply With Quote
  #9  
Old 01-29-2019, 02:04 PM
jdev's Avatar
jdev jdev is offline
VanDyke Technical Support
 
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 866
Hi Chuck,

Our development team has implemented a fix for the issue that was preventing you from configuring VShell to add an IP address to your DenyHosts file after a specific number of failed authentication attempts had been made.

If you would like access to a newer version of VShell for your RHEL machine that has this fix in place, would you please send an email to support@vandyke.com with a subject of: ATTN: Jake - Forum thread #12734. In your email, please let me know the email address associated with your VanDyke Software download account so that I can make the installer available to you.

--Jake
__________________
Jake Devenport
VanDyke Software
Technical Support
YouTube Channel: http://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: http://www.vandyke.com/support
Reply With Quote
Reply

Tags
authfailed , configuration , denyhostafterfailure , logs , root acess


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -6. The time now is 08:24 PM.