Home
  •  

SSH Authentication Failure alert rule

Microsoft.Linux.RHEL.4.LogFile.Syslog.SSHAuth.PAM.Root.Failure.Alert (Rule)

Alert rule for detection of SSH Authentication failures.

Knowledge Base article:

Summary

An SSH authentication failure for the root account has been detected in the system log files.

Causes

A failure may be caused by a mistyped password or an attempt to use an invalid username. However, a persistent failure could be an indication that someone is attempting to gain unauthorized access.

Resolutions

The description of the alert and/or the output data item contains information on the problem encountered. If a failure occurs, check the associated event details and any other events that happened around the time of this failure to diagnose the problem.

Element properties:

TargetMicrosoft.Linux.RHEL.4.Computer
CategoryEventCollection
EnabledTrue
Alert GenerateTrue
Alert SeverityError
Alert PriorityNormal
RemotableTrue
Alert Message
SSH Authentication Failure detected
{0}

Member Modules:

ID Module Type TypeId RunAs 
EventDS DataSource Microsoft.Unix.SCXLog.Privileged.Datasource Default
GenerateAlert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.Linux.RHEL.4.LogFile.Syslog.SSHAuth.PAM.Root.Failure.Alert" Target="Microsoft.Linux.RHEL.4.Computer" Enabled="true" Remotable="true">

  <Category>EventCollection</Category>

  <DataSources>

    <!-- [TYPE] Redhat4 SshPassword False -->

    <!-- [INPUT] Oct 15 04:34:18 scxom64-rhel40-03 sshd[4797]: Failed password for root from ::ffff:127.0.0.1 port 32773 ssh2 -->

    <!-- [INPUT] Oct 15 04:35:16 scxom64-rhel40-03 sshd[4843]: Failed password for invalid user root from ::ffff:127.0.0.1 port 32774 ssh2 -->

    <!-- [INPUT-MISS] Oct 15 02:54:17 scxom64-rhel40-03 sshd[4208]: Failed password for nobody from ::ffff:172.30.181.72 port 60209 ssh2 -->

    <!-- [INPUT-MISS] Oct 15 04:33:53 scxom64-rhel40-03 sshd[4794]: Failed password for tst1 from ::ffff:127.0.0.1 port 32772 ssh2 -->

    <!-- [INPUT-MISS] Oct 15 04:36:03 scxom64-rhel40-03 sshd[4848]: Failed password for invalid user tst1 from ::ffff:127.0.0.1 port 32775 ssh2 -->

    <DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Privileged.Datasource">

      <Host>$Target/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$</Host>

      <LogFile>/var/log/secure</LogFile>

      <RegExpFilter>\s+sshd\[[[:digit:]]+\]: Failed password for (invalid user )?root from \S+</RegExpFilter>

      <IndividualAlerts>false</IndividualAlerts>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>2</Severity>

      <AlertMessageId>$MPElement[Name="Microsoft.Linux.RHEL.4.LogFile.Syslog.SSHAuth.PAM.Root.Failure.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue/>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>