NetApp Knowledge Base

Are invalid/unknown user login attempts via SSH recorded?

Category:
ontap-9
Specialty:
core

Applies to

  • ONTAP 9.x
  • SSH
  • Event Management System (EMS)

Answer

  • Invalid/unknown user attempts are logged in EMS:
Message Name: sshd.auth.loginDenied
Severity: NOTICE
Description: This event is issued when sshd refuses a login attempt due to authentication failure.
Corrective Action: Use a valid username/password combination to login.
 
Example:
Thu Aug 4 18:05:09 +0300 [cluster1-01: sshd: sshd.auth.loginDenied:notice]: params: {'message': 'Failed keyboard-interactive / pam for invalid user user123 from 10.x.y.4 port 61582 ssh2 '}
 
Message Name: sshd.loginGraceTime.expired
Severity: ERROR
Description: This message occurs when a user tries to establish a Secure Shell (SSH) connection to a storage system and does not provide the password within the allotted timeout period. Many such connection attempts could potentially disallow other users from logging in to the storage system, causing a Denial of Service (DOS) attack.
Corrective Action: If the remote host is retrying the SSH connection repeatedly, block the remote host by adding its IP address to the deny list using the "firewall policy" command.
 
Example:
09/23/2020 11:41:51 cluster1-01 ERROR sshd.loginGraceTime.expired: Timeout before password authentication for remote host 10.x.y.7
 
  • Additionally, the “illegal user” authentication failures can be found in the Messages.log:
Fri Oct 16 08:18:35 2020 cluster1-01 [auth_sshd:error:45682] error: PAM: authentication error for illegal user test from 10.2.3.4

 
