NetApp Knowledge Base

Are invalid/unknown user login attempts via SSH recorded?

Applies to

  • ONTAP 9.x
  • SSH
  • Event Management System (EMS)

Answer

  • Invalid/unknown user attempts are logged in EMS:
Message Name: sshd.auth.loginDenied
Severity: NOTICE
Description: This event is issued when sshd refuses a login attempt due to authentication failure.
Corrective Action: Use a valid username/password combination to login.
 
Example:
Thu Aug 4 18:05:09 +0300 [cluster1-01: sshd: sshd.auth.loginDenied:notice]: params: {'message': 'Failed keyboard-interactive / pam for invalid user user123 from 10.x.y.4 port 61582 ssh2 '}
 
Message Name: sshd.loginGraceTime.expired
Severity: ERROR
Description: This message occurs when a user tries to establish a Secure Shell (SSH) connection to a storage system and does not provide the password within the allotted timeout period. Many such connection attempts could potentially disallow other users from logging in to the storage system, causing a Denial of Service (DOS) attack.
Corrective Action: If the remote host is retrying the SSH connection repeatedly, block the remote host by adding its IP address to the deny list using the "firewall policy" command.
 
Example:
09/23/2020 11:41:51 cluster1-01 ERROR sshd.loginGraceTime.expired: Timeout before password authentication for remote host 10.x.y.7
 
  • Additionally, the “illegal user” authentication failures can be found in the Messages.log:
Fri Oct 16 08:18:35 2020 cluster1-01 [auth_sshd:error:45682] error: PAM: authentication error for illegal user test from 10.2.3.4
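
Added example (not NetApp code): a parser for the three line formats shown above that tallies failed or timed-out SSH attempts per remote host, which is the information needed to decide whether a host should be blocked. The function names, the threshold of 3 and the last three sample lines are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# The username is chosen by the remote client, so it is matched greedily and
# the address is taken from the last " from <addr>" on the line.
PATTERNS = [
    ("loginDenied", re.compile(  # only the "invalid user" form is on the page
        r"sshd\.auth\.loginDenied.*? for (?P<invalid>invalid user )?"
        r"(?P<user>.*) from (?P<src>\S+) port \d+ ssh2")),
    ("loginGraceTime", re.compile(
        r"sshd\.loginGraceTime\.expired: .*remote host (?P<src>\S+)")),
    ("illegalUser", re.compile(
        r"\[auth_sshd:error:\d+\].* for illegal user (?P<user>.*) from (?P<src>\S+)\s*$")),
]

def parse_line(line):
    """Return event, source, user and unknown-user flag, or None."""
    for event, rx in PATTERNS:
        m = rx.search(line)
        if m:
            g = m.groupdict()
            unknown = event == "illegalUser" or bool(g.get("invalid"))
            return {"event": event, "src": g["src"], "user": g.get("user"), "unknown_user": unknown}
    return None

def summarize(lines):
    """Group failures by source: event count and usernames tried."""
    out = defaultdict(lambda: {"events": 0, "users": set()})
    for rec in filter(None, map(parse_line, lines)):
        out[rec["src"]]["events"] += 1
        if rec["user"] is not None:
            out[rec["src"]]["users"].add(rec["user"])
    return dict(out)

def noisy_sources(lines, threshold=3):
    """Sources with at least `threshold` failed or timed-out attempts."""
    return sorted(s for s, v in summarize(lines).items() if v["events"] >= threshold)

DENIED = ("Thu Aug 4 18:05:09 +0300 [cluster1-01: sshd: sshd.auth.loginDenied:notice]: params: "
          "{'message': 'Failed keyboard-interactive / pam for invalid user %s ssh2 '}")
GRACE = ("09/23/2020 11:41:51 cluster1-01 ERROR sshd.loginGraceTime.expired: "
         "Timeout before password authentication for remote host %s")
SAMPLE = [  # first three: the article's lines; last three: constructed
    DENIED % "user123 from 10.x.y.4 port 61582", GRACE % "10.x.y.7",
    "Fri Oct 16 08:18:35 2020 cluster1-01 [auth_sshd:error:45682] error: "
    "PAM: authentication error for illegal user test from 10.2.3.4",
    DENIED % "admin2 from 198.51.100.9 port 40001", GRACE % "198.51.100.9",
    DENIED % "root from 192.0.2.1 port 22 ssh2 from 198.51.100.9 port 40002",
]
print(noisy_sources(SAMPLE))  # ['198.51.100.9']
```

The last constructed line carries a username that itself contains " from <addr> port <n> ssh2"; the greedy match keeps that text in the user field and reports the real connecting address.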