Skip to main content
NetApp Knowledge Base

Are invalid/unknown user login attempts via SSH recorded?

Views:
2,841
Visibility:
Public
Votes:
1
Category:
ontap-9
Specialty:
core
Last Updated:

Applies to

  • ONTAP 9
  • SSH
  • Event Management System (EMS)

Answer

  • Invalid/unknown user attempts are logged in EMS  :
Message Name: sshd.auth.loginDenied
Severity: NOTICE
Description: This event is issued when sshd refuses a login attempt due to authentication failure.
Corrective Action: Use a valid username/password combination to login.
 
Example:
Thu Aug 4 18:05:09 +0300 [cluster1-01: sshd: sshd.auth.loginDenied:notice]: params: {'message': 'Failed keyboard-interactive / pam for invalid user user123 from 10.x.y.4 port 61582 ssh2 '}
 
Message Name: sshd.loginGraceTime.expired
Severity: ERROR
Description: This message occurs when a user tries to establish a Secure Shell (SSH) connection to a storage system and does not provide the password within the allotted timeout period. Many such connection attempts could potentially disallow other users from logging in to the storage system, causing a Denial of Service (DOS) attack.
Corrective Action: If the remote host is retrying the SSH connection repeatedly, block the remote host by adding its IP address to the deny list using the "firewall policy" command.
 
Example:
09/23/2020 11:41:51 cluster1-01 ERROR sshd.loginGraceTime.expired: Timeout before password authentication for remote host 10.x.y.7
 
  • Additionally, the “illegal user” authentication failures can be found in the Messages.log:
    • Fri Oct 16 08:18:35 2020 cluster1-01 [auth_sshd:error:45682] error: PAM: authentication error for illegal user test from 10.2.3.4

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.