03-10-2014 06:56 AM
Looking for ways to stop the root account from being disabled by security scans and/or actual attempts to gain access. Would like to use something like DenyHosts on Linux, where you can terminate a session after two attempts prior to the root account being disabled.
Not good to have the root account in a disabled state due to a failed attempt by an outside source. Makes far more sense to not allow something to do this to your server and stop it before it happens. Then report it out so you can research and determine who/what/why is attempting to log in as the root account. Right now the focus is on an audit scan which is attempting to log in as root and disabling the account each time. Rather than fix the "scan", it's really telling us we have an architectural design that is flawed, where as a "bad guy" I could disable your root account just by trying and maybe cause some havoc with your environment by just getting root disabled.
Like a global solution that stops the attempt after two tries, logs the information and reports it out.
Any ideas? Thanks
03-10-2014 09:04 AM
I haven't verified this with HP-UX 11.31, but on older HP-UX versions at least, root has a special extra permission to log in _on the system console_ even if the root account is otherwise disabled.
And I think you're holding the wrong end of the stick: if you want to block invalid login attempts at the network level, whatever mechanism checks the validity of the login attempt must be made to feed the salient details _to IPFilter_, because IPFilter is not in the business of checking users' passwords/SSH keys/whatever. If you try to make IPFilter do the checking, then IPFilter must effectively become another copy of the thing you are trying to protect with IPFilter in the first place.
In my opinion, if a Joe Random Hacker from anywhere in the Internet can just start making root login attempts on your HP-UX server (which is probably doing something critical to your business), you're doing something wrong. The admin access to at least most of your servers should be behind a VPN or a locked-down gateway server (or two, for redundancy) which is configured so that it's able to take the pounding of the savages.
If you're talking about attacks by someone already within your own network... then the attacker is probably someone with inside knowledge, not just a generic "bad guy". But then, if you can locate the attacker, you may have other means of enforcement available: for example, you might have the security guards at your site catch the attacker and physically disconnect him/her from the network.
03-10-2014 01:55 PM
You are correct about console access and we have the account restricted for direct logins for that already.
Basically, if you're familiar with "Linux" environments, there is a "denyhosts" application that you can configure so that any incoming connection requests for the "root" account can be disabled after two attempts, logged, and the information forwarded out to alert team members.
With HP-UX I'm hoping they would have something similar, either with IPFilter/HIDS or some concoction, so that a process and/or person (within our network, as you mention) can't disable the root account simply by attempting to log in through ssh (Telnet disabled, of course).
Our auditors questioned this and why we allow it to happen when their security trace, after three unsuccessful attempts, disabled root. It's a good question. Rather than adjust a trace to not "try" to connect as the root account, we should be implementing something that stops it in its tracks after, say, two attempts and reports it out with details (IP/DATE/Session information).
I'll keep digging though and thanks for the reply. =)
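The detection half of what this thread asks for (count failed root logins per source address, raise an alert with IP/date/session details at the second attempt, i.e. before a three-strike lockout would trigger) is shown below as an added Python example. It is not code from the thread, from DenyHosts or from HP-UX. It assumes sshd writes the common OpenSSH "Failed password for ... from ... port ..." syslog line; the log lines, hostname and addresses are constructed for the example, and the IPFilter rule text is only produced for an administrator to review, not loaded anywhere.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the OpenSSH "Failed password" format.
# Host, PIDs, addresses and times are made up for this example.
SAMPLE_LOG = """\
Mar 10 06:50:01 hpux01 sshd[1234]: Failed password for root from 10.1.2.3 port 50111 ssh2
Mar 10 06:50:04 hpux01 sshd[1234]: Failed password for root from 10.1.2.3 port 50112 ssh2
Mar 10 06:50:07 hpux01 sshd[1234]: Failed password for root from 10.1.2.3 port 50113 ssh2
Mar 10 06:51:00 hpux01 sshd[1240]: Failed password for jdoe from 10.1.2.9 port 50200 ssh2
Mar 10 06:51:30 hpux01 sshd[1241]: Accepted publickey for jdoe from 10.1.2.9 port 50201 ssh2
Mar 10 06:52:30 hpux01 sshd[1250]: Failed password for root from 192.0.2.44 port 40001 ssh2
"""

# Timestamp, host, sshd PID, user, source IP and source port of a failed login.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_failures(log_text):
    """Yield one dict per 'Failed password' line; every other line is ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield m.groupdict()


def root_failures_by_ip(log_text):
    """Count failed root logins per source address (other accounts are not counted)."""
    counts = defaultdict(int)
    for ev in parse_failures(log_text):
        if ev["user"] == "root":
            counts[ev["ip"]] += 1
    return dict(counts)


def root_attempt_alerts(log_text, threshold=2):
    """Return one alert per source IP whose failed root attempts reach `threshold`.

    The alert is raised on the attempt that crosses the threshold, so with the
    default of 2 it fires before a third failure could disable the account.
    Each alert keeps the details the thread asks for: IP, first/last timestamp,
    host, sshd PID and source port of the triggering session.
    """
    counts = defaultdict(int)
    first_seen = {}
    alerts = []
    for ev in parse_failures(log_text):
        if ev["user"] != "root":
            continue
        ip = ev["ip"]
        counts[ip] += 1
        first_seen.setdefault(ip, ev["ts"])
        if counts[ip] == threshold:          # fire exactly once per IP
            alerts.append({
                "ip": ip,
                "attempts": counts[ip],
                "first_seen": first_seen[ip],
                "last_seen": ev["ts"],
                "host": ev["host"],
                "pid": ev["pid"],
                "port": ev["port"],
            })
    return alerts


def ipf_block_rule(ip):
    """Return an IPFilter rule (ipf.conf syntax) blocking SSH from `ip`.

    Produced as text for review only; loading it is an operator decision.
    """
    return f"block in quick proto tcp from {ip}/32 to any port = 22"


if __name__ == "__main__":
    for alert in root_attempt_alerts(SAMPLE_LOG):
        print("ALERT root login attempts:", alert)
        print("  suggested rule:", ipf_block_rule(alert["ip"]))
```

With the sample data only 10.1.2.3 reaches the two-attempt threshold; 192.0.2.44 has a single failure and is counted but not alerted, and the jdoe lines are ignored entirely. The alert records carry the session details (IP, timestamps, PID, port) that could be forwarded to the team, and the generated rule shows the shape of the "feed the details to IPFilter" approach described in the second reply.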