IBM Support

Determining the source IP address of failed login attempts to the Security Network IPS

Question & Answer


Question

Where can you find the source IP address information for failed SSH and Local Management Interface (LMI) logins to the IBM Security Network IPS (GX) appliance?

Answer

Failed login messages are recorded based on the settings in the Accounts and Passwords policy of the Network IPS. If you would like more information on configuring these settings, see the online documentation for this policy. The GX appliance records all login attempts in the System Log. The System Log can be accessed through the Local Management Interface (LMI) with the following steps:
  1. Open the LMI and go to Review Analysis and Diagnostics > Logs > System Logs.
  2. Use the System Logs Filter option and enter Filter Criteria if you want to search for a specific time range or text.

Depending on whether the access was via SSH or the LMI, one of two types of log entry is recorded. Each is described below:

Failed login attempt via SSH session:

The System Log will show an entry similar to the following:

sshd[pid#]: pam_unix_auth(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip_address user=username

The rhost field shows the IP address of the remote system that failed to log in.

Failed login attempt via LMI session:

The System Log will show an entry similar to the following:

sshd[pid#]: pam_unix_auth(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip_address user=username

The message above will only provide a username, not an IP address. In order to locate the IP address, you must access the GX appliance via SSH and open the /cache/log/apache2/access_log_lmi file with a text editor. When a user attempts to log in to the LMI and fails, a message similar to the one below will appear in that file:

applianceName:443 ip_address - - [06/Aug/2015:11:31:04 -0400] "GET / HTTP/1.1" 401

The ip_address field will provide the remote host that attempted to log in.
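As an added example (not code from the IBM page), the following Python script parses both record formats described above, the PAM `sshd` failure line from the System Log and the HTTP 401 line from `access_log_lmi`, and tallies failed attempts per source IP so that repeated failures from one host stand out. The log lines, host names and addresses are constructed samples.

```python
import re
from collections import Counter

# sshd PAM failure as written to the System Log; the rhost= field carries the source IP
SSH_FAIL = re.compile(
    r"sshd\[\d+\]: pam_unix_auth\(sshd:auth\): authentication failure;.*?"
    r"rhost=(?P<ip>\S+)\s+user=(?P<user>\S*)"
)
# access_log_lmi format: "<appliance>:443 <client ip> - - [timestamp] \"request\" <status>"
LMI_LINE = re.compile(
    r"^\S+:\d+\s+(?P<ip>\S+)\s+\S+\s+\S+\s+\[(?P<ts>[^\]]+)\]\s+"
    r"\"(?P<req>[^\"]*)\"\s+(?P<status>\d{3})"
)

def failed_ssh_logins(lines):
    """Return (source_ip, username) for every PAM authentication-failure line."""
    hits = []
    for line in lines:
        m = SSH_FAIL.search(line)
        if m:
            hits.append((m.group("ip"), m.group("user")))
    return hits

def failed_lmi_logins(lines):
    """Return (source_ip, timestamp) for every access_log_lmi line answered with HTTP 401."""
    hits = []
    for line in lines:
        m = LMI_LINE.match(line)
        if m and m.group("status") == "401":
            hits.append((m.group("ip"), m.group("ts")))
    return hits

def failures_by_ip(system_log, lmi_log):
    """Combine both sources into a per-IP count of failed SSH and LMI logins."""
    counts = Counter(ip for ip, _ in failed_ssh_logins(system_log))
    counts.update(ip for ip, _ in failed_lmi_logins(lmi_log))
    return dict(counts)

# Constructed sample data (documentation-range addresses, placeholder names)
SYSTEM_LOG = [
    "sshd[4321]: pam_unix_auth(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=admin",
    "sshd[4323]: pam_unix_auth(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root",
    "constructed unrelated System Log line that must be ignored",
]
LMI_LOG = [
    'gx-appliance:443 192.0.2.10 - - [06/Aug/2015:11:31:04 -0400] "GET / HTTP/1.1" 401',
    'gx-appliance:443 203.0.113.5 - - [06/Aug/2015:11:32:10 -0400] "GET / HTTP/1.1" 200',
    'gx-appliance:443 203.0.113.5 - - [06/Aug/2015:11:33:41 -0400] "GET / HTTP/1.1" 401',
]
```

On the appliance the same parser can be pointed at the exported System Log and at /cache/log/apache2/access_log_lmi; a successful LMI login (status 200) is deliberately not counted.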


Document Information

Modified date: 21 March 2022

UID: swg21964016