1 Introduction
This instruction concerns alarm handling.
1.1 Alarm Description
The alarm is issued when the authentication failure limit is reached for the Administrator account. A password cracking attack is suspected.
The possible alarm causes and the corresponding fault reasons, fault locations, and impacts are described in Table 1.
| Alarm Cause | Description | Fault Reason | Fault Location | Impact |
|---|---|---|---|---|
| Several consecutive failed logon attempts for the Administrator account. | The number of failed logon attempts on the Administrator account exceeds the threshold passwordMaxFailure within the time interval passwordFailureCountInterval. | Someone is trying to log on to the Administrator account with wrong user credentials. | Administrator account | Unauthorized access to the Administrator account. |
The alarm attributes are listed and explained in Table 2.
| Attribute Name | Attribute Value |
|---|---|
| Major Type | 193 |
| Minor Type | 6946820 |
| Managed Object Class | |
| Managed Object Instance | ManagedElement=<node_name>,SystemFunctions=1,SecM=1,UserManagement=1,LocalAuthenticationMethod=1,AdministratorAccount=<user ID> |
| Specific Problem | Local Authentication, Authentication Failure Limit Reached |
| Event Type | securityServiceOrMechanismViolation (10) |
| Probable Cause | x736AuthenticationFailure (401) |
| Additional Text | The authentication failure limit is reached based on the configured threshold. A password attack is suspected that should be isolated from the ME. |
| Perceived Severity | Warning (6) |
1.2 Prerequisites
This section provides information on the documents, tools, and conditions that apply to the procedure.
1.2.1 Documents
Not applicable.
1.2.2 Tools
No tools are required.
1.2.3 Conditions
Before starting this procedure, ensure that the following conditions are met:
- A Local Authentication, Authentication Failure Limit Reached alarm is raised.
- The user has sufficient access rights to perform the task, for example, the system security administrator role and root privileges to access operating system logs.
- An Ericsson Command-Line Interface (ECLI) session in Exec mode is in progress.
2 Procedure
This section describes the procedure to follow when this alarm is received.
Do the following:
- Navigate to the AdministratorAccount Managed Object (MO) given in the alarm, for example:
>dn ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,UserManagement=1,LocalAuthenticationMethod=1,AdministratorAccount=la-admin
- Check how many failed attempts have been made to the Administrator account during the passwordFailureCountInterval:
(AdministratorAccount=la-admin)>show -r passwordFailureTimes
The following is an example output:
AdministratorAccount=la-admin
passwordFailureTimes
"2015-02-02T17:15:02Z"
"2015-02-03T13:47:53Z"
"2015-02-03T13:53:28Z"
"2015-02-03T13:55:16Z"
"2015-02-03T13:59:03Z"
"2015-02-03T14:03:17Z"
"2015-02-03T14:04:18Z"
"2015-02-03T14:06:27Z"
Note: Successful authentication to the AdministratorAccount clears the passwordFailureTimes list.
- Provide the information to the security organization.
- Clear the alarm:
(AdministratorAccount=la-admin)>clearFailedAuthenticationAlarm
- Job is completed.
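
The following is an added example, not part of the original instruction or of the node software: a Python helper that takes pasted passwordFailureTimes output and summarises it for the security organization (busiest window, shortest gap between attempts, whether the limit was exceeded). The values 5 and 1800 for passwordMaxFailure and passwordFailureCountInterval are constructed, the interval is assumed to be in seconds, and the sliding-window count is an assumption about how the node evaluates the threshold.

```python
import re
from datetime import datetime, timedelta, timezone

# Example output from this instruction (quotes normalised to ASCII).
SAMPLE = '''AdministratorAccount=la-admin passwordFailureTimes
"2015-02-02T17:15:02Z" "2015-02-03T13:47:53Z" "2015-02-03T13:53:28Z"
"2015-02-03T13:55:16Z" "2015-02-03T13:59:03Z" "2015-02-03T14:03:17Z"
"2015-02-03T14:04:18Z" "2015-02-03T14:06:27Z"'''

TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z")


def parse_failure_times(text):
    """Return the sorted UTC timestamps found in the pasted CLI output."""
    return sorted(
        datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        for t in TS_RE.findall(text)
    )


def densest_window(times, interval_s):
    """Sliding window: (count, first, last) of the busiest interval_s span."""
    best, lo = (0, None, None), 0
    for hi, t in enumerate(times):
        while t - times[lo] > timedelta(seconds=interval_s):
            lo += 1  # drop failures older than the interval
        if hi - lo + 1 > best[0]:
            best = (hi - lo + 1, times[lo], t)
    return best


def assess(text, max_failure, interval_s):
    """Summarise the failure list against the two configured attributes."""
    times = parse_failure_times(text)
    count, first, last = densest_window(times, interval_s)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {
        "total_failures": len(times),
        "peak_count": count,
        "peak_first": first.isoformat() if first else None,
        "peak_last": last.isoformat() if last else None,
        "min_gap_s": min(gaps) if gaps else None,
        "limit_exceeded": count > max_failure,
    }


if __name__ == "__main__":
    # Constructed settings: passwordMaxFailure=5, passwordFailureCountInterval=1800 s.
    print(assess(SAMPLE, max_failure=5, interval_s=1800))
```

Run the summary before clearing the alarm, because a successful authentication to the account clears the passwordFailureTimes list.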
