Switching


Event Trap for SSH and Web fail attempt

  • 1.  Event Trap for SSH and Web fail attempt

    Posted 11-05-2011 16:08
    We need to configure the switch (EX2200) to send SNMP traps for the following error conditions:
    - a user authentication failure
    - user authentication failure retries exceeded.

    We configured the switch with an event-options policy, but the user authentication
    failure message is sent only when we connect by console.

    We use the following:

    policy AuthFail {
        events [ web_auth_fail web_webauth_auth_fail ];
        then {
            raise-trap;
        }
    }

    Could you tell me what the correct configuration is that we must commit?

    Thanks a lot in advance. Graciela

    #eventtrap


  • 2.  RE: Event Trap for SSH and Web fail attempt

     
    Posted 11-15-2011 04:57

    Hi Graciela,

     

    For some reason it looks like SSHD does not generate the sshd_login_failed_limit in 10.4 on either EX or SRX (just tried both).

     

    What I ended up having to do to get this to work was match against the syslog output, e.g.:

     

    event-options {
        policy SSH-AUTH-ERRORS {
            events SYSTEM;
            attributes-match {
                system.message matches "Disconnecting: Too many password failures for .";
            }
            then {
                raise-trap;
            }
        }
    }

    The above policy will trap after three failed SSH login attempts. If you want to trap after each attempted login instead, match against the string "Failed password for" instead.

     

    To log failed logins via J-Web, just set events to web_auth_fail - this should trigger after each login attempt.  

     

    Hope this helps
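
An added example, not part of the original posts: a Python check that runs the two match strings from the reply above over sshd syslog lines, to show which messages each policy would trap on before committing it. The log lines are constructed, and treating `matches` as an unanchored regular-expression search is an assumption.

```python
import re

# Match strings taken from the reply above.
LIMIT_PATTERN = r"Disconnecting: Too many password failures for ."
ATTEMPT_PATTERN = r"Failed password for"

# Constructed sshd syslog lines; host, users and addresses are made up.
SAMPLE_LOG = [
    "Nov 15 04:50:01 ex2200 sshd[1201]: Failed password for admin from 192.0.2.10 port 50122 ssh2",
    "Nov 15 04:50:04 ex2200 sshd[1201]: Failed password for admin from 192.0.2.10 port 50122 ssh2",
    "Nov 15 04:50:07 ex2200 sshd[1201]: Failed password for admin from 192.0.2.10 port 50122 ssh2",
    "Nov 15 04:50:07 ex2200 sshd[1201]: Disconnecting: Too many password failures for admin",
    "Nov 15 04:52:30 ex2200 sshd[1215]: Failed password for invalid user test from 198.51.100.7 port 40100 ssh2",
    "Nov 15 04:55:12 ex2200 sshd[1230]: Accepted password for graciela from 192.0.2.20 port 50200 ssh2",
]


def matching_lines(pattern, lines):
    """Return the lines a policy with this `matches` string would act on.

    Assumption: `matches` is an unanchored regex search over the message.
    """
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def traps_per_source(pattern, lines):
    """Count matches per source address ('-' when the line carries none)."""
    counts = {}
    for line in matching_lines(pattern, lines):
        m = re.search(r" from (\S+) port ", line)
        src = m.group(1) if m else "-"
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for name, pat in (("limit", LIMIT_PATTERN), ("attempt", ATTEMPT_PATTERN)):
        hits = matching_lines(pat, SAMPLE_LOG)
        print(name, len(hits), traps_per_source(pat, SAMPLE_LOG))
```

In this sample the "Too many password failures" line carries no source address, so a trap raised on it identifies the user but not where the attempts came from; the per-attempt string matches lines that include both.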



  • 3.  RE: Event Trap for SSH and Web fail attempt
    Best Answer

    Posted 11-29-2011 10:05

    Hi, thanks for your answer.

    I tried your suggestion and it is a good solution for my issue.

     

    Thanks!! Graciela.