Remote Monitoring & Management Help

Failed Login Check

This Check scans the system authentication log (defaulting to /var/log/messages where no system authentication logs are found) and fails when the number of failed login attempts in the previous 24 hours exceeds the threshold value.

The strings the Agent searches for are included in the file hacker_patterns, which is downloaded to /usr/local/rmmagent as part of the installation and upgrade process.

hacker_patterns currently contains the following strings:

  • Authentication Failure
  • authentication failure
  • password check failed
  • incorrect password attempts
  • Invalid user
  • Failed publickey for invalid user
  • Failed password for invalid user
  • Failed keyboard-interactive for invalid user
  • Too many authentication failures
  • more authentication failures
  • not allowed because not listed in AllowUsers

We realize that on some devices there may be other strings you wish to search for, for example those created by a custom application. These can be entered in the file hacker_patterns_custom, also available in /usr/local/rmmagent/.
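To preview how many lines a pattern set would count before adding entries to hacker_patterns_custom, the following added example (not the Agent's own code) reproduces the logic described above over constructed log lines. It assumes case-sensitive substring matching, one count per matching line and classic syslog timestamps; the function names and the custom string "login rejected" are hypothetical.

```python
from datetime import datetime, timedelta

# Strings this page lists for hacker_patterns.
PATTERNS = [
    "Authentication Failure", "authentication failure", "password check failed",
    "incorrect password attempts", "Invalid user", "Too many authentication failures",
    "Failed publickey for invalid user", "Failed password for invalid user",
    "Failed keyboard-interactive for invalid user", "more authentication failures",
    "not allowed because not listed in AllowUsers",
]

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    "Dec 31 09:00:00 host sshd[99]: Invalid user test from 192.0.2.10",
    "Dec 31 13:00:05 host sshd[101]: Invalid user admin from 192.0.2.10",
    "Dec 31 13:00:07 host sshd[101]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2",
    "Dec 31 13:00:09 host sshd[101]: PAM 2 more authentication failures; rhost=192.0.2.10",
    "Jan  1 08:30:00 host sshd[120]: Accepted publickey for deploy from 192.0.2.20 port 5022 ssh2",
    "Jan  1 09:15:42 host myapp[300]: login rejected for user=bob",
]

def parse_syslog_time(line, now):
    """Parse the 'Mon DD HH:MM:SS' prefix, which carries no year."""
    for year in (now.year, now.year - 1):  # previous year covers a New Year rollover
        try:
            stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # no timestamp prefix, or a date invalid in that year
        if stamp <= now:
            return stamp
    return None

def count_failed_logins(lines, patterns, now, window=timedelta(hours=24)):
    """Count lines in the last `window` containing a pattern (once per line)."""
    count = 0
    for line in lines:
        stamp = parse_syslog_time(line, now)
        if stamp is not None and now - stamp <= window and any(p in line for p in patterns):
            count += 1
    return count

def check_fails(count, threshold):
    return count > threshold  # "exceeds" is read as strictly greater

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, 0)  # fixed clock for a repeatable run
    for pats in (PATTERNS, PATTERNS + ["login rejected"]):  # hypothetical custom entry
        n = count_failed_logins(SAMPLE_LOG, pats, now)
        print(n, "FAIL" if check_fails(n, 3) else "PASS")
```

Note that a single rejected SSH attempt can produce more than one matching line (here "Invalid user" followed by "Failed password for invalid user"), which is worth keeping in mind when choosing the Threshold value.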

Dashboard Check configuration

Add

  1. Select the device in the north pane of the Dashboard
  2. Go to the Checks tab
  3. Click Add Check
  4. Choose Add DSC Check > Failed Login Check
  5. Enter the Threshold value.
  6. Click OK to save and apply

Edit

  1. Select the device in the north pane of the Dashboard
  2. Go to the Checks tab
  3. Select the target Failed Login Check
  4. From the Check drop-down
  5. Click Edit Check (also available from the Check's right-click menu)
  6. Configure the settings
  7. Click OK to save and apply

Delete

  1. Select the device in the north pane of the Dashboard
  2. Go to the Checks tab
  3. Select the target Failed Login Check
  4. From the Check drop-down
  5. Click Delete Check (also available from the Check's right-click menu)
  6. Enter the password you have logged into the Dashboard under to confirm removal
  7. Click OK to delete

The Failed Login Check was previously known as the Hacker Check; it was renamed in Dashboard v5.44.5 to more accurately reflect the Check's function.