
Investigating Intruder Lockout History

Novell Cool Solutions: Tip
By Stephen Spalluto


Posted: 31 Jan 2007
 

Problem

In any network, you should know if someone is trying to gain unauthorized access. Novell provides a highly configurable feature, "Intruder Lockout", which locks the account, but ConsoleOne shows only the last IP address from which access was attempted. In most cases it's the legitimate user who calls you to say, "When I try to log in it says something like someone has tried to hack my account and it's locked up - who was it?" The last IP from ConsoleOne may therefore not be very useful for investigative purposes.

Solution

I found a simple and easy way to investigate "Intruder Lockout" history.

1. Activate the reporting of "Failed Login Per Hour" in Health Monitor using Remote Manager (https://<yourserver>:8009) on each server to which users authenticate.

This lists each and every recent failed login attempt giving user account name, IP address, date and time.

2. If you want, you can also have the triggered monitor report e-mailed to you once a certain threshold is reached (default of 4 attempts). If you have "Notify" activated in GroupWise, you will be notified as it happens.

3. Use the DNS\DHCP utility to look up the computer name from the IP address. If you name computers by location, the name also tells you where the machine is.

You therefore have a direct trace to the computer where the failed attempt(s) occurred, and if investigated quickly enough, the issue can often be solved as it happens. If a student is indeed playing around with accounts without authorization and is confronted, I find news spreads quickly, and the instances diminish, if not disappear altogether, quickly - at least for a while ...

Example

Short version of a very quick and easy setup:

1. Enable "Intruder Lock Out" at a user account container level using ConsoleOne.

2. Activate Server Health Monitor in Remote Manager to record and notify you of "Failed Logins Per Hour."

3. Set up the mail notification when triggered.

4. View the history from the notification, or read it in Remote Manager, and trace the source from the IP address using the DNS\DHCP Console if you are using DHCP.
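
An added example, not part of the original tip or of any Novell tool: once the failed-login records (user, IP address, date and time) are in hand, this script groups them by hour and source, applies the tip's threshold of 4, and maps each IP to a computer name. The CSV layout, addresses and computer names are constructed for illustration; Remote Manager's own report format is not shown on this page.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

THRESHOLD = 4  # the tip's default trigger: 4 failed logins in an hour

# Constructed sample records; NOT Remote Manager's real export format.
FAILED_LOGINS = """user,ip,timestamp
jsmith,10.1.20.31,2007-01-29 09:02:11
jsmith,10.1.20.31,2007-01-29 09:02:40
jsmith,10.1.20.31,2007-01-29 09:03:05
akhan,10.1.20.31,2007-01-29 09:04:17
jsmith,10.1.35.12,2007-01-29 09:41:52
mlee,10.1.35.40,2007-01-29 13:15:09
"""

# Constructed IP -> computer name table, standing in for the DNS/DHCP lookup.
LEASES = {"10.1.20.31": "LAB2-PC07", "10.1.35.12": "OFFICE-PC12"}

def investigate(log_text, leases, threshold=THRESHOLD):
    """Return {hour: [(ip, computer, failures, accounts)]} for every hour
    whose total failed logins reach the threshold, busiest source first."""
    per_hour = defaultdict(Counter)   # hour -> failures per source IP
    accounts = defaultdict(set)       # (hour, ip) -> accounts targeted
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        hour = ts.strftime("%Y-%m-%d %H:00")
        per_hour[hour][row["ip"]] += 1
        accounts[(hour, row["ip"])].add(row["user"])
    report = {}
    for hour, counts in per_hour.items():
        if sum(counts.values()) < threshold:
            continue  # below the monitor's trigger level
        report[hour] = [
            (ip, leases.get(ip, "unknown"), n, sorted(accounts[(hour, ip)]))
            for ip, n in counts.most_common()
        ]
    return report

if __name__ == "__main__":
    for hour, sources in sorted(investigate(FAILED_LOGINS, LEASES).items()):
        print(hour)
        for ip, computer, n, who in sources:
            print(f"  {ip:<12} {computer:<12} {n} failed  accounts: {', '.join(who)}")
```

In the sample data the last failed attempt against jsmith comes from the user's own office PC, which is the only address ConsoleOne would show, while the hourly history points at the lab machine that caused the lockout.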

Environment

  • NetWare 6.5
  • Remote Manager
  • ConsoleOne 1.3.6
  • DNS/DHCP Management Console (if using DHCP)

