[SRX] How to generate SNMP traps for login authentication failures

  [KB23652]


Summary:
This article describes how to generate SNMP traps for login authentication failures. It uses the following predefined events for login failure in an event-options policy:
 
  • sshd_login_failed

  • login_failed

  • login_pam_authentication_error 
Symptoms:
To provide more security around authentication, SNMP traps can be sent to the management host or server when incorrect user credentials are used to SSH or Telnet to an SRX device.
Solution:
You can generate SNMP traps to notify the management device of failed attempts to SSH or Telnet to an SRX device. The following device configuration generates SNMP traps for authentication failures. It uses an SSH user as an example.

Trap configuration
# show snmp
community public {
     authorization read-write;
     clients {
         192.168.1.0/24;
     }
}
trap-group t1 {
     destination-port 172;
     categories {
         rmon-alarm;
     }
     targets {
         192.168.1.2;
     }
}

Event Policy configuration
# show event-options
policy p1 {
     events [ sshd_login_failed login_failed login_pam_authentication_error ];
     then {
         raise-trap;
     }
}
The corresponding log messages are seen in the syslog file messages, as shown below:
show log messages
.
.
sshd[2952]: Accepted password for root from 192.168.1.2 port 1430 ssh2 <<< Successful login
login: Login attempt for user abc from host 192.168.1.2
login[2970]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user abc
The LOGIN_PAM_AUTHENTICATION_ERROR line (highlighted in red in the original article) indicates the failed authentication.
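
To confirm which lines in the messages file correspond to the events in policy p1, the following added example (not part of the original article) scans log text for the three event IDs and counts failures per user. The sample log is constructed from the lines shown above plus constructed lines for a second user xyz; taking the source host from the preceding "Login attempt" line is an assumption based on that sample.

```python
import re
from collections import Counter

# Event IDs listed in policy p1 in the article.
TRAP_EVENTS = ("SSHD_LOGIN_FAILED", "LOGIN_FAILED", "LOGIN_PAM_AUTHENTICATION_ERROR")

# Shape of the tagged line shown in the article: daemon[pid]: EVENT_ID: text
EVENT_RE = re.compile(r"(?P<daemon>[\w-]+)\[\d+\]: (?P<event>[A-Z][A-Z0-9_]+): (?P<text>.*)")
USER_RE = re.compile(r"\buser '?(?P<user>[^\s']+)'?")
ATTEMPT_RE = re.compile(r"Login attempt for user (?P<user>\S+) from host (?P<host>\S+)")

# Constructed sample: the three lines from the article plus constructed
# lines for a second user (xyz from 192.168.1.7).
SAMPLE_LOG = """\
sshd[2952]: Accepted password for root from 192.168.1.2 port 1430 ssh2
login: Login attempt for user abc from host 192.168.1.2
login[2970]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user abc
login: Login attempt for user xyz from host 192.168.1.7
login[2981]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user xyz
login[2985]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user xyz
"""

def find_trap_events(log_text):
    """Return one dict per log line whose event ID is in TRAP_EVENTS."""
    last_host = {}  # user -> host from the most recent "Login attempt" line
    hits = []
    for line in log_text.splitlines():
        attempt = ATTEMPT_RE.search(line)
        if attempt:
            last_host[attempt["user"]] = attempt["host"]
            continue
        m = EVENT_RE.search(line)
        if not m or m["event"] not in TRAP_EVENTS:
            continue  # untagged line or an event the policy does not list
        u = USER_RE.search(m["text"])
        user = u["user"] if u else None
        hits.append({"event": m["event"], "daemon": m["daemon"],
                     "user": user, "host": last_host.get(user)})
    return hits

def failures_by_user(hits):
    """Count matching events per (user, host) pair."""
    return Counter((h["user"], h["host"]) for h in hits)

if __name__ == "__main__":
    for (user, host), n in failures_by_user(find_trap_events(SAMPLE_LOG)).items():
        print(f"{user} from {host}: {n} failed login(s)")
```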
Modification History:
2018-12-13: Article reviewed for accuracy. No changes made. Article is correct and complete.