Thread: Forgotten Password Challenge - fail 3 times, do action?

  1. #1
    Join Date
    Dec 2007
    Location
    Brooklyn, NY
    Posts
    6,213

    Forgotten Password Challenge - fail 3 times, do action?

    I have a customer with a requirement that after three Forgotten Password
    attempts (answer 3 challenge questions) that fail, to perform an action.
    (Specifically send an email).

    But looking through the UI I am not seeing any way to trigger intruder
    detection like functionality on failed Challenge Response. Secondarily,
    I do not see any On Failure action. I do see there are post success
    Actions, which is useful. Be nice to see that extended to on failure as
    well.

  2. #2

    Re: Forgotten Password Challenge - fail 3 times, do action?

    A few silly thoughts:

    First, I presume you're NOT using the backend system for intruder
    detection, as that could detect this (if eDirectory at least) as well as
    other types of intruder attempts (the more-traditional authentication via
    a password) and could, then, act on that. Sending those events to
    Sentinel could get an action generated.

    If not using eDirectory you could perhaps still use the SSPR auditing
    functionality to send audits to Sentinel (or related) and then act on them
    there. I do not know if an intruder detection from SSPR is audited, but
    it seems like a likely candidate for auditing.

    Finally, if logging is set correctly I'd bet something shows up there, so
    you could set up something to monitor that and then generate an event
    (whatever you wanted; bash is powerful) to be sent to whatever outside
    system. Obviously, this is only meant to be an option assuming nothing
    above works.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  3. #3
    Join Date
    Dec 2007
    Location
    Brooklyn, NY
    Posts
    6,213

    Re: Forgotten Password Challenge - fail 3 times, do action?

    On 5/15/2015 2:22 PM, ab wrote:
    > A few silly thoughts:
    >
    > First, I presume you're NOT using the backend system for intruder
    > detection, as that could detect this (if eDirectory at least) as well as
    > other types of intruder attempts (the more-traditional authentication via
    > a password) and could, then, act on that. Sending those events to
    > Sentinel could get an action generated.


    Does it trigger intruder lockout, when you try the Challenge Response
    and fail? I am not so confident. I see there is a Bad Password
    Simulation setting that I took to mean simulates password attempts on
    login attempts, not Challenge Response, but maybe that is what is the
    purpose.

    I can detect Intruder lockout in a driver and send an email, so if that
    works, it could suffice.

    > If not using eDirectory you could perhaps still use the SSPR auditing
    > functionality to send audits to Sentinel (or related) and then act on them
    > there. I do not know if an intruder detection from SSPR is audited, but
    > it seems like a likely candidate for auditing.
    >
    > Finally, if logging is set correctly I'd bet something shows up there, so
    > you could setup something to monitor that and then generate an event
    > (whatever you wanted; bash is powerful) to be sent to whatever outside
    > system. Obviously, this is only meant to be an option assuming nothing
    > above works.
    >



  4. #4

    Re: Forgotten Password Challenge - fail 3 times, do action?

    On 05/15/2015 01:32 PM, Geoffrey Carman wrote:
    > On 5/15/2015 2:22 PM, ab wrote:
    >> A few silly thoughts:
    >>
    >> First, I presume you're NOT using the backend system for intruder
    >> detection, as that could detect this (if eDirectory at least) as well as
    >> other types of intruder attempts (the more-traditional authentication via
    >> a password) and could, then, act on that. Sending those events to
    >> Sentinel could get an action generated.

    >
    > Does it trigger intruder lockout, when you try the Challenge Response and
    > fail? I am not so confident. I see there is a Bad Password Simulation
    > setting that I took to mean simulates password attempts on login attempts,
    > not Challenge Response, but maybe that is what is the purpose.
    >
    > I can detect Intruder lockout in a driver and send an email, so if that
    > works, it could suffice.


    A challenge/response failed attempt via NMAS will cause intruder detection
    in eDir (if configured) to catch that failed login just like any other.
    If you are using SSPR's own challenge/response functionality (which works
    regardless of backend) then, of course, you cannot rely on eDir/NMAS stuff.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  5. #5
    jrivard is offline Micro Focus Employee - Ultra Contributor
    Join Date
    Sep 2008
    Posts
    73

    Re: Forgotten Password Challenge - fail 3 times, do action?


    > fail? I am not so confident. I see there is a Bad Password Simulation
    > setting that I took to mean simulates password attempts on login attempts,
    > not Challenge Response, but maybe that is what is the purpose.


    With the Bad Password Simulation, a bad verification attempt during
    forgotten password will cause the directory to see a login with an
    incorrect password. Thus, if your directory has intruder-lockout set to
    three and a user attempts to enter challenge/response answers several times
    incorrectly, it should trigger the directory lockout.


    --
    jrivard
    ------------------------------------------------------------------------
    jrivard's Profile: https://forums.netiq.com/member.php?userid=541
    View this thread: https://forums.netiq.com/showthread.php?t=53496

