Q

Capturing the source of login attempts

One piece of security at the application level is an additional log-in process. It would be desirable to be able

to capture the source of each log-in attempt, whether an IP address, port, Unix tty, etc. The objective would be for the application to track the source of log-in attempts and provide an alert to a Systems Administrator if more than 'n' failed log-in attempts occur within 'p' minutes from the same source. Access to this type of information is probably a function of the underlying Operating System and/or Network Operating System (NOS). Can you talk about what type of source information could be available to an application (using O/S calls) for various OS and/or NOS?


This is going to be highly dependent on the Operating System being used. Since you said application level, we will assume that you have an adequate solution to this problem for system-level login, using exactly the type of information you mentioned (i.e. port, IP, tty, etc.).

If the application is Apache Web-based, there are environment variables that can give you a wealth of information. These include REMOTE_ADDR, REMOTE_HOST, and REMOTE_PORT. The page at http://www.devdaily.com/perl/edu/articles/pl020001.shtml gives a CGI script that will print every environment variable that the server knows. Obviously, you wouldn't want to just print these to the user's screen, but you could change the script to log them, and then have some other application scan the log for the patterns that you are worried about. Other Web-servers have similar environment variables.

For actual applications in an operating system environment, your answer will depend on the audit capabilities. You should be able to log who tried to start an application at a particular time. If the application logs login failures, you should be able to correlate the two logs. Whether a script could be written to do that in an automated fashion is an exercise left to the reader. :)

In a network environment with login to a domain, it should be possible for an application to determine where the login attempt came from, but that would be dependent upon what type of network how that would be done.

I apologize for not being more specific about particular system calls that could do this, but I do not have the level of knowledge required to help with that.


For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Links: Infrastructure & Network Security
News & Analysis: How to boost network logon security


This was first published in December 2002

Dig deeper on Password Management and Policy

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close