failed admin login attempt NOT recorded in system log

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

failed admin login attempt NOT recorded in system log

L4 Transporter

During a routine test,  we found out if failed attempt login with the admin name as root via ssh or console will not record to system log, but failedd  attempt login with other name via ssh or console will record to system log.

7 REPLIES 7

L6 Presenter

I'm running 4.1.8-1 and attempted login via ssh as 'admin' and 'root' and received syslog for both failed attemps as shown below.

2012/10/19 20:37:54info     general        auth-fa 0  User 'admin' failed authentication.  Reason: Invalid username/password From: 172.16.20

.24.

2012/10/19 20:37:51info     general        general 0  User root

failed authentication from 172.16.20.24

Are you using external authentication profile?  In my testing,  I am only using the local database.  I am not using any external authentication profile. 

No auth profile. I'm using the built in administrator 'admin' account in addition to the others listed below.

admin@renato(active)> show admins all

admin

panorama

oliver

As you can see, the following is a list of my local users not utilized for administrative logon accounts. Maybe we could take a closer look at your system to see the anomaly first hand?

admin@renato(active)# show shared local-user-database user

  homeadmin   homeadmin

  renato      renato

  ryan        ryan

login as: root

Using keyboard-interactive authentication.

Password:

Access denied

Using keyboard-interactive authentication.

Password:

Access denied

Using keyboard-interactive authentication.

Password:

login as: oliver

Using keyboard-interactive authentication.

Password:

Access denied

Using keyboard-interactive authentication.

Password:

login as: panorama

Using keyboard-interactive authentication.

Password:

Access denied

Using keyboard-interactive authentication.

Password:

Time           Severity Subtype Object EventID ID Description

===============================================================================

2012/10/20 09:59:08info     general        general 0  User root

failed authentication from 172.16.20.24

2012/10/20 09:58:38info     general        general 0  User root

failed authentication from 172.16.20.24

2012/10/20 09:58:08info     general        general 0  User panorama

failed authentication from

2012/10/20 09:58:00info     general        auth-fa 0  User 'panorama' failed authentication.  Reason: Invalid username/password From: 172.16

.20.24.

2012/10/20 09:57:55info     userid         connect 0  ldap cfg pa200 connected to server 172.16.20.7:389, initiated by: 172.16.20.254

2012/10/20 09:57:38info     general        general 0  User oliver

failed authentication from

2012/10/20 09:57:19info     general        auth-fa 0  User 'oliver' failed authentication.  Reason: Invalid username/password From: 172.16.2

0.24.

ernest@PA-200> show admins all

panorama

ernest

ernest@PA-200>

ernest@PA-200> show config running

config {

  mgt-config {

    users {

      ernest {

        permissions {

          role-based {

            superuser yes;

          }

        }

        authentication-profile admin-local-ap;

      }

    }

  }

    authentication-profile {

      admin-local-ap {

        method {

          local-database;

        }

        allow-list all;

        lockout {

          lockout-time 5;

          failed-attempts 3;

        }

      }

    }

PA-200 login: root

Password:

Login incorrect

login: root

Password:

Login incorrect

login: root

Password:

Login incorrect

login: root

Password:

ernest@PA-200> show log system direction equal backward

Time                Severity Subtype Object EventID ID Description

===============================================================================

2012/10/20 13:04:06 info     general        general 0  User ernest logged in via CLI from

2012/10/20 13:04:05 info     general        auth-su 0  User 'ernest' authenticated.   From: (null).

2012/10/20 13:03:06 info     general        general 0  User ernest logged out via CLI from Console

2012/10/20 13:01:02 info     general        general 0  User ernest logged in via CLI from

2012/10/20 13:01:01 info     general        auth-su 0  User 'ernest' authenticated.   From: (null).

no log of root at all..

No auth profile associated with this admin user so to mimic your config, I added the local user 'renato' as an administrator and using the localdb as my auth profile for said user. I still see syslogs for the 'root' user. Only difference I see with our config is that the 'admin' user is configured on my unit whereas it's not on yours.

renato@renato(active)> show admins all

admin

panorama

oliver

renato

config {

  mgt-config {

    users {

      admin {

      permissions {

          role-based {

            superuser yes;

          }

        }

renato {

        permissions {

          role-based {

            superuser yes;

          }

        }

        authentication-profile LocalDB;

      }

    }

  }

2012/10/20 16:05:45info     general        general 0   Accepted keyboard-interactive/pam for renato from 172.16.20.24 port 6960 ssh2

2012/10/20 16:05:39info     general        auth-fa 0  User 'renato' failed authentication.  Reason: Invalid username/password From: 172.16.20.24.

2012/10/20 16:05:27info     general        general 0  User renato logged in via CLI from 172.16.20.24

2012/10/20 16:05:26info     general        auth-su 0  User 'renato' authenticated.   From: 172.16.20.24.

2012/10/20 16:05:15info     general        general 0  User root

failed authentication from 172.16.20.24

Hmm,  not sure what to say, but I tested with 4.1.7 and 5.0.0 beta.  

Call into PAN Support so we can turn on some debugging features. If indeed a bug, we'll file one accordingly and investigate further.    

  • 4961 Views
  • 7 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!