
Forgotten Password Challenge - fail 3 times, do action?

I have a customer with a requirement that after three Forgotten Password
attempts (answer 3 challenge questions) that fail, to perform an action.
(Specifically send an email).

But looking through the UI I am not seeing any way to trigger intruder
detection like functionality on failed Challenge Response. Secondarily,
I do not see any On Failure action. I do see there are post success
Actions, which is useful. Be nice to see that extended to on failure as
well.

Re: Forgotten Password Challenge - fail 3 times, do action?

A few silly thoughts:

First, I presume you're NOT using the backend system for intruder
detection, as that could detect this (if eDirectory at least) as well as
other types of intruder attempts (the more-traditional authentication via
a password) and could, then, act on that. Sending those events to
Sentinel could get an action generated.

If not using eDirectory you could perhaps still use the SSPR auditing
functionality to send audits to Sentinel (or related) and then act on them
there. I do not know if an intruder detection from SSPR is audited, but
it seems like a likely candidate for auditing.

Finally, if logging is set correctly I'd bet something shows up there, so
you could set up something to monitor that and then generate an event
(whatever you wanted; bash is powerful) to be sent to whatever outside
system. Obviously, this is only meant to be an option assuming nothing
above works.

--
Good luck.
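
The log-monitoring fallback suggested in the reply above, as an added example that is not part of the original post or of SSPR: it counts consecutive failed challenge/response attempts per user and emits an alert at three. The log line layout and the `CR_FAIL`/`CR_OK` event names are constructed for illustration; substitute the real SSPR log format.

```shell
#!/bin/sh
# Added example: threshold alerting over a constructed log format.
# Assumed (hypothetical) line layout, NOT SSPR's real log format:
#   <ISO timestamp> <event> user=<name>
# where <event> is CR_FAIL (failed challenge answers) or CR_OK (success).

THRESHOLD=3

# Reads log lines on stdin; prints one "ALERT <user> <timestamp>" line each
# time a user reaches the limit of consecutive failures. A success resets the
# user's counter, and the counter restarts after an alert so a further run
# of failures alerts again instead of alerting on every later line.
# User names are untrusted input: quote them in whatever consumes the alert.
detect_cr_failures() {
    awk -v limit="${1:-$THRESHOLD}" '
        NF < 3 || $3 !~ /^user=./ { next }       # skip malformed lines
        { user = substr($3, 6) }                 # strip the "user=" prefix
        $2 == "CR_OK"   { fails[user] = 0; next }
        $2 == "CR_FAIL" {
            if (++fails[user] >= limit) {
                print "ALERT", user, $1
                fails[user] = 0
            }
        }
    '
}

# Constructed sample input.
sample_log() {
    cat <<'EOF'
2015-05-15T14:20:01 CR_FAIL user=jdoe
2015-05-15T14:20:09 CR_FAIL user=asmith
2015-05-15T14:20:30 CR_FAIL user=jdoe
2015-05-15T14:20:41 CR_OK user=asmith
2015-05-15T14:21:02 CR_FAIL user=jdoe
2015-05-15T14:21:15 CR_FAIL user=asmith
garbage line
2015-05-15T14:21:40 CR_FAIL user=asmith
EOF
}

# Each ALERT line is where the action (such as the email) would hang.
sample_log | detect_cr_failures
```

On a live system the function would read from a followed log file instead of `sample_log`, with each alert line handed to the mailer.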


Re: Forgotten Password Challenge - fail 3 times, do action?

On 5/15/2015 2:22 PM, ab wrote:
> A few silly thoughts:
>
> First, I presume you're NOT using the backend system for intruder
> detection, as that could detect this (if eDirectory at least) as well as
> other types of intruder attempts (the more-traditional authentication via
> a password) and could, then, act on that. Sending those events to
> Sentinel could get an action generated.


Does it trigger intruder lockout, when you try the Challenge Response
and fail? I am not so confident. I see there is a Bad Password
Simulation setting that I took to mean simulates password attempts on
login attempts, not Challenge Response, but maybe that is what the
purpose is.

I can detect Intruder lockout in a driver and send an email, so if that
works, it could suffice.

> If not using eDirectory you could perhaps still use the SSPR auditing
> functionality to send audits to Sentinel (or related) and then act on them
> there. I do not know if an intruder detection from SSPR is audited, but
> it seems like a likely candidate for auditing.
>
> Finally, if logging is set correctly I'd bet something shows up there, so
> you could setup something to monitor that and then generate an event
> (whatever you wanted; bash is powerful) to be sent to whatever outside
> system. Obviously, this is only meant to be an option assuming nothing
> above works.
>



Re: Forgotten Password Challenge - fail 3 times, do action?

On 05/15/2015 01:32 PM, Geoffrey Carman wrote:
> On 5/15/2015 2:22 PM, ab wrote:
>> A few silly thoughts:
>>
>> First, I presume you're NOT using the backend system for intruder
>> detection, as that could detect this (if eDirectory at least) as well as
>> other types of intruder attempts (the more-traditional authentication via
>> a password) and could, then, act on that. Sending those events to
>> Sentinel could get an action generated.

>
> Does it trigger intruder lockout, when you try the Challenge Response and
> fail? I am not so confident. I see there is a Bad Password Simulation
> setting that I took to mean simulates password attempts on login attempts,
> not Challenge Response, but maybe that is what is the purpose.
>
> I can detect Intruder lockout in a driver and send an email, so if that
> works, it could suffice.


A challenge/response failed attempt via NMAS will cause intruder detection
in eDir (if configured) to catch that failed login just like any other.
If you are using SSPR's own challenge/response functionality (which works
regardless of backend) then, of course, you cannot rely on eDir/NMAS stuff.

--
Good luck.


Re: Forgotten Password Challenge - fail 3 times, do action?


> fail? I am not so confident. I see there is a Bad Password Simulation
> setting that I took to mean simulates password attempts on login attempts,
> not Challenge Response, but maybe that is what is the purpose.


With Bad Password Simulation, a bad verification attempt during
forgotten password will cause the directory to see a login with an
incorrect password. Thus, if your directory has intruder-lockout set to
three and someone attempts to enter challenge/response answers several
times incorrectly, it should trigger the directory lockout.


--
jrivard