Repeated failed login attempts by a user for Check Point


Check Point


Alert if a user has repeatedly tried to log in unsuccessfully during the last hour.

Remediation Steps

Investigate where the logins are originating from and take action to block the attempts if necessary. Check "/var/log/secure" on the device.

How does this work?

Count the number of failed logins for the last hour, using the information in the /var/log/secure log file.
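
The count described above, as an added example that is not Indeni's own code. It assumes standard OpenSSH "Failed password" lines in /var/log/secure; the function names, the threshold of 3 and the sample lines are constructed for illustration. It also groups failures by source address, which is what the remediation step asks you to investigate.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumption: standard OpenSSH "Failed password" syslog lines; the page does not
# show the message format the device writes to /var/log/secure.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def failed_logins(lines, now, window=timedelta(hours=1)):
    """Return {user: Counter({source: count})} for failures inside the window."""
    result = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year: assume the current one and step back
        # a year when that lands in the future (log written across New Year).
        ts = datetime.strptime(f"{now.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if ts > now:
            ts = ts.replace(year=now.year - 1)
        if now - ts <= window:
            result.setdefault(m["user"], Counter())[m["src"]] += 1
    return result

def users_over_threshold(lines, now, threshold=3):
    """Users whose failures in the window reach the (hypothetical) threshold."""
    hits = failed_logins(lines, now)
    return {u: dict(c) for u, c in hits.items() if sum(c.values()) >= threshold}

# Constructed sample lines, not taken from a real device.
SAMPLE = """\
Dec 31 22:15:00 gw-1 sshd[2101]: Failed password for admin from 192.0.2.10 port 40112 ssh2
Dec 31 23:41:07 gw-1 sshd[2140]: Failed password for admin from 192.0.2.10 port 40230 ssh2
Dec 31 23:41:12 gw-1 sshd[2140]: Failed password for admin from 192.0.2.10 port 40230 ssh2
Dec 31 23:58:30 gw-1 sshd[2177]: Failed password for invalid user test from 198.51.100.7 port 51822 ssh2
Jan  1 00:05:44 gw-1 sshd[2203]: Failed password for admin from 192.0.2.10 port 40311 ssh2
Jan  1 00:06:02 gw-1 sshd[2210]: Accepted password for admin from 192.0.2.25 port 60100 ssh2
Jan  1 00:12:19 gw-1 sshd[2231]: Failed password for admin from 203.0.113.5 port 33990 ssh2
""".splitlines()

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 0, 30, 0)  # constructed "current time"
    for user, sources in users_over_threshold(SAMPLE, now).items():
        print(user, sum(sources.values()), sources)
```

On a device, pass the lines of /var/log/secure and `datetime.now()` instead of the constructed sample and fixed time.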

Why is this important?

Attackers often try to guess user passwords in an attempt to gain access to a device. Alerting on this behavior means that the administrator could take action to limit or stop it.

Without Indeni how would you find this?

An administrator could log in and manually read the file to count attempts.

