Service Account Keeps Getting Locked Out After Multiple Attempts

Latest response

I have a service account that does vuln scanning that keeps getting locked out of a RHEL5 server. For some reason it makes multiple attempts to try and log in and in the process always seems to get locked out.

This vuln scanning software has a service account on this server and the password is set to expire every 180 days. I know the password is good, as I can log in with that service account to test it.

/var/log/secure shows me the multiple attempts that it makes and fails at.

If I look at last and grep on that service account and don't see an entry there.

I'm just wondering if there is a good way to troubleshoot this and figure out why this is happening?

thanks

CM
Log in to join the conversation

Responses

R. Hinton.'s picture Guru 10133 points
8 February 2018 9:16 PM

Hi Chris,

From what you posted, it seems you can ssh to the system with the userid password which you know. When you did that, did you buy chance do the ssh from the system that's running the vulnerability scanning software? Is there any chance there are saved credentials in the vulnerability scanning software (that might be incorrect for some reason)?

Can you go to the system where the vulnerability scanning is occurring, attempt a one-time scan through the specific software's interface and enter the password manually? We did this where we worked and it helped, someone had copied/pasted a password and it brought an additional character they didn't expect. Not saying this is the case in your scenario.

I'm on my way to a class, hope this sorts out for you

-RJ

CM Expert 1105 points
9 February 2018 12:24 AM

I don't believe the passwords are cached in any way on the system that does the vuln scan. However we will investigate, try what you recommend and report back.

The reason I say this is that as soon as I unlock the service account on the RHEL server, the vuln scan continues like nothing happens (using passwd -u and pam_tally2 -u service_account_name_goes_here -r commands).

The only odd thing is that the vuln scanner continues to try to log in, even though it has entered the correct password. We are thinking is that there are software plugins that are used to conduct scanning, and for each plugin, it might need to log in for each.

The odd thing is that this is only happening on the RHEL5 VMs, not on the RHEL6 VMs.

R. Hinton.'s picture Guru 10133 points
9 February 2018 4:45 AM

Chris,

Is there anything useful at all in the /var/log/{secure,messages} logs (performing a tail -f /var/log/{messages,secure} on the system being scanned while from the scanning system it is attempted? Maybe rotate the logs prior with logrotate -v -f /etc/logrotate.conf and logrotate -v -f /etc/logrotate.d/syslog just so you have fresh logs to view.

Any chance the system performing the scan is on a new subnet that is not within /etc/hosts.allow??? But since the account is locked...

Did anyone (to borrow Tom Jones' questions from another thread) dork up SELinux labels or ssh-related users/groups, or perhaps any changes to iptables/ip6tables? (The latter might be possible, the former less likely since you can ssh to it otherwise.)

What happens (if the system attempting the scan is Linux) an authorized user runs ssh -q knowngooduser@targetsystem 'hostname' is ran from the system doing the vulnerability scanning?

The thing that seems (at least to me) point to the system performing the scanning is the fact you can log in (I assume maybe) elsewhere with the proper userid/password. I have one customer that has a vulnerability scanner that they can install on a system, and save the password (can not be viewed after save), and they entered it wrong, even though they copied/pasted, they had an extra character they weren't banking on. However this doesn't seem to be your case...

How is the authentication (if you can say here or not), is it using local accounts, NIS, an exotic version of 3rd party LDAP (rhel5 was rather challenging to get LDAP to work without 3rd party solutions).

We had some RHEL 5 systems at one time that when the domain controller would run out of space for its system logs, it would fail for authentication. The 3rd party LDAP solution we had was tied to one specific domain controller. If that DC was not available for whatever reason, authentications would fail. However since you can seem to log in otherwise, this doesn't seem likely.

Some questions... 1) is the system performing the scan Linux or another OS? 2) If it is Linux, is there any chance there are host keys on that vulnerability scanner that needs to be accepted for that user since the host keys changed? 3) Is there any chance the permissions on the .ssh directory or subordinate files in that directory changed if ssh keys are involved? However it seems you're using a userid/password, and not ssh keys.

Is there anything in the /etc/bashrc file or /etc/profile that would cause an abnormal exit (on the system being ssh'd to)? Or did someone add some echo statement? I can't immediately remember, but one time (many years ago) I accidentally polluted either the /etc/bashrc or /etc/profile (can't remember which) with some echo statement with a reminder, but it thwarted logins, and I removed it and logins were restored... less likely since you can ssh to it otherwise.

Hope this gets sorted out. Perhaps if you can, run an strace command prior to the ssh action, if that is even feasible and shunt the output to a file for analysis. Some do tcpdumps and analyze with wireshark if appropriate.

Wish you well with this Chris,

-RJ

CM Expert 1105 points
9 February 2018 7:24 PM

The vuln scanner is on some sort of RHEL6, physical system, which is in our data center, which is close by.

We are looking into using public/private ssh keys instead of a password.

I think it is safe to say that there is nothing under /etc/profile or /etc/bashrc, because we have other service accounts that log in and do what they need to do and don't have any issues.

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.