IBM Security Z Security

  • 1.  Stopping repeated Logon Attempts with zSecure Alerts

    Posted Wed June 17, 2020 01:40 PM

    Recently, our Information Security Division contracted with another entity to exercise a penetration test against our production websites. They used a script with a tight loop to generate logon attempts with different USERIDs against our production websites.  These websites are the front end to our production DB2 subsystems on the mainframe. So, depending on how they tried to log on, it sent access requests to our mainframe Shadow regions or to the mainframe LDAP (GLDITDS). This penetration test lasted for 39 ½ hours (over 3 million lines in SYSLOG and millions of lines in the Shadow regions and the GLDITDS started tasks) before someone noticed what was happening.  All the Shadow regions and LDAP refused the logon attempts, but that did not stop the attempts from continuing.  So, we are looking for ways to identify this situation and stop it as soon as possible.  We are looking at using the mainframe Message Flooding Facility, Communication Server/Network controls and zSecure for real-time Alerts.  I'm trying to assist our access management team in setting up something in zSecure.


    The messages that we saw were like the following:

    SDBF      ICH408I USER(TEST    ) GROUP(PROD    ) NAME(HIGH LEVEL HQL      ) 065           <-- Where SDBF is the Shadow region started task

    SDBF        LOGON/JOB INITIATION - REVOKED USER ACCESS ATTEMPT                                <-- and the USERID changed repeatedly

    GLDITDS   ICH408I USER(ASDF    ) GROUP(        ) NAME(???                  ) 123             <-- Where GLDITDS is the LDAP started task

    GLDITDS     LOGON/JOB INITIATION - USER AT TERMINAL          NOT RACF-DEFINED         <-- and the USERID changed repeatedly

    GLDITDS   IRR012I  VERIFICATION FAILED. USER PROFILE NOT FOUND.


    So, I would like to ask whether we could use zSecure Alert to identify these attempts to log on with different USERIDs (either known or unknown).  If so, which of the existing Alert options could we use?

    Under USER Alerts, I see "Logon by unknown user" and "Too many violations".


    Or, could we customize one for this situation?  Or would you recommend something else to address this situation?  Thank you for your assistance.


    -----------------------------------------------------------------

    Randy Berggren

    Systems Programmer

    Texas Comptroller of Public Accounts

    LBJ Building 

    111 East 17th Street

    Austin, TX 78774

    phone: (512) 463-4196

    email: randy.berggren@cpa.texas.gov




  • 2.  RE: Stopping repeated Logon Attempts with zSecure Alerts

    Posted Thu June 18, 2020 03:47 AM

    Hi Randy,
    Very likely you don't have enough visibility into the details of the guessing attack on the mainframe.

    I guess that you simply see the frontend webserver trying to log in many times in a row. If this is the case, you will not be able to distinguish a guessing attack like this one from just a period of heavy load. The mainframe will only see a bunch of requests coming from the frontend.

    The web application, on the other hand, can understand that there is only one source IP address (even better, session) trying to log in as many times as possible. In this case, I recommend that my customers implement a fake timeout in the web application to slow down the logins. A legitimate user will not care if the login process takes 1 - 1.5 seconds.

    Another possibility is to implement logic to increase this wait time every 10-ish failed login attempts. This will make the attack too costly for the attacker.

    I hope this helps,
     /David




    ------------------------------
    Davide Girardi
    Senior Cyber Security Consultant
    Truesec AB
    ------------------------------
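    The progressive delay Davide describes, worked through as an added example (this is not code from the thread, and not from any zSecure or web-server product): every login waits a fixed base delay, and each block of ten failures from the same source (IP address or session) adds a further step, with a cap and a quiet-period reset. The class and parameter names, the 1 s base delay, the 2 s step and the 15-minute reset are assumptions chosen to match the post.

```python
"""Progressive login delay for a web front end (added example, not code from this thread).
Every login waits a short fixed delay; each block of N failures from the same source
adds a further step. Names and numbers are assumptions matching the post's description."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
import time


@dataclass
class SourceState:
    failures: int = 0          # consecutive failures seen from this source
    last_failure: float = 0.0  # clock reading of the most recent failure


@dataclass
class LoginThrottle:
    base_delay: float = 1.0     # seconds every login waits; legitimate users barely notice
    step_delay: float = 2.0     # extra seconds added per block of failures
    step_size: int = 10         # failures per block ("every 10-ish failed attempts")
    max_delay: float = 60.0     # cap so a shared NAT address is not punished without limit
    reset_after: float = 900.0  # quiet seconds after which a source's failures are forgotten
    sources: Dict[str, SourceState] = field(default_factory=dict)

    def delay_for(self, source: str, now: Optional[float] = None) -> float:
        """Seconds to wait before processing the next login from `source`."""
        now = time.monotonic() if now is None else now
        st = self.sources.get(source)
        if st is None or now - st.last_failure > self.reset_after:
            return self.base_delay
        extra = self.step_delay * (st.failures // self.step_size)
        return min(self.base_delay + extra, self.max_delay)

    def record_failure(self, source: str, now: Optional[float] = None) -> None:
        now = time.monotonic() if now is None else now
        st = self.sources.setdefault(source, SourceState())
        if now - st.last_failure > self.reset_after:
            st.failures = 0  # start a fresh count after a quiet period
        st.failures += 1
        st.last_failure = now

    def record_success(self, source: str) -> None:
        self.sources.pop(source, None)

    def attempt(self, source: str, check: Callable[[], bool],
                sleep: Callable[[float], None] = time.sleep,
                now: Optional[float] = None) -> bool:
        """One login attempt: wait the computed delay, then run the real credential check."""
        sleep(self.delay_for(source, now))
        ok = check()
        if ok:
            self.record_success(source)
        else:
            self.record_failure(source, now)
        return ok


def simulate_burst(attempts: int = 30, source: str = "203.0.113.7") -> float:
    """Total seconds a guessing script is made to wait for `attempts` consecutive
    failures from one constructed source address. No real sleeping happens: the
    sleep callback only accumulates the delay that would have been imposed."""
    throttle = LoginThrottle()
    waited = 0.0

    def fake_sleep(seconds: float) -> None:
        nonlocal waited
        waited += seconds

    for i in range(attempts):
        # fixed clock (one second per attempt) so the quiet-period reset never fires mid-burst
        throttle.attempt(source, lambda: False, sleep=fake_sleep, now=1000.0 + i)
    return waited


if __name__ == "__main__":
    flat = 30 * LoginThrottle().base_delay
    print(f"30 failed attempts cost {simulate_burst(30):.0f}s of waiting "
          f"instead of {flat:.0f}s with a flat delay")
```

    With these parameters thirty consecutive failures from one source cost 90 seconds of waiting instead of 30, and the cost keeps climbing until the cap, while a user who gets the password right on the first or second try only ever sees the base delay. The `now` and `sleep` parameters exist so the behaviour can be checked deterministically without sleeping.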



  • 3.  RE: Stopping repeated Logon Attempts with zSecure Alerts

    Posted Mon June 22, 2020 04:15 AM
    Edited by Rob van Hoboken Mon June 22, 2020 04:15 AM
    While it is true, as Davide pointed out, that the IP address of the end user is known only to the front-end web site and is not passed to the mainframe Shadow Region or LDAP, you could set up a custom-defined alert to at least be aware of increasing numbers of incorrect passwords.

    zSecure Alert comes with a standard alert 1111 that identifies incorrect password attempts for the same user ID, exceeding a hard-coded threshold of 5 per 6 minutes.  Six minutes is the sum of the configurable collection interval (60 seconds) and averaging interval (600 seconds).  Out of the box, this alert should help you spot the white/black/red hat hacker when they pounce on the same user ID over and over.  A good hacker would evade this type of alert and return to the same user only after a while.

    You could copy alert 1111 into a Custom alert and change a few things:

    1. Change the SELECT command to look only for your Shadow authentication servers:

      select event=racinit(1) jobname=(SDBF,GLDITDS)

    2. Change the summary fields to ignore the USERID and NAME value, adding the (max) modifier to all mentions of these field names:

      / ' User'(18) user(max) name(max),

    3. Change the alert description with text that makes sense to the SOC team:

    )SETF C2PXNAME = &STR(Logon_Invalid_Password)
    )SETF C2PXMSG = &STR('Invalid password attempts through' jobname(0) 'exceeds limit')
    )SETF C2PXDES = &STR('Excessive number of password attempts through remote authentication')


    ------------------------------
    Rob van Hoboken
    ------------------------------
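    The effect of Rob's customisation (selecting only the Shadow and LDAP started tasks, and counting failures per job name regardless of user ID) can be seen in plain Python over a constructed SYSLOG extract. This is an added example, not zSecure's own alert logic and not code from the thread: it parses the ICH408I lines, slides a 6-minute window over the failures per started task, and fires when the window holds 5 or more, which is exactly the case a per-user rule like alert 1111 misses once the script rotates user IDs. The sample lines are constructed (with a simple HH:MM:SS prefix rather than real SYSLOG timestamps); the job names SDBF and GLDITDS come from the original post, the user IDs and the TSU01234 address space are made up.

```python
"""Burst detection over RACF ICH408I messages (added example, not zSecure's alert code).
Counts failed logons per started task inside a sliding window, ignoring the user ID,
so a script that rotates user IDs still trips the threshold. Sample SYSLOG is constructed."""
import re
from typing import Dict, List, Optional, Set, Tuple

# HH:MM:SS, job name, then the ICH408I USER(...) token; user IDs are blank-padded by RACF
ICH408I_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\s+(\S+)\s+ICH408I\s+USER\(([^)]*)\)")

# Constructed sample: a rotating-user-ID burst through SDBF, two failures through
# GLDITDS, one unrelated TSO failure, plus the continuation lines RACF prints.
SAMPLE_SYSLOG = """\
10:00:01 SDBF      ICH408I USER(TEST    ) GROUP(PROD    ) NAME(HIGH LEVEL HQL      ) 065
10:00:01 SDBF        LOGON/JOB INITIATION - REVOKED USER ACCESS ATTEMPT
10:00:09 SDBF      ICH408I USER(ADMIN   ) GROUP(        ) NAME(???                  ) 066
10:00:09 SDBF        LOGON/JOB INITIATION - USER AT TERMINAL          NOT RACF-DEFINED
10:00:17 SDBF      ICH408I USER(ROOT    ) GROUP(        ) NAME(???                  ) 067
10:00:25 SDBF      ICH408I USER(GUEST   ) GROUP(        ) NAME(???                  ) 068
10:00:33 SDBF      ICH408I USER(DBA     ) GROUP(        ) NAME(???                  ) 069
10:00:41 SDBF      ICH408I USER(ASDF    ) GROUP(        ) NAME(???                  ) 070
10:00:49 SDBF      ICH408I USER(QWER    ) GROUP(        ) NAME(???                  ) 071
10:00:57 SDBF      ICH408I USER(ZXCV    ) GROUP(        ) NAME(???                  ) 072
10:02:00 TSU01234  ICH408I USER(JOHNDOE ) GROUP(DEV     ) NAME(JOHN DOE            ) 073
10:05:10 GLDITDS   ICH408I USER(ASDF    ) GROUP(        ) NAME(???                  ) 123
10:05:10 GLDITDS     LOGON/JOB INITIATION - USER AT TERMINAL          NOT RACF-DEFINED
10:05:10 GLDITDS   IRR012I  VERIFICATION FAILED. USER PROFILE NOT FOUND.
10:05:30 GLDITDS   ICH408I USER(MANAGER ) GROUP(        ) NAME(???                  ) 124
"""


def parse_ich408i(line: str) -> Optional[Tuple[int, str, str]]:
    """Return (seconds since midnight, job name, user ID) for an ICH408I line, else None."""
    m = ICH408I_RE.match(line)
    if not m:
        return None
    hh, mm, ss, job, user = m.groups()
    return int(hh) * 3600 + int(mm) * 60 + int(ss), job, user.strip()


def find_bursts(lines: List[str], jobnames: Set[str],
                threshold: int = 5, window: int = 360) -> List[Dict]:
    """One alert per monitored started task whose failed-logon count inside some
    `window`-second span reaches `threshold`, whatever user IDs were tried."""
    events: Dict[str, List[Tuple[int, str]]] = {}
    for line in lines:
        parsed = parse_ich408i(line)
        if parsed and parsed[1] in jobnames:          # the SELECT jobname=(...) step
            events.setdefault(parsed[1], []).append((parsed[0], parsed[2]))

    alerts = []
    for job, evs in events.items():
        evs.sort()
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                users = {u for _, u in evs[start:end + 1]}
                best = {"jobname": job, "count": count, "distinct_users": len(users),
                        "first": evs[start][0], "last": evs[end][0]}
        if best:
            alerts.append(best)
    return alerts


def max_failures_per_user(lines: List[str], jobnames: Set[str]) -> int:
    """Highest count for any (job, user) pair: what a per-user-ID rule such as alert 1111 sees."""
    counts: Dict[Tuple[str, str], int] = {}
    for line in lines:
        parsed = parse_ich408i(line)
        if parsed and parsed[1] in jobnames:
            key = (parsed[1], parsed[2])
            counts[key] = counts.get(key, 0) + 1
    return max(counts.values(), default=0)


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    monitored = {"SDBF", "GLDITDS"}
    for a in find_bursts(lines, monitored):
        print(f"ALERT {a['jobname']}: {a['count']} failed logons with "
              f"{a['distinct_users']} different user IDs in {a['last'] - a['first']}s")
    print("max failures for any single user ID:", max_failures_per_user(lines, monitored))
```

    On the sample, the per-job rule raises one alert for SDBF (8 failures, 8 different user IDs, within a minute) and nothing for GLDITDS or the TSO user, while the per-user view never exceeds 1, which is why the summary fields in the custom alert have to drop USERID and NAME. The `distinct_users` figure is worth carrying into the alert text: a high count with many distinct IDs is the signature of the scripted guessing in the original post, whereas a high count with one ID is the case alert 1111 already covers.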