The VShell server supports the specification of a failed authentication trigger command. This command will run after the limit of failed authentication attempts has been reached for the current connection. For example, if a connection exceeds the limit of failed authentication attempts, this trigger can execute commands that cause specific information to be logged to a separate file, or even send email notifications.
To set up a failed authentication trigger command, open the VShell Control Panel and select the Common / Triggers category. Select the Authentication failed trigger, then press the Edit button. The Enable Trigger option must be enabled for the specified command to be executed upon an authentication failure event. The first field, which is required, is for the command that will be executed. This could be cmd.exe, a script, or some other executable. The second field is for any parameters that the command will use.
The authentication failed trigger supports the following command substitution variables:
%D -- Date of occurrence
%I -- IP address of user
%T -- Time of occurrence
%U -- User
If you're a system administrator, you may want more visibility or immediate notification when an authentication failure event occurs. Below is an example that shows how to set up an authentication trigger that will send an email notification of the failure event. This example uses a VBScript that takes parameters for the information pertaining to the failed authentication attempt (source IP, date, time, and username). The script will then send an email to the specified recipient with the failed authentication details. The script will also log this information to the file specified in the script. If the script encounters any fatal errors, they will be logged to the Windows Event Log.
Set up VShell's Authentication Failure Trigger Command to:
Set up VShell's Authentication Failure Trigger Parameters to:
"C:\VShellAuthFailureTriggerScript.vbs" %I %D %T %U
Here is the sample VBScript code for the Failed Authentication Trigger Script in its entirety: VShellAuthFailureTriggerScript.txt (for this script to work properly, you should save the file with a .vbs extension). You will also need to specify the source and destination email addresses and the SMTP server information in the script.
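As an added illustration (not the VShellAuthFailureTriggerScript linked above, and not code from this page), the PowerShell handler below logs and emails the same four values while treating each one as untrusted input, since the username is whatever the remote client chose to send. It assumes the trigger passes %I %D %T %U in that order after -File; the script path, log path, SMTP server and addresses are placeholders.

```powershell
# Added example: hypothetical handler, not the page's VBScript.
# Assumed trigger parameters: -NoProfile -File "C:\Scripts\VShellAuthFail.ps1" %I %D %T %U
# $args is read raw (no param block) so a username that starts with "-"
# cannot be bound as a script parameter name.

$LogPath    = 'C:\Logs\vshell-authfail.log'   # hypothetical path
$SmtpServer = 'smtp.example.com'              # placeholder
$MailFrom   = 'vshell@example.com'            # placeholder
$MailTo     = 'admin@example.com'             # placeholder

function ConvertTo-SafeField {
    param([string]$Value, [int]$MaxLength = 64)
    # Neutralise control characters and quotes so a crafted username cannot
    # forge extra log lines or break out of the quoted field.
    $clean = [regex]::Replace($Value, '[\x00-\x1F\x7F"]', '?')
    if ($clean.Length -gt $MaxLength) { $clean = $clean.Substring(0, $MaxLength) + '...' }
    return $clean
}

function Format-AuthFailure {
    param([string[]]$Fields)
    if ($Fields.Count -ne 4) {
        # Unexpected argument count (for example a value split on spaces): keep the evidence.
        return 'malformed args="{0}"' -f (ConvertTo-SafeField ($Fields -join ' ') 200)
    }
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($Fields[0], [ref]$ip)) {
        $src = $ip.ToString()
    } else {
        $src = 'invalid:' + (ConvertTo-SafeField $Fields[0] 45)
    }
    # Date and time formats are not assumed; they are logged as sanitised text.
    return 'date="{0}" time="{1}" src={2} user="{3}"' -f `
        (ConvertTo-SafeField $Fields[1] 32), (ConvertTo-SafeField $Fields[2] 32),
        $src, (ConvertTo-SafeField $Fields[3])
}

$line = Format-AuthFailure -Fields $args
try {
    Add-Content -LiteralPath $LogPath -Value $line -Encoding UTF8 -ErrorAction Stop
    # Fixed subject; untrusted data appears only in the sanitised body.
    Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
        -Subject 'VShell: failed authentication limit reached' -Body $line -ErrorAction Stop
} catch {
    Write-Error $_
    exit 1
}
```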
One early sign of a potential intrusion attempt is someone exceeding a specified number of logon attempts. With quick notification, an intrusion attempt can be deflected, saving recovery time and preventing potential theft of critical data.
VShell's failed authentication trigger can help busy system administrators get quick notification about authentication failure events on their systems so that they can temporarily shut down an account for a specific user, or an IP address or range of IP addresses.
The failed authentication trigger initiates a command after a user exceeds the permitted number of logon attempts and can be used to send an email or pager notification to the administrator. This trigger provides the ability to embed IP address, time, and user information into the message. The trigger can also provide important history by logging failed authentication attempts to a separate log file.
When used with appropriate authentication methods, access controls, connection filters, and other Secure Shell variables, failed authentication triggers can help you implement an effective security policy.
For more information on using VShell's trigger commands, see the Triggers topic in the VShell Help.