GEN:SID | 1:492 |
Message | INFO TELNET login failed |
Summary | This event is generated when an unsuccessful login attempt was made via telnet.
|
Impact | Possible unauthorized access via password brute-forcing
An attacker may have attempted to gain access to a valid user's account via the telnet service, but did not succeed. The telnet service is running, which uses insecure authentication mechanisms.
|
Detailed Information | A user tried to log on to a system via telnet, but has been rejected, either due to invalid username, password, or both. This could mean someone is trying to log on without proper password (if there are multiple unsuccessful logins) or they may have just mistyped the username or the password.
The telnet server typically runs on TCP port 23. Upon access to the server, account access is granted based on an unencrypted user name and password. Upon a failed login (resulting from either an invalid account or an incorrect password), a login failure message will be returned. This rule matches the common text "Login failed".
|
Affected Systems | Any system running a telnet server.
|
Attack Scenarios | Attackers can, particularly when armed with a valid account name, attempt to use guessing attacks or brute-force means to gain access via the telnet service. Many successive events of this type would likely be indicative of such an attack.
The use of a telnet server allows the passive attack of traffic sniffing, which can extract a username and password from any valid login.
|
Ease of Attack | Simple.
This event indicates it is possible to perform a brute-force attack; the ease of such an attack is dependent upon the strength of passwords, and rate-limiting techniques employed by the telnet server in question.
|
Corrective Action | Check how many invalid attempts occurred, change the password of the user that tried to log in.
It is best to avoid using telnet whenever possible; its authentication system is lacking, and encryption is generally unavailable. If your telnet server can be configured to temporarily disable access after rapid successive failures, it as advised that you do so.
|
Additional References | Telnet RFC: http://www.faqs.org/rfcs/rfc854.html
|