
One Identity Safeguard for Privileged Sessions 6.11.1 - Administration Guide


Protecting against brute-force attacks

This section provides detailed information on the Protect against brute-force attacks option that is available on SPS, on Basic Settings > Local Services > Web login.

NOTE: You can configure the Protect against brute-force attacks option only under Web login (admin and user), but these settings are inherited by the Web login (user only) settings too.

Operation of the Protect against brute-force attacks option

The web login addresses of administrators and users are, by default, protected against brute-force attacks: after the users reach the configured number of unsuccessful login attempts, SPS denies all following attempts for the configured time. You can turn this off by deselecting the Protect against brute-force attacks option for the web login addresses.

The Protect against brute-force attacks option blocks the user name or the IP address based on the following:

  • If the number of unsuccessful login attempts from the same IP address with any user name exceeds the threshold, the IP address is blocked.

  • If the number of unsuccessful login attempts with a user name from different IP addresses exceeds the threshold, the user name is blocked for all IP addresses.

The rejected authentication attempts that are made during the blocking do not increase the lockout counters.

NOTE: The admin user is also subject to brute-force attack protection.

The default operation of the Protect against brute-force attacks option is that after 20 unsuccessful login attempts, the user name or the IP address is blocked for 10 minutes.

Accepted values:

  • Attempt limit: 1-50 attempts

  • Lockout period: 1-720 minutes

During the blocking, blocked users receive the Unable to authenticate error message whether they enter valid or invalid credentials.

NOTE: The Unable to authenticate error message intentionally gives no further details about the error or possible solutions, so that an attacker who receives it learns nothing more.

Log messages about blocked user names and IP addresses

If a user name or an IP address is blocked, a log event is created, which provides the details about the blocking. The log event contains the following:

  • Cause of the blocking

  • User name

  • IP address

  • Duration of the blocking

Example: log message about a blocked user name

The following example provides the details about the blocking of a user name. The blocked user name is admin and the IP address used is 1.2.3.4. The reason for the blocking is that the user has exceeded the allowed number of unsuccessful authentication attempts. This user is blocked for 60 minutes.

Authentication denied, too many attempts, username is locked out; username='admin', remote_address='1.2.3.4', lockout='60 min'

Example: log message about a blocked IP address

The following example provides the details about the blocking of an IP address. The user is admin and the blocked IP address is 1.2.3.4. The reason for the blocking is that the allowed number of unsuccessful authentication attempts has been reached from this IP address. This IP address is blocked for 40 minutes.

Authentication denied, too many attempts, remote_address is locked out; username='admin', remote_address='1.2.3.4', lockout='40 min'
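
For monitoring these events on a log server, the following Python parser is an added example; it is not part of the One Identity guide or of SPS. It extracts the fields of the two message forms shown above and reports user names or IP addresses that were locked out repeatedly. The syslog prefix (timestamp, host and program name) and the sample lines are constructed assumptions; only the message body comes from this page.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Message body as shown in the guide's two examples. The prefix in front of
# it is an assumption and is used only to read the event time.
LOCKOUT_RE = re.compile(
    r"Authentication denied, too many attempts, "
    r"(?P<kind>username|remote_address) is locked out; "
    r"username='(?P<username>[^']*)', "
    r"remote_address='(?P<remote_address>[^']*)', "
    r"lockout='(?P<minutes>\d+) min'"
)

# Constructed sample lines (not captured SPS output).
SAMPLE_LOG = """\
2024-05-01T10:00:00 sps web: Authentication denied, too many attempts, username is locked out; username='admin', remote_address='1.2.3.4', lockout='60 min'
2024-05-01T10:05:00 sps web: Authentication denied, too many attempts, remote_address is locked out; username='admin', remote_address='1.2.3.4', lockout='40 min'
2024-05-01T10:06:00 sps web: User logged in; username='alice'
2024-05-01T11:30:00 sps web: Authentication denied, too many attempts, username is locked out; username='admin', remote_address='198.51.100.7', lockout='60 min'
"""

def parse_lockouts(text):
    """Return one dict per lockout event found in the log text."""
    events = []
    for line in text.splitlines():
        m = LOCKOUT_RE.search(line)
        if not m:
            continue  # unrelated log line
        ev = m.groupdict()
        ev["minutes"] = int(ev["minutes"])
        try:
            # Assumed prefix: ISO 8601 timestamp as the first field.
            ev["start"] = datetime.fromisoformat(line.split(" ", 1)[0])
            # Nominal end; a reboot, HA failover or root clearing the list ends it earlier.
            ev["until"] = ev["start"] + timedelta(minutes=ev["minutes"])
        except ValueError:
            ev["start"] = ev["until"] = None
        events.append(ev)
    return events

def repeated_targets(events, min_count=2):
    """Blocked user names or IPs that were locked out at least min_count times."""
    counts = Counter((e["kind"], e[e["kind"]]) for e in events)
    return {key: n for key, n in counts.items() if n >= min_count}

if __name__ == "__main__":
    found = parse_lockouts(SAMPLE_LOG)
    for e in found:
        print(e["kind"], e[e["kind"]], "blocked until", e["until"])
    print("repeated:", repeated_targets(found))
```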

Unblocking blocked user names and IP addresses

The web lockout counter for a user name or IP address is reset if:

  • The lockout period is over.

  • The server is rebooted.

  • The secondary node becomes active after an HA failover.

  • The root user clears the list of blocked users/IP addresses on the Troubleshooting page of the text-based physical or SSH console.

NOTE: If you are the root user, on the Troubleshooting page of the text-based physical or SSH console, you can clear the list of blocked user names and IP addresses using the Clear list of blocked users/IPs option. If you clear the list, users and IP addresses that previously were blocked due to exceeding the allowed number of web login attempts can attempt logging in again. Clearing the list does not disable the Protect against brute-force attacks option.

Configuring the Protect against brute-force attacks option

To configure the Protect against brute-force attacks option, on SPS, navigate to Basic Settings > Local Services > Web login.

Figure 55: Basic Settings > Local Services > Web login

For information on how to configure the web login for administrators and users, and as part of it, how to configure the Protect against brute-force attacks option, see section Configuring user and administrator login addresses.

Managing logical interfaces

You can assign logical interfaces to a physical interface. Each logical interface must have its own VLAN ID, and can have its own set of (alias) IP addresses and prefixes. The configured name for each logical interface is visible on One Identity Safeguard for Privileged Sessions (SPS)'s user interface only.

You can configure IPv4 and IPv6 addresses as well. IPv6 is intended for configuring monitored connections. Local services (including the web login) require IPv4 addresses. An interface can have multiple IP addresses, including a mix of IPv4 and IPv6 addresses.

NOTE: SPS does not support scenarios with two hosts using the same IP address on different VLAN groups.

To manage logical interfaces

  1. Navigate to Basic Settings > Network > Interfaces.

    Figure 56: Basic Settings > Network > Interfaces — Managing the logical interfaces

  2. If necessary, use the label on the SPS hardware to identify the physical interface to which you want to assign a logical interface.

  3. Choose to add a new logical interface. Provide the following:

    • VLAN: The VLAN ID of the logical interface. Optional.

      Caution:

      Do not set the VLAN ID unless your network environment is already configured to use this VLAN. Otherwise, your SPS appliance will be unavailable using this interface.

    • Address: The IP address of the logical interface.

      Alternatively, you can also enter a hostname instead. One Identity Safeguard for Privileged Sessions (SPS) automatically resolves the hostname to an IP address.

      NOTE: Note the following limitations:

      • SPS uses the Domain Name Servers set in the Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

      • If the Domain Name Server returns multiple IP addresses, SPS selects randomly from the list.

      NOTE: Do not use IP addresses that fall into the following ranges:

      • 1.2.0.0/16 (reserved for communication between SPS cluster nodes)

      • 127.0.0.0/8 (localhost IP addresses)

    • Prefix: The IP range of the logical interface.

    • Optional: To add additional (alias) IP addresses and prefixes to a logical interface, click . To remove an alias IP address, click the corresponding .

    • MTU: Maximum Transmission Unit (MTU) to set per network interface (VLAN or network interface card). The default value is 1500.

    • Name: The name of the logical interface. This name is visible on SPS's user interface only.

    To remove a logical interface, choose the on the right side.

  4. Click .

Routing uncontrolled traffic between logical interfaces

You can enable routing between logical interfaces, which allows you to direct uncontrolled traffic through SPS.

To enable routing between logical interfaces

  1. Navigate to Basic Settings > Network > IP forwarding.

    Figure 57: Basic Settings > Network > IP forwarding — IP forwarding between interfaces

  2. To add a new forwarding rule, choose and select the two logical interfaces to connect. You can select the same interface in both fields to use that logical interface in single-interface router mode.

    To delete an existing rule, choose .

  3. Click .

Configuring the routing table

The routing table contains the network destinations SPS can reach. You have to make sure that both the monitored connections, and the local services of SPS (including connections made to the backup and archive servers, the syslog server, and the SMTP server) are routed properly.

You can add multiple IPv4 and IPv6 addresses and address ranges along with their respective gateways.

To configure the routing table

  1. To add a new routing entry, navigate to Basic Settings > Network.

    You can add interface-specific network routes using the Advanced routing option of each interface. Otherwise, use the Routing table option to manage networking routes.

    Figure 58: Basic Settings > Network > Routing table — Routing

  2. Click , then enter the IP address and the network prefix into the Network field.

  3. Enter the IP address of the gateway used on that subnetwork into the Gateway field.

  4. Click .
