
Lock IT Down: Keep out unwanted guests with NetWare Intruder Detection

Implement NetWare Intruder Detection as part of an overall security policy

Only the most incompetent network administrator would configure a network to allow users to access a server without entering both a user ID and password. Finding out valid user IDs is relatively easy. It's actually the passwords that do most of the work when it comes to blocking hackers.

Unless a hacker has a password-cracking utility, his or her only recourse is to play “guess the password” by continually entering password combinations until one works. You can quickly end the guessing game by enabling Intruder Detection on your NetWare server using either NetWare Administrator or ConsoleOne.

How does Intruder Detection work?
When you enable Intruder Detection, NetWare monitors every login attempt. If a user or hacker enters an incorrect password for an account, NetWare takes note of it. After a set number of bad login attempts, NetWare disables the account. This prevents hackers from repeatedly entering passwords until they find the right password to access the network.

By default, NetWare allows a user to enter up to seven incorrect passwords within 30 minutes before locking out the user account. The user account remains locked out for 15 minutes. After 15 minutes, NetWare enables the account again. NetWare also gives you the ability to adjust these defaults. You can make the Intruder Detection feature as flexible or as strict as you want.

Unfortunately, NetWare’s Intruder Detection feature can’t distinguish between a hacker and a user with a poor memory. NetWare will lock out forgetful users just as hard as it will the malicious hacker. So, when designing an Intruder Detection policy, don’t be too restrictive. If you are, you may spend a lot of time unlocking accounts.

Using NetWare Administrator
To enable Intruder Detection using the old reliable NetWare Administrator, log into your administration workstation as a user with Admin rights and start NetWare Administrator. Select the container where you want to set the Intruder Detection policy. Although you can set Intruder Detection from the root of the NDS tree, it may make more sense to set the policy at the organization or organizational unit (OU) level. Doing so will allow you to set multiple and independent Intruder Detection policies, giving you the capability to severely restrict one OU, while being more permissive with another.

Next, right-click the container object and select Details. When the Properties notebook for the container appears, click the Intruder Detection tab. You will see the screen shown in Figure A.

Figure A
You can enable Intruder Detection in NetWare Administrator.

Select the Detect Intruders check box. You’ll see the Incorrect Login Attempts field become available with a default value of seven, representing seven incorrect login attempts before Intruder Detection kicks in. You can set this value to any number you wish. An allowance of seven incorrect attempts is usually considered very generous. Some network administrators prefer a “three strikes” rule, so they set the value of Incorrect Login Attempts to 3.

The Intruder Attempt Reset Interval fields control how much time NetWare allows between the first bad login attempt and the subsequent bad attempts that count toward the Incorrect Login Attempts limit. You enter the interval as a number of days, hours, and minutes.

The maximum interval you can set is 999 days, 23 hours, and 59 minutes. However, setting such an interval would be silly. The default value is 15 minutes, which is a reasonable time frame. NetWare Administrator automatically adjusts time values for the fields if you go over the field’s maximum value. For example, if you enter a value of 36 in the Hours field, the next time you go into the Intruder Detection page, you’ll see NetWare Administrator has adjusted the Hours field to 12 and added 1 to the Day field.

Select the Lock Account After Detection check box to temporarily disable the account. If you don’t select this check box, Intruder Detection will only log the bad attempts to the attacked user ID and not actually do anything about it. The Intruder Lockout Reset Interval controls the amount of time the user ID is locked out.

Like the Intruder Attempt Reset Interval, the Intruder Lockout Reset Interval is expressed in terms of days, hours, and minutes using the respective fields. The default interval is 15 minutes. This can be a good interval to keep because it discourages hackers from continuing to use the account, but doesn't make the lockout last so long that users call you asking you to reset their account.

However, if you’re concerned about security and want to know for sure when users are being attacked, setting a long lockout interval can become advantageous. This will cause forgetful users to call you asking you to unlock their account, which would bring any unauthorized attacks to your attention. Otherwise, the Lockout Reset interval may pass, and you wouldn’t be aware of any attack.
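
The interaction of the four settings described above can be seen in a small model. This is an added example, not code from the original article or from Novell; it assumes that detection triggers on the attempt that reaches the limit and that the counting window starts at the first bad attempt, and all event data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Policy:
    attempts: int                 # Incorrect Login Attempts
    attempt_reset: timedelta      # Intruder Attempt Reset Interval
    lock: bool                    # Lock Account After Detection
    lockout_reset: timedelta      # Intruder Lockout Reset Interval

@dataclass
class Account:
    bad_count: int = 0
    first_bad: Optional[datetime] = None
    locked_until: Optional[datetime] = None

def login(acct, policy, when, password_ok):
    """Apply one attempt; return 'ok', 'bad', 'detected' or 'locked'."""
    if acct.locked_until and when < acct.locked_until:
        return "locked"           # refused even with the right password
    acct.locked_until = None      # lockout interval has passed
    if acct.first_bad and when - acct.first_bad > policy.attempt_reset:
        acct.bad_count, acct.first_bad = 0, None   # counting window expired
    if password_ok:
        return "ok"
    acct.first_bad = acct.first_bad or when
    acct.bad_count += 1
    if acct.bad_count < policy.attempts:
        return "bad"
    acct.bad_count, acct.first_bad = 0, None       # limit reached
    if policy.lock:
        acct.locked_until = when + policy.lockout_reset
    return "detected"

def replay(policy, events):
    """Run (minutes_from_start, password_ok) events against a fresh account."""
    start, acct = datetime(2024, 3, 4, 9, 0), Account()   # constructed start time
    return [login(acct, policy, start + timedelta(minutes=m), ok) for m, ok in events]

# Constructed event streams: a guessing run and a forgetful user.
GUESSING = [(m, False) for m in range(8)] + [(10, True), (25, True)]
FORGETFUL = [(0, False), (1, False), (2, False), (3, True)]

# Seven attempts, 30 minutes, 15-minute lockout are the values quoted in the article.
PAGE_VALUES = Policy(7, timedelta(minutes=30), True, timedelta(minutes=15))
THREE_STRIKES = Policy(3, timedelta(minutes=30), True, timedelta(minutes=15))
LOG_ONLY = Policy(7, timedelta(minutes=30), False, timedelta(minutes=15))
```

Replaying FORGETFUL under PAGE_VALUES and under THREE_STRIKES shows the trade-off the article describes: the stricter limit stops a guessing run sooner, but it also refuses the forgetful user's correct fourth attempt.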

To reset a locked account or to view whether an account has been attacked, open the user object’s Properties notebook by right-clicking the object and selecting Details. When the Properties notebook appears, click the Intruder Lockout tab. You’ll see the screen shown in Figure B.

Figure B
NetWare Administrator shows the intruder status for a user.

If the account is locked, the Account Locked check box will be selected. To re-enable the account, clear the check box. Although you can’t change the information, the data on the rest of the page can be helpful in tracking down the source of the failed login attempts.

The Account Reset Time shows the amount of time before NetWare automatically re-enables the account. By counting backwards the amount of time you specified in the Intruder Lockout Reset Interval, you can determine when the lockout occurred. This can help identify whether or not the account was locked due to a forgetful user or a potential hacker. For example, if an employee who normally works weekdays is locked out at midnight on a weekend, you might suspect that a hacker or other malicious user caused the lockout.

The Last Intruder Address field can help you determine which workstation caused the lockout. This field will display both IPX and TCP/IP login information. By comparing this address with your records, you can hunt down the workstation and take further action if the workstation that caused the lockout isn’t the one normally accessed by the user who was locked out.
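
The counting-back check and the address comparison described above can be written down as a short triage routine. This is an added example, not part of the original article; it treats the Account Reset Time as the clock time at which the account unlocks, and the working hours, user names, and addresses are constructed assumptions.

```python
from datetime import datetime, timedelta, time

LOCKOUT_RESET = timedelta(minutes=15)            # Intruder Lockout Reset Interval in force
WORK_DAYS = range(0, 5)                          # assumption: Monday to Friday
WORK_START, WORK_END = time(8, 0), time(18, 0)   # assumption: 08:00 to 18:00

# Constructed records: each user's usual workstation address.
USUAL_ADDRESS = {"jsmith": "192.0.2.10", "mlee": "192.0.2.22"}

# Constructed readings copied from the Intruder Lockout page:
# (user, Account Reset Time, Last Intruder Address)
LOCKED = [
    ("jsmith", datetime(2024, 3, 4, 9, 20), "192.0.2.10"),   # Monday morning
    ("mlee", datetime(2024, 3, 10, 0, 15), "192.0.2.77"),    # Sunday, after midnight
]

def lockout_started(account_reset_time, lockout_reset=LOCKOUT_RESET):
    """Count back from the reset time to the moment the account was locked."""
    return account_reset_time - lockout_reset

def triage(user, account_reset_time, last_address):
    """Flag a lockout that happened off-hours or from an unfamiliar address."""
    started = lockout_started(account_reset_time)
    in_hours = (started.weekday() in WORK_DAYS
                and WORK_START <= started.time() < WORK_END)
    reasons = []
    if not in_hours:
        reasons.append("outside working hours")
    if USUAL_ADDRESS.get(user) != last_address:
        reasons.append("unfamiliar workstation address")
    return {"user": user, "locked_at": started,
            "suspicious": bool(reasons), "reasons": reasons}

def triage_all(records=LOCKED):
    return [triage(*record) for record in records]

if __name__ == "__main__":
    for finding in triage_all():
        print(finding)
```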

Using ConsoleOne
While most NetWare admins are familiar with NetWare Administrator when performing administration duties, ConsoleOne can perform these tasks, including dealing with Intruder Detection, just as easily. For this section, we’ll use ConsoleOne 1.3.3 under Linux. For more information about ConsoleOne under Linux, see the Daily Drill Down "ConsoleOne 1.3.3 adds NetWare administration powers to Linux."

ConsoleOne functions very similarly to NetWare Administrator. Start ConsoleOne on your server or administration workstation. Authenticate to your NDS tree by selecting the NDS tree in ConsoleOne’s left pane and selecting Authenticate from the File menu. Enter the user ID and password for the Admin account or a user with Admin rights in the Login window that appears.

When the NDS tree loads, select the container object where you want the Intruder Detection policy to be located. Right-click the object and select Properties. You’ll see the Properties Notebook for the object appear.

Click the General tab. In the upper right-hand corner of the General tab, you’ll see a triangle. This indicates that there are subscreens to the tab. To get to the Intruder Detection window, click General again and select Intruder Detection from the General menu that appears. Then you’ll see the screen shown in Figure C.

Figure C
You can also set Intruder Detection from ConsoleOne.

At this point, ConsoleOne works just like NetWare Administrator. Set the values for the Intruder Detection fields and check boxes to customize how NetWare will react to intruders. Click OK to save your changes and close the window.

To unlock a locked-out user or to view intruder information for a user in ConsoleOne, right-click the user object in the NDS tree and select Properties. When the Properties notebook for the user appears, click the Restrictions tab. You'll need to click the Restrictions tab a second time. Then, select Intruder Lockout and you’ll see the screen shown in Figure D.

Figure D
ConsoleOne allows you to unlock and view intruder information for a user.

This page works exactly like the Intruder Lockout tab in NetWare Administrator. You can re-enable a user by deselecting the Account Locked check box. The rest of the screen gives information about the lockout that you can use to track down the cause of the lockout.

Intruder alert!
Although setting Intruder Detection on your network may result in phone calls from users who forget their passwords and accidentally lock themselves out of the network, it will also prevent hackers from guessing user passwords and accessing your network. If you’re in an environment where security is key, a couple of extra phone calls are worth the effort, especially since Novell makes it easy to enable Intruder Detection.

