How to configure OpenVAS where it is NOT locking out "root" accounts?

Good morning,

Our instance of the OpenVAS scanner keeps locking our “root” account when running on one of our subnets. Is there a way to ensure this does not happen as part of the vulnerability scans? The internal alert we kept receiving: “Login attempt alert for from using SSH, IP will be blocked for 600 seconds.”

Here is our current setup (below).

Configuration:
- Port List: All IANA assigned TCP
- Alive Test: Scan Config Default
- Credentials: None specified (SSH has a dropdown menu for port 22, but nothing is selected).

Scan Tasks:
- Apply Overrides: Yes
- Min QoD: 70%
- Scanner: OpenVAS Default
- Scan Config: Full and Fast

Any assistance or guidance would be helpful as we’d like to utilize this tool. We were under the impression that Full and Fast does not brute force, as it appears to be the only (best) lightweight option.

Thank you!

Hello,

The obvious option is to exclude the affected machine IP from the scan; the second is to create your own “Scan Config” in the “Configuration” menu.

But the best practice for Linux machines is disabling SSH login for root in “/etc/ssh/sshd_config”:

# Authentication:
PermitRootLogin no

Then your normal user account on the machine has SSH login; use “sudo su -” or “su - root” and switch by password to root.

You can find on Google many articles on how to achieve this.

The following comments have some background info on why you shouldn’t make any changes on the scanner side:

TL;DR: Don’t weaken the scanner; instead configure the target device to not lock accounts in general but only based on the source IP.

If you still want to accept the risk of missing detection of weak / hardcoded default credentials (which is strongly discouraged) the second comment includes some additional info.

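A small check for the sshd_config advice in the answer above, added here as an example and not part of the original thread or of OpenVAS. A common mistake when "disabling root login" is to append `PermitRootLogin no` while an earlier `PermitRootLogin yes` remains in the file: sshd takes the first value it sees for a keyword and ignores later ones, and anything after the first `Match` line is conditional rather than global. The script parses a constructed sample config (not the poster's real file) with those rules and reports the value sshd will actually use. Directive names and defaults are taken from sshd_config(5); the sample config and function names are this example's own.

```python
import re

# Constructed sample sshd_config (not from the thread). Note the stray "yes"
# that precedes the "no": sshd uses the FIRST value for a keyword, so this
# file still allows root to log in even though an admin "disabled" it below.
SAMPLE_SSHD_CONFIG = """\
# Authentication:
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
"""


def global_values(config_text, keyword):
    """Return every value given for `keyword` in the global section, in file order.

    Rules applied (from sshd_config(5)):
      * blank lines and lines starting with '#' are ignored,
      * keyword and value may be separated by whitespace or '=',
      * keywords are case-insensitive,
      * the first 'Match' line ends the global section; later lines only
        apply conditionally and never change the global default.
    """
    values = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key == keyword.lower():
            values.append(value)
    return values


def audit_root_login(config_text):
    """Summarise whether root can log in over SSH with a password (globally).

    Returns a dict with:
      effective  - the PermitRootLogin value sshd will actually use
      ignored    - later PermitRootLogin values that sshd silently ignores
      root_password_login_possible - True when a password brute force
                   against "root" can succeed at all
    """
    prl = global_values(config_text, "PermitRootLogin")
    # OpenSSH's compiled-in default since 7.0 is prohibit-password.
    effective = prl[0] if prl else "prohibit-password"
    # PasswordAuthentication defaults to yes when not set.
    pwauth = global_values(config_text, "PasswordAuthentication")
    password_auth = pwauth[0] if pwauth else "yes"
    return {
        "effective": effective,
        "ignored": prl[1:],
        "root_password_login_possible": (
            effective.lower() == "yes" and password_auth.lower() == "yes"
        ),
    }


if __name__ == "__main__":
    result = audit_root_login(SAMPLE_SSHD_CONFIG)
    print("effective PermitRootLogin:", result["effective"])
    if result["ignored"]:
        print("ignored later values (first one wins):", result["ignored"])
    print("root password login possible:", result["root_password_login_possible"])
```

On a real host the authoritative answer is `sshd -T | grep -i permitrootlogin`, which prints the effective value after sshd has applied these same rules; the parser above is useful when you only have the file (for example from a configuration backup) and want to spot a shadowed setting before it bites.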

Hi CFI. Thank you for the kind reply. Our lockout settings are pretty standard with best practices. The machine in question appears to have been brute forced by OpenVAS with ~60 failed login attempts. We have never seen this before with any other scanner. Do you have any other suggestions (although it sounds like we could disable brute force NVTs)?