CA PAM is receiving suspicious connection from 127.0.0.x

Article ID: 101499


Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

When users must first connect to a jump server (in this case a Terminal Server acting as the jump server), then launch the CA PAM client and connect to various devices according to their assigned policies, they may get the pop-up messages described below.

In CA PAM, PUTTY is configured as a TCP/UDP service. PUTTY is used as the example in this article, but the problem described here applies to any TCP/UDP service.

The same PUTTY service is configured for multiple UNIX / Linux devices for users to connect to these devices.

Only the first user connecting to the terminal server is allowed to access all the UNIX / Linux devices.

Subsequent users who log in to the same terminal server and connect to the CA PAM server get the following pop-up message:


Bind Failure: The following loopback address could not be loaded

The first user also gets the following message when any subsequent user tries to establish a connection using the PUTTY service for any of the UNIX / Linux devices:


Alert: CA PAM received suspicious incoming connection From 127.0.0.x  Do you want to continue?

This message alerts the first user that other users are also trying to connect to other devices using the same PUTTY service.


In the past, when working in a multi-user environment on a single PC / Terminal Server, other users on that PC / Terminal Server were able to tap into the open port and hijack a session on the remote server. The 'Alert' confirmation message was added to stop this and to inform users that it may be happening.


Is this by design, or is it a bug?

How can this be fixed so that multiple users on the same PC / Terminal Server can access the same service (in this case PUTTY) to connect to the devices?

Environment

CA PAM server version 2.8.3 or higher
CA PAM server version 3.x.x release
This can be either a stand alone server or a cluster environment.

Resolution

This is working as designed. In earlier versions of CA PAM the Alert message was not available, so users were not aware whether their session could be hijacked.

The solution is to modify the PUTTY service ports and replace 22 with 22:*

Using the Ports:* syntax will generate a new random port every time a user logs in.

LocalPort (Ports) is the local port on which the listener waits for connections on the local user desktop. Enter an * (asterisk) to let CA Privileged Access Manager set the value to any available port. This stops multiple users from ending up with the same port assigned to a service.
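
The port behaviour described above can be reproduced with plain TCP sockets. This is an added illustration, not CA PAM code: it assumes the client's local listener behaves like an ordinary socket bound to a loopback address, uses 127.0.0.1 as a constructed stand-in for 127.0.0.x, and uses OS port 0 ("any available port") as the analogue of the `*` setting.

```python
import errno
import socket

LOOPBACK = "127.0.0.1"  # constructed stand-in for the 127.0.0.x address in the alert


def open_listener(port):
    """Bind and listen on the loopback address; port 0 lets the OS pick a free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((LOOPBACK, port))
        sock.listen(1)
    except OSError:
        sock.close()
        raise
    return sock


def fixed_port_collision():
    """Two sessions configured with the same fixed local port: the second bind fails."""
    first = open_listener(0)              # first user's listener
    fixed_port = first.getsockname()[1]   # treat its port as the shared fixed port
    try:
        second = open_listener(fixed_port)  # second user, same address and port
    except OSError as exc:
        return exc.errno == errno.EADDRINUSE
    else:
        second.close()
        return False
    finally:
        first.close()


def per_session_ports(sessions=3):
    """Each session asks for any available port, so no two listeners share one."""
    listeners = [open_listener(0) for _ in range(sessions)]
    try:
        return [s.getsockname()[1] for s in listeners]
    finally:
        for s in listeners:
            s.close()


if __name__ == "__main__":
    print("second bind on fixed port refused:", fixed_port_collision())
    print("ports chosen per session:", per_session_ports())
```

The refused second bind corresponds to the "Bind Failure" pop-up seen by later users, and the distinct ports in the second case are why per-session ports stop users on one Terminal Server from sharing a listener.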


Update TCP/UDP service
