“SWIFT - VMWare - Vcenter - Authentication Brute Force” behavior from 10.214.206.120 (gdcpavc0053) and 10.214.206.124 (gdcpavc0057) with source user as “root”
Destination Host : <host>
Destination IP: <IP>
This incident occurred on Apr 24th and May 03rd. It did not happen again.
Release : 3.4
The issue occurred only twice. The network team provided a report showing that verification of the root account against the PAM host was attempted every 1-5 seconds, about 20 times. This seemed to alert the network security team's application and VMware to a possible DoS/brute-force attack. Unfortunately, this was reported to support 2 months after the issue occurred, and no logs or information were available from PAM on what might have occurred. It seems there was a network change or issue on those two dates. PAM was never down on those two dates, so logs might not have shown anything even if they existed.
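
The pattern in the network team's report (one account, one source, attempts 1-5 seconds apart, about 20 in a row) can be looked for in whatever authentication records are still retained. The Python below is an added example, not part of the original article or of any PAM or VMware tooling; the log line layout, the thresholds, the date and the `192.0.2.10`/`admin` background entries are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample():
    """Constructed records, one per line: '<ISO timestamp> <source_ip> <user>'."""
    t = datetime(2000, 1, 1, 2, 0, 0)  # constructed date, not the incident's
    gaps = [1, 3, 5, 2, 4, 1, 2, 3, 5, 1, 4, 2, 3, 1, 5, 2, 4, 3, 1]
    lines = [f"{t.isoformat()} 10.214.206.120 root"]
    for gap in gaps:  # 19 gaps of 1-5 s give 20 attempts in total
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.214.206.120 root")
    # Sparse background logins from a documentation-range address (constructed)
    for minutes in (0, 10, 20):
        bg = datetime(2000, 1, 1, 2, 0, 0) + timedelta(minutes=minutes)
        lines.append(f"{bg.isoformat()} 192.0.2.10 admin")
    return lines


def find_bursts(lines, max_gap_s=5, min_count=20):
    """Return runs of >= min_count attempts per (source, user) with gaps <= max_gap_s."""
    by_key = defaultdict(list)
    for line in lines:
        ts, source, user = line.split()
        by_key[(source, user)].append(datetime.fromisoformat(ts))

    bursts = []
    for (source, user), times in by_key.items():
        times.sort()
        run = [times[0]]
        for t in times[1:] + [None]:  # None flushes the final run
            if t is not None and (t - run[-1]).total_seconds() <= max_gap_s:
                run.append(t)
                continue
            if len(run) >= min_count:
                bursts.append({
                    "source": source, "user": user, "count": len(run),
                    "start": run[0].isoformat(), "end": run[-1].isoformat(),
                    "duration_s": int((run[-1] - run[0]).total_seconds()),
                })
            run = [t]
    return bursts


if __name__ == "__main__":
    for burst in find_bursts(build_sample()):
        print(burst)
```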