Monitor failed login attempts and report anomalies.

389-LM-004 - severity: high

Field          Value
Control ID     389-LM-004
Severity       high
Type           detective
Owner          IT Operations
Status         authored
NIST 800-53    AU-6, AC-7
DISA SRG       SRG-APP-000503, SRG-APP-000360

Rationale

Brute-force and password-spray attacks against an LDAP directory manifest as bursts of bind operations returning LDAP result code 49 (LDAP_INVALID_CREDENTIALS). Because 389DS records each bind outcome - including the result code, client IP address, and target DN - in the access log, this log is the primary detection surface for credential-guessing campaigns. Without active monitoring and alerting on err=49 patterns, sustained attacks can proceed undetected until accounts are compromised, locked out, or exfiltrated credentials appear in external breach data. Early detection allows responders to block source IPs or trigger account lockout policy (389-AC-004) before accounts are taken over. This control satisfies NIST SP 800-53 AU-6 (audit review and analysis for security-relevant events) and AC-7 (unsuccessful login attempt limits and responses), and maps to DISA SRG-APP-000503 and SRG-APP-000360.

Check

Confirm that access logging is enabled so failed bind attempts (err=49) are recorded.

dsconf <instance> config get nsslapd-accesslog-logging-enabled

Expected: nsslapd-accesslog-logging-enabled: on

Remediation

Ensure access logging is on and alert on repeated failed binds.

dsconf <instance> config replace nsslapd-accesslog-logging-enabled=on
# then configure your monitoring/SIEM to alert on repeated 'err=49' bind failures in
# /var/log/dirsrv/slapd-<instance>/access

Implementation Notes

Access logging is on by default in 389DS but should be verified explicitly, as it can be disabled by an administrator. Enabling it does not require a server restart. The detection and alerting component of this control lives in the monitoring stack rather than in 389DS itself: configure your SIEM or log-analysis tool (shipped via 389-LM-003) to raise an alert when a source IP or target DN accumulates a threshold of err=49 entries within a rolling time window. High-volume deployments may need to tune nsslapd-accesslog-level or apply log buffering to manage the access log throughput; review 389DS documentation for log-level bitmask values before adjusting. Cross-reference with 389-IRM-002 for incident response procedures triggered by anomaly alerts from this control.
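The threshold-within-a-rolling-window logic described above, as an added example that is not part of this baseline or of the 389DS project: it parses the three access-log line types needed (the connection line for the client IP, the BIND line for the target DN, and the RESULT line carrying err=49), correlates them by conn and op number, and flags any source IP or DN that reaches the threshold inside the window. The log lines are constructed sample input in the standard 389DS access-log format; threshold and window values are assumptions to be tuned per deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Line types in the 389DS access log that the detector needs (timestamp prefix shared by all).
TS_RE   = re.compile(r'^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})')
CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RES_RE  = re.compile(r'conn=(\d+) op=(\d+) RESULT err=49\b')

# Constructed sample: one client spraying three accounts on one connection, plus a single benign failure.
SAMPLE_LOG = """\
[28/Jan/2024:10:15:01.000000000 +0000] conn=12 fd=64 slot=64 connection from 192.0.2.10 to 198.51.100.5
[28/Jan/2024:10:15:01.100000000 +0000] conn=12 op=0 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128 version=3
[28/Jan/2024:10:15:01.200000000 +0000] conn=12 op=0 RESULT err=49 tag=97 nentries=0 etime=0.001
[28/Jan/2024:10:15:02.000000000 +0000] conn=12 op=1 BIND dn="uid=bob,ou=People,dc=example,dc=com" method=128 version=3
[28/Jan/2024:10:15:02.100000000 +0000] conn=12 op=1 RESULT err=49 tag=97 nentries=0 etime=0.001
[28/Jan/2024:10:15:03.000000000 +0000] conn=12 op=2 BIND dn="uid=carol,ou=People,dc=example,dc=com" method=128 version=3
[28/Jan/2024:10:15:03.100000000 +0000] conn=12 op=2 RESULT err=49 tag=97 nentries=0 etime=0.001
[28/Jan/2024:10:15:30.000000000 +0000] conn=13 fd=65 slot=65 connection from 203.0.113.7 to 198.51.100.5
[28/Jan/2024:10:15:30.100000000 +0000] conn=13 op=0 BIND dn="uid=dave,ou=People,dc=example,dc=com" method=128 version=3
[28/Jan/2024:10:15:30.200000000 +0000] conn=13 op=0 RESULT err=49 tag=97 nentries=0 etime=0.001
""".splitlines()

def detect_failed_binds(lines, threshold=3, window_s=60):
    """Return {('ip'|'dn', key): peak count} for keys whose err=49 hits reach threshold within window_s."""
    conn_ip, op_dn = {}, {}          # conn -> client IP, (conn, op) -> bind DN
    hits, alerts = defaultdict(deque), {}
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2); continue
        m = BIND_RE.search(line)
        if m:
            op_dn[(m.group(1), m.group(2))] = m.group(3); continue
        m = RES_RE.search(line)
        if not m: continue           # only err=49 RESULT lines count as failed binds
        ts = datetime.strptime(TS_RE.match(line).group(1), '%d/%b/%Y:%H:%M:%S')
        keys = [('ip', conn_ip.get(m.group(1), 'unknown')),
                ('dn', op_dn.get((m.group(1), m.group(2)), 'unknown'))]
        for key in keys:
            q = hits[key]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # drop hits outside the rolling window
                q.popleft()
            if len(q) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts
```

Because the conn-to-IP mapping comes from an earlier line, the detector must consume the log in order; when feeding it from a SIEM, keep the conn/op correlation keyed per instance, since conn numbers restart after a server restart.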