Operating System - HP-UX

How to log all invalid login attempts

 
Daniel McGee
New Member

How to log all invalid login attempts

Our auditors are asking us where they can find a log of all users that performed an invalid login to our system. I thought I would find this in the syslog, but when I lock a user after 5 invalid tries, I don't see anything in the syslog.
Pete Randall
Outstanding Contributor

Re: How to log all invalid login attempts

Try the lastb command.


Pete

Daniel McGee
New Member

Re: How to log all invalid login attempts

Hi Pete,
The lastb command gives me all the last logins of all users but can it also give me the users that were locked after 5 tries?
Pete Randall
Outstanding Contributor

Re: How to log all invalid login attempts

Is this system trusted? Take a look at the getprpw command, in particular the "lockout" option.


Pete

Steven E. Protter
Exalted Contributor

Re: How to log all invalid login attempts

Shalom,

Without a script or trusted system you are not going to get a record of locked out users.

I'll assume your system is trusted, because if you'd written a lastb script you would be able to change it to log the users that get locked out.

You can enhance system logging with the inetd -l to get additional information about bad logins in syslog.

passwd -sa will show you the status of users and may show locked or expired users. If your system is trusted take a look at it.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
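
An added example, not code posted by anyone in this thread: a shell function that tallies lastb records per user and marks accounts at or over the five-attempt limit from the original question. The record layout, the function names and the sample records are assumptions; it counts total bad logins, not consecutive ones, so it flags lockout candidates rather than confirming a lock.

```shell
#!/bin/sh
# Added example: per-user summary of lastb-style bad-login records.
# Assumption: every record starts with the user name, followed by the tty
# and (for network logins) the remote host, then the date and time.

THRESHOLD=${THRESHOLD:-5}   # lockout limit quoted in the question

# Reads lastb output on stdin, limit as $1.
# Prints "user count status", highest count first.
summarize_badlogins() {
    awk -v limit="$1" '
        # Skip blank lines and a "... begins ..." trailer if one is printed.
        NF == 0 || $2 == "begins" { next }
        { fails[$1]++ }
        END {
            for (u in fails)
                printf "%s %d %s\n", u, fails[u],
                       (fails[u] >= limit ? "AT_OR_OVER_LIMIT" : "below_limit")
        }' | sort -k2,2nr -k1,1
}

# Constructed sample records (not taken from a real system).
sample_lastb() {
    cat <<'EOF'
dmcgee   pts/ta   10.0.0.15   Mon Mar  3 10:15
dmcgee   pts/ta   10.0.0.15   Mon Mar  3 10:15
root     console              Mon Mar  3 10:02
dmcgee   pts/ta   10.0.0.15   Mon Mar  3 10:14
oracle   pts/tb   10.0.0.22   Mon Mar  3 09:58
dmcgee   pts/ta   10.0.0.15   Mon Mar  3 10:14
root     console              Mon Mar  3 09:41
dmcgee   pts/ta   10.0.0.15   Mon Mar  3 10:13

btmp begins Mon Mar  3 09:00
EOF
}

# On the host itself (run as a user allowed to read the bad-login file):
#   lastb | summarize_badlogins "$THRESHOLD"
if [ "${1:-}" = "--demo" ]; then
    sample_lastb | summarize_badlogins "$THRESHOLD"
fi
```

Bad-login records can contain passwords typed at the user-name prompt, so keep the summary output as restricted as the source file.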
Daniel McGee
New Member

Re: How to log all invalid login attempts

Thanks Pete and Steven, I think that with a combination of the commands I should be able to give the auditors what they want!
blah2blah
Frequent Advisor

Re: How to log all invalid login attempts

first you need to define what is a "login".
using telnet and rlogin probably is. But, are you running X, or have other hardwired access (terminal or modem)?

how about ftp, ssh, or remote access via SAM?

what about things like snmp, uucp, cron/at?

maybe not cronjobs, but what about jobs done via scheduler such as autosys or other 3rd party tools such as connect direct?

how about via management tools such as tivoli, unicenter, openview, etc.

what about your backup software?

and it also depends on what you're using to do your logging. most unix commands do their logging via syslog. but you need to configure them to send the information to the syslog and syslog needs to be configured as to which information it is going to log.

so, you need to define what is a login, check to see how those utilities are configured to do logging, and then check the logging facility to see if it is configured to log those events.
Roberto Arias
Valued Contributor

Re: How to log all invalid login attempts

Hello Dani:

You can configure *.auth in syslog.conf for system access and then look in the file auth.log for the access denied entries.

For ftp access you can activate xferlog in the same syslog.conf

best regards
The man is your friend
Daniel McGee
New Member

Re: How to log all invalid login attempts

I will combine some of the solutions that were posted.

Thanks everyone