topic Re: unknown user-id login count limit in Operating System - HP-UX

unknown user-id login count limit

Melody Pulling — Tue, 09 Sep 2003 15:48:13 GMT

Is there a way to set a limit on the number of times an unknown user-id (does not exist) tries to log in? Similiar to the failed login count for a known user-id...

Thank you!
Melody

Re: unknown user-id login count limit

Steven E. Protter — Tue, 09 Sep 2003 15:55:07 GMT

You should not let an unknown user log in at all, but her goes.

Find out what ip address they are logging into.

inetd -l

That will enhance logging.

look at /var/adm/syslog/syslog.log

Then create or modify a file called

/var/adm/inetd.sec

Block access to that IP address.

I'm attaching my file so you can see the syntax. It has been purified.

SEP

Re: unknown user-id login count limit

Mark Grant — Tue, 09 Sep 2003 15:55:15 GMT

I think the problem here is what are you going to do when you reach this limit? Are you going to stop putting a "login" message on the screen, are you going to disable the terminal.

I don't think you can do what you are asking here simply because I'm not sure there isn't much you can do with the information, you can't lock the account because there isn't one and you can't log them out as they aren't logged in.

I may be missing something obvious though.

Re: unknown user-id login count limit

Pete Randall — Tue, 09 Sep 2003 15:56:15 GMT

Melody,

If it's an unknown user id (by this I assume you mean that it does not exist in the password file/database), then it never gets logged in - why would you care?

Pete

Re: unknown user-id login count limit

Melody Pulling — Tue, 09 Sep 2003 16:14:03 GMT

Sorry for any confusion. We are trying to address an audit item. Urf, I didn't state the "why" and "result" we are looking for. Should an unknown user-id (does not exist in passwd file) try to log in more than 3 times, say via telnet, their telnet session should be terminated. The default seems to be 10 failed attempts before their session is terminated.

For a known user we have it set to 3 failed attempts but the result is that their account is then locked.

Re: unknown user-id login count limit

Mark Grant — Tue, 09 Sep 2003 16:26:49 GMT

This is going to be really tough. You may be able to get the info from the syslog but you somehow have got to get the "login" program to do the counting, Then you have to kill the associated telnetd which might be a bit tricky too because you can't key on ip address as there might be several people using the same ip address to telnet to you some of whom may be legit.

The only way I can see this being possible is to write your own "login".

To be honest, what's the point anyway, you can kill the telnet session but that doesn't stop them telnetting right back to you.

Re: unknown user-id login count limit

Melody Pulling — Tue, 09 Sep 2003 16:38:19 GMT

Thank you ALL very much for your time and replies.

Mark,

Thank you! That is what I thought but had to confirm it for our auditing department.

:-)

Have a great day.
Melody