https://community.hpe.com/t5/operating-system-hp-ux/catching-users/m-p/3130346#M152891 if you use last -R yuo will get the IP@<BR /><BR />man last<BR /><BR />Rgds,<BR />Jean-Luc Thu, 27 Nov 2003 09:49:36 GMT Jean-Luc Oudart 2003-11-27T09:49:36Z https://community.hpe.com/t5/operating-system-hp-ux/catching-users/m-p/3130345#M152890 I have a situation with one of my users where I believe they are logging in using a different user id to gain greater access to our systems. I really need to see historically where particular users were logged in (using IP address) at a point in time. The 'last' command doesn't seem to give me the IP address where the user was logged in, is there any way I can match an IP address with a user historically ?? I realise it's a long shot but it would be really useful !<BR /><BR />Does wtmp hold any valuable info ?<BR /><BR />All help rewarded !!!<BR /><BR />Thankyou <BR />Simon Thu, 27 Nov 2003 09:47:15 GMT https://community.hpe.com/t5/operating-system-hp-ux/catching-users/m-p/3130345#M152890 Simon R Wootton 2003-11-27T09:47:15Z https://community.hpe.com/t5/operating-system-hp-ux/catching-users/m-p/3130346#M152891 if you use last -R yuo will get the IP@<BR /><BR />man last<BR /><BR />Rgds,<BR />Jean-Luc Thu, 27 Nov 2003 09:49:36 GMT https://community.hpe.com/t5/operating-system-hp-ux/catching-users/m-p/3130346#M152891 Jean-Luc Oudart 2003-11-27T09:49:36Z https://community.hpe.com/t5/operating-system-hp-ux/catching-users/m-p/3130347#M152892 As an extra note to the above reply, tracking back to an IP address may not prove anything if the address is part of a DHCP pool. <BR /><BR />If you use static addresses, you should be OK though (unless your users are smart enough to change their IP address too before logging in). Thu, 27 Nov 2003 09:54:50 GMT https://community.hpe.com/t5/operating-system-hp-ux/catching-users/m-p/3130347#M152892 Chris Wilshaw 2003-11-27T09:54:50Z https://community.hpe.com/t5/operating-system-hp-ux/catching-users/m-p/3130348#M152893 This sounds fairly serious so you may need to take drastic actions once you discover the abusers. I would start by changing the password on the compromised login acctounts, notifying the real owner of the account to never share a password and depending on your company's security policy (you do have one don't you?) have appropriate disciplinary action take place. And I would hope that you do NOT have multiple UID=0 accounts on your system! This is the first place that a hacker will try to attack your system. If you need assistance from other users to perform certain sysadmin tasks as root, get a copy of sudo and never give out the root password. Thu, 27 Nov 2003 09:56:15 GMT https://community.hpe.com/t5/operating-system-hp-ux/catching-users/m-p/3130348#M152893 Bill Hassell 2003-11-27T09:56:15Z https://community.hpe.com/t5/operating-system-hp-ux/catching-users/m-p/3130349#M152894 On Chris comments,<BR />It would depend on your "lease" policy for DHCP and how far back in time you want to track the suer IP@<BR /><BR />Rgds,<BR />Jean-Luc Thu, 27 Nov 2003 09:58:44 GMT https://community.hpe.com/t5/operating-system-hp-ux/catching-users/m-p/3130349#M152894 Jean-Luc Oudart 2003-11-27T09:58:44Z https://community.hpe.com/t5/operating-system-hp-ux/catching-users/m-p/3130350#M152895 Simon,<BR /><BR />Lock,disable or password change the account in question.<BR /><BR />See who complains ! Only the owner of the account will shout, and they should be educated about login/password confidentiality. <BR /><BR />Next have a look back at last -R for previous and current logged users and ip address details. Its a guide but not a fool-proof way of tracking the originator/source<BR /><BR />Keith<BR /><BR /> Thu, 27 Nov 2003 11:44:15 GMT https://community.hpe.com/t5/operating-system-hp-ux/catching-users/m-p/3130350#M152895 Keith Bevan_1 2003-11-27T11:44:15Z