topic Re: root login attempt in Operating System - HP-UX

root login attempt

John McDen — Wed, 08 May 2002 13:01:56 GMT

How do I know which user(s) tried to login as root ?? is there a place it logs the login attempts??

Re: root login attempt

Pete Randall — Wed, 08 May 2002 13:03:52 GMT

su to any other user is recorded in syslog. I don't think logins are, though.

Pete

Re: root login attempt

MANOJ SRIVASTAVA — Wed, 08 May 2002 13:06:33 GMT

Hi John

/var/adm/sulog is the file which has the information , genreally in the format

SU date time <+/-> user name su name

+ if the user was suceeful
- if the user was not sucessful

we have disabled logins to even root , oracle so that we can track down using sulog as who su ing .

Manoj Srivastava

Re: root login attempt

John McDen — Wed, 08 May 2002 13:06:43 GMT

Thanks ...pete

Re: root login attempt

harry d brown jr — Wed, 08 May 2002 13:07:34 GMT

If a user tries to login as root, then the username will showup as root, not their actual name or username.

I would suggest only allowing root to login from the console, and then disable the login by typing in the password wrong until it reashes the "disable" limit.

live free or die
harry

Re: root login attempt

T G Manikandan — Wed, 08 May 2002 13:07:59 GMT

Check the
/var/adm/sulog
(the log file for the successful and failure attempts for su)

root logins with ipaddress can be had from the wtmp file.
YOu can check for the ipaddress that other than yours for the root logins.

use fwtmp command to change the wtmp file to ascii and check it out.

fwtmp /tmp/wtmp.ascii

Thanks

Re: root login attempt

Helen French — Wed, 08 May 2002 13:08:55 GMT

Hi John:

Check these files:
/var/adm/sulog - su information
/var/adm/syslog/syslog.log
/var/adm/wtmp - logins
/var/adm/btmp - bad logins

and these commands:

# last
# lastb

HTH,
Shiju