https://community.hpe.com/t5/operating-system-hp-ux/failed-telnet-login-attempts-to-syslog/m-p/3680325#M742610 Hi I have trusted systems with auditing turned on, but for SOX they would like failed login attempts written to syslog and forwarded to a centralized logging server running 3rd party software. I have logging set in /etc/inetd.conf (telnetd -l) I see the connections but not failed logins. I come from a secure shell background, but telnet is a must have here right now. How to get failed login attempts written to syslog? Thank you for your time Mon, 28 Nov 2005 17:53:18 GMT Janet White 2005-11-28T17:53:18Z https://community.hpe.com/t5/operating-system-hp-ux/failed-telnet-login-attempts-to-syslog/m-p/3680325#M742610 Hi I have trusted systems with auditing turned on, but for SOX they would like failed login attempts written to syslog and forwarded to a centralized logging server running 3rd party software. I have logging set in /etc/inetd.conf (telnetd -l) I see the connections but not failed logins. I come from a secure shell background, but telnet is a must have here right now. How to get failed login attempts written to syslog? Thank you for your time Mon, 28 Nov 2005 17:53:18 GMT https://community.hpe.com/t5/operating-system-hp-ux/failed-telnet-login-attempts-to-syslog/m-p/3680325#M742610 Janet White 2005-11-28T17:53:18Z https://community.hpe.com/t5/operating-system-hp-ux/failed-telnet-login-attempts-to-syslog/m-p/3680326#M742611 Hi Janet:<BR /><BR />Failed logins are logged in '/var/adm/btmp' if the file is present.<BR /><BR />If not, 'touch' it to create it. Make sure that the permissions are set *only* to allow root read-access. It is possible that passwords from the failed logins will be exposed in this file.<BR /><BR />For more information see the man pages for 'last'. 'lastb' is used to read this binary file as noted therein.<BR /> <BR />Regards!<BR /><BR />...JRF... Mon, 28 Nov 2005 18:27:19 GMT https://community.hpe.com/t5/operating-system-hp-ux/failed-telnet-login-attempts-to-syslog/m-p/3680326#M742611 James R. Ferguson 2005-11-28T18:27:19Z https://community.hpe.com/t5/operating-system-hp-ux/failed-telnet-login-attempts-to-syslog/m-p/3680327#M742612 Janet -<BR /><BR />The HP-UX Host IDS product, available as a free download from software.hp.com, does monitor btmp for 11i (and btmps for 11iv2) for failed login attempts, whether they be for remote (rlogin), telnet, or ssh logins. You simply need to write a trivial script (examples in the Admin Guide) that can be invoked for every failed login attempt and that can then forward the failed login information to your centralized server. The alert will contain the login name that was supplied and the host name and IP address of the host from which the login was initiated. <BR /><BR />I have attached a testimonial from one customer who uses our product for SOX compliance. <BR /><BR />Let me know if you have any questions regarding HP-UX HIDS, which can do more than just monitor failed logins. The Admin Guide can be found at docs.hp.com.<BR /><BR />Pierre<BR /><BR /> Mon, 28 Nov 2005 19:27:04 GMT https://community.hpe.com/t5/operating-system-hp-ux/failed-telnet-login-attempts-to-syslog/m-p/3680327#M742612 Pierre Pasturel 2005-11-28T19:27:04Z https://community.hpe.com/t5/operating-system-hp-ux/failed-telnet-login-attempts-to-syslog/m-p/3680328#M742613 I like using lastb, but that doesn't get my failed logins to syslog. I will look into the HIDS product. Thank you both. Mon, 28 Nov 2005 21:18:40 GMT https://community.hpe.com/t5/operating-system-hp-ux/failed-telnet-login-attempts-to-syslog/m-p/3680328#M742613 Janet White 2005-11-28T21:18:40Z https://community.hpe.com/t5/operating-system-hp-ux/failed-telnet-login-attempts-to-syslog/m-p/3680329#M742614 Just try to restart inetd using # inetd -c or # /sbin/init.d/inetd stop and /sbin/init.d/inetd start. # lastb -R will provide failed login details. <BR /><BR />-Arun Mon, 28 Nov 2005 22:44:03 GMT https://community.hpe.com/t5/operating-system-hp-ux/failed-telnet-login-attempts-to-syslog/m-p/3680329#M742614 Arunvijai_4 2005-11-28T22:44:03Z