topic Re: Tracking down failed FTP logins in Operating System - HP-UX

Tracking down failed FTP logins

Chuck Sims — Tue, 02 Sep 2003 19:02:49 GMT

Aloha All,

I've been receiving periodic complaints from one of our customers about not being able to log into their ftp account on one of our HP-UX 11.0 servers. It seems that it works fine one day, but the account has been disable the next time they try to use it. Sometimes the time between good and bad is only a day or two. At other times, it has been a couple of weeks. I've looked through the console logs and the syslog, and I can see lots of failed login attempts, but I can't find out where they are coming from. The syslog shows the IP address for successful logins, but not, apparently, for failed logins.

Is there another place I should be looking that will show me where these failed logins are coming from? My suspicion is that is that there is a PC out there that still has an old password defined in a batch process. I'd like to be able to prove or dispel this theory.

Thanks in advance for any and all help.

Re: Tracking down failed FTP logins

Brian Bergstrand — Tue, 02 Sep 2003 19:08:42 GMT

Have tried :

# who -a /var/adm/btmp

That should output where the bad connections are coming from.

HTH.

Re: Tracking down failed FTP logins

A. Clay Stephenson — Tue, 02 Sep 2003 19:10:55 GMT

I would add the -l and -v options to your ftp entry in /etc/inetd.conf. This will greatly increase the logging of the ftpd daemon. After making the change to the inetd.conf, issue an "inetd -c" command to signal inetd too reread the configuration file.

Re: Tracking down failed FTP logins

Uday_S_Ankolekar — Tue, 02 Sep 2003 19:10:57 GMT

use last -R for sucessful logins and lastb -R for unsuccessful
This command will give you all the details you are looking for.

-USA..

Re: Tracking down failed FTP logins

Elena Leontieva — Tue, 02 Sep 2003 19:12:38 GMT

You may run this command:

lastb -R |grep ftp

Elena.

Re: Tracking down failed FTP logins

James R. Ferguson — Tue, 02 Sep 2003 19:31:52 GMT

Hi:

'lastb' will only work if bad login accounting is enabled. The absence of '/var/adm/btmp' means that bad login accounting is *disabled*. To enable it, as the root user, do:

# touch /var/adm/btmp
# chmod 600 /var/adm/btmp

For security reasons, only the owner (root) should have access.

Regards!

...JRF...

Re: Tracking down failed FTP logins

Jim Mallett — Tue, 02 Sep 2003 19:45:02 GMT

Chuck,

Try running:
# inetd -l

This will turn on connection logging. Then in your /var/adm/syslog file, just prior to the FTP instance, you will see the TCP connection with the IP address.

Here is an example from my system:
Before running inetd -l
Sep 2 16:39:06 ddfin01 ftpd[21530]: User root: Login incorrect
Sep 2 16:39:07 ddfin01 ftpd[21530]: FTP session closed

After running inetd -l
Sep 2 16:39:15 ddfin01 inetd[1112]: Connection logging enabled
Sep 2 16:39:19 ddfin01 inetd[21556]: ftp/tcp: Connection from fang (10.10.2.103
) at Tue Sep 2 16:39:19 2003
Sep 2 16:39:24 ddfin01 ftpd[21556]: pam_authenticate: Authentication failed
Sep 2 16:39:24 ddfin01 ftpd[21556]: User root: Login incorrect
Sep 2 16:39:25 ddfin01 ftpd[21556]: FTP session closed

The failed IP address shows up now.

I don't know that btmp is going to get failed FTP logins.

Jim

Re: Tracking down failed FTP logins

Jim Mallett — Tue, 02 Sep 2003 19:55:47 GMT

ps...

When you get the information you want, run inetd -l again to shut it off. This will list all attempted connections to services so the syslog file can get big quick.

Jim

Re: Tracking down failed FTP logins

Chuck Sims — Wed, 17 Sep 2003 03:11:35 GMT

Aloha All,

Thanks to everyone for the very helpful suggestions. I've turned on connection logging with inetd -l and it's working great. The other suggestions were excellent, also, and have given me some more tools to use in tracking down this problem.

Thanks again...

Chuck