Operating System - HP-UX

Re: Authorization failed messages

 
Chandrahasa s
Valued Contributor

Authorization failed messages

We have two servers, 168.1 and 168.2.
The root account on 168.2 is getting locked regularly.
When I go through the syslog of 168.2, I see messages that authorization for root from 168.1 failed.
Can anyone suggest how I can find which application or process on 168.1 is contacting 168.2?
And is there any way to find a list of login requests from 168.1 to other servers?
Dennis Handly
Acclaimed Contributor

Re: Authorization failed messages

If you use "lastb -R" you can get the source machine.
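
The "lastb -R" suggestion above, as an added example that is not part of the original thread: a shell function that tallies failed logins per user and source host. The column layout (user, tty, host, date), the function names and the sample hostnames are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: summarize "lastb -R" output by (user, source host).
# Assumed column layout (not shown in the thread): user, tty, host, date.

tally_bad_logins() {
    # Reads lastb -R style lines on stdin and prints "count user host",
    # busiest first. Optional $1: minimum count to report (default 1).
    min="${1:-1}"
    awk -v min="$min" '
        NF < 4         { next }   # blank or short lines carry no host field
        $2 == "begins" { next }   # trailer line such as "btmp begins ..."
        { n[$1 " " $3]++ }        # key on user + source host
        END { for (k in n) if (n[k] >= min) print n[k], k }
    ' | sort -k1,1nr -k2,3
}

# Constructed sample input; hostnames and times are made up.
sample_lastb() {
    cat <<'EOF'
root     pts/ta   host168-1    Mon Mar  2 10:15
root     pts/ta   host168-1    Mon Mar  2 10:20
oracle   pts/tb   host168-9    Mon Mar  2 10:21
root     pts/tc   host168-1    Mon Mar  2 10:25

btmp begins Mon Mar  2 10:15
EOF
}

# On a live system, as root: lastb -R | tally_bad_logins 3
sample_lastb | tally_bad_logins
```

A source host that repeatedly appears against root here is the machine to investigate next, for example through its crontab entries and scripts as suggested later in the thread.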
Michal Kapalka (mikap)
Honored Contributor

Re: Authorization failed messages

hi,

follow the advice from Dennis, and also you could check the connections with the Network Admins.

mikap
Chandrahasa s
Valued Contributor

Re: Authorization failed messages

Hi all,
Thanks for the replies.

Here I want to know all login requests from 168.1 to other servers.

I want to know exactly which process on 168.1 sends these login requests.
Johnson Punniyalingam
Honored Contributor

Re: Authorization failed messages

>>Here I want to know all login requests from 168.1 to other servers.<<

>>I want to know exactly which process on 168.1 sends these login requests.<<

It is pretty difficult for all of us to find what you are looking for. You must be familiar with your server or application setup, or have some documentation, to start digging into the problem; otherwise we'll be shooting in a dark room .. ;(

Check crontab entries?
Any ftp jobs? I could understand if you have a script with a hard-coded "password"; its execution could cause your root account to get locked regularly. Either you reset the unsuccessful login count to "0" for the root account.

Have you followed the advice from Dennis's post?

# last -R

You can also check the file below:

# cat /var/adm/syslog/syslog.log

# netstat -an |grep -i 168.2.168.1
Problems are common to all, but attitude makes the difference
Dennis Handly
Acclaimed Contributor

Re: Authorization failed messages

>I want to know exactly which process on 168.1 sends these login requests.

I guess you already know which machine is attacking yours?

You may have to turn on auditing to find who is sending bogus passwords to your machine.
Chandrahasa s
Valued Contributor

Re: Authorization failed messages

Thanks to all.