Re: Tracking Invalid Login Attempts
05-06-2010 12:22 PM
OS: HP-UX 11i
My account is locked out every night due to invalid login attempts. I left my account locked out for a week to see if the activity would stop, it has not. I suspect a system somewhere is trying to log in as me, but I am unsure how I can find out when the attempts occur, and from what IP address.
I found a post that refers to /var/adm/btmp but all I see in there is this:
#lastb btmp
BTMPS_FILE begins at Wed Jul 9 14:15:05
Thanks for your assistance.
05-06-2010 12:25 PM
Solution
# lastb -R abc123
This will show all invalid login attempts for user abc123 along with the IP address or hostname and the date and time of the attempt.
If you still need more information, have a look at the man page. Remember that man pages are your friend.
05-06-2010 12:31 PM
Re: Tracking Invalid Login Attempts
In addition to using 'lastb' to look for failed logins, you might want to examine '/var/adm/sulog' for failed 'su' attempts.
In your original post the command:
# lastb btmp
...returned nothing other than the origination timestamp of the log file because there is no user named 'btmp' recorded. If your login account was 'kevin' you would do:
# lastb kevin
As Patrick said, be sure to read the manpages for more information.
Regards!
...JRF...
05-06-2010 12:32 PM
Re: Tracking Invalid Login Attempts
unknown.ISPNAME.com
unknown.ISPNAME.com
unknown.ISPNAME.com
This file resolves host names where it can, is there a way I can force it to capture IP instead of this?
unknown.ISPNAME.com
05-06-2010 12:35 PM
Re: Tracking Invalid Login Attempts
That is what is resolved from DNS. If you do a 'nslookup' on that name you should get an IP address. If it cannot resolve the name, then it will record the IP address.
05-06-2010 12:38 PM
Re: Tracking Invalid Login Attempts
Thanks!
Kevin
05-06-2010 03:48 PM
Re: Tracking Invalid Login Attempts
> Interestingly, it comes back with the IP of my Domain Controller / DNS Server..
Is this machine also a VPN server? If so, someone (or some job) is being run through that system to get to your box. Since this is obviously impacting your work, I would create a new login, then move all your $HOME files to the new login and change ownership. That will cut off the lockouts and give you time to track down the culprit.
Since all you have is the DNS/DC (VPN?) system, start going through all the logs on that server looking for new transactions that match the lockout attempts. You will probably have to use Wireshark to eavesdrop on the network traceback to the source.
Bill Hassell, sysadmin
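
Added example, not part of any post in this thread: a small filter that answers the original question (when the attempts occur and from where) by grouping `lastb -R` output by source host and hour of day. The sample lines, the addresses in them and the column layout (user, line, host, weekday, month, day, HH:MM) are constructed assumptions; adjust the field numbers to what `lastb -R` prints on your system.

```shell
#!/bin/sh
# Summarise failed logins from `lastb -R <user>` by source host and hour.
# Assumed column layout (constructed; verify against your own output):
#   user  line  host  weekday  month  day  HH:MM

# Constructed sample standing in for: lastb -R abc123
sample_lastb() {
cat <<'EOF'
abc123   ssh:notty   unknown.ISPNAME.com   Thu May  6 02:15
abc123   ssh:notty   unknown.ISPNAME.com   Thu May  6 02:15
abc123   ssh:notty   unknown.ISPNAME.com   Thu May  6 02:16
abc123   ssh:notty   192.0.2.10            Wed May  5 02:14
abc123   ssh:notty   unknown.ISPNAME.com   Wed May  5 02:15
abc123   pts/ta      198.51.100.7          Tue May  4 14:40

BTMPS_FILE begins at Wed Jul  9 14:15:05
EOF
}

# Read lastb-style lines on stdin; print "count host hour", busiest first.
# Hours are bucketed across days, so a nightly job shows up as one large row.
summarize_lastb() {
    awk '
        # Skip blank lines and the "BTMPS_FILE begins at ..." trailer.
        NF < 7 || $1 == "BTMPS_FILE" { next }
        {
            split($7, t, ":")          # HH:MM -> hour bucket
            key = $3 " " t[1] ":00"
            n[key]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2,2
}

# Sources recorded as names rather than addresses; these are the ones
# to run through nslookup, as suggested in the thread.
unresolved_hosts() {
    awk 'NF >= 7 && $1 != "BTMPS_FILE" && $3 !~ /^[0-9.]+$/ { print $3 }' |
        sort -u
}

sample_lastb | summarize_lastb
```

On a live system, replace `sample_lastb` with `lastb -R abc123` (using your own login name) and pipe it into either function.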