Re: Tracking Invalid Login Attempts

Kevin Ruthven · ‎05-06-2010

I'm a novice HP-UX administrator, and rely on outsourced help for the most part, but I'm not receiving a satisfactory response to this dilema from my software vendor, perhaps you can assist.

OS: HP-UX 11i

My account is locked out every night due to invalid login attempts. I left my account locked out for a week to see if the activity would stop, it has not. I suspect a system somewhere is trying to log in as me, but I am unsure how I can find out when the attempts occur, and from what IP address.

I found a post that refers to /var/adm/btmp but all I see in there is this:

#lastb btmp
BTMPS_FILE begins at Wed Jul 9 14:15:05

Thanks for your assistance.

Patrick Wallek · ‎05-06-2010

If you user id is abc123, then execute the following:

# lastb -R abc123

This will show all invalid login attemts for user abc123 along with the IP address or hostname and the date and time of the attempt.

If you still need more information, have a look at the man page. Remember that man pages are your friend.

James R. Ferguson · ‎05-06-2010

Hi Kevin:

In addtion to using 'lastb' to look for failed logins, you might want to examine '/var/adm/sulog' for failed 'su' attempts.

In your original post the command:

# lastb btmp

...returned nothing other than the origination timestamp of the log file because there is no user named 'btmp' recorded. If your login account was 'kevin' you would do:

# lastb kevin

As Patrick said, be sure to read the manpages for more information.

Regards!

...JRF...

Kevin Ruthven · ‎05-06-2010

Well, that certainly makes a difference, thanks for the help. I see lot's of references to my own PC, and a serer here and there that are all sensible. What I don't like in the file is this

unknown.ISPNAME.com
unknown.ISPNAME.com
unknown.ISPNAME.com

This file resolves host names where it can, is there a way I can force it to capture IP instead of this?

unknown.ISPNAME.com

Patrick Wallek · ‎05-06-2010

>>unknown.ISPNAME.com

That is what is resolved from DNS. If you do a 'nslookup' on that name you should get an IP address. If it cannot resolve the name, then it will record the IP address.

Kevin Ruthven · ‎05-06-2010

Interestingly, it comes back with the IP of my Domain Controller / DNS Server... I don't have a solution to my problem yet, but this will help me get there.

Thanks!
Kevin

Bill Hassell · ‎05-06-2010

If the login failures are evenly in time, it is likely a cron job that is trying to run a job as your login.

> Interestingly, it comes back with the IP of my Domain Controller / DNS Server..

Is this machine also a VPN server? If so, someone (or some job) is being run through that system to get to your box. Since this is obviously impacting your work, I would create a new login, then move all your $HOME files to the new login and change ownership. That will cut off the lockouts and give you time to track down the culprit.

Since all you have is the DNS/DC (VPN?) system, start going through all the logs on that server looking for new transactions that match the lockout attempts. You will probably have to use Wireshark to eavesdrop on the network traceback to the source.

Bill Hassell, sysadmin

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Tracking Invalid Login Attempts

Tracking Invalid Login Attempts