System Administration
Tracking Invalid Login Attempts

SOLVED

I'm a novice HP-UX administrator, and rely on outsourced help for the most part, but I'm not receiving a satisfactory response to this dilemma from my software vendor, perhaps you can assist.

OS: HP-UX 11i

My account is locked out every night due to invalid login attempts. I left my account locked out for a week to see if the activity would stop, it has not. I suspect a system somewhere is trying to log in as me, but I am unsure how I can find out when the attempts occur, and from what IP address.

I found a post that refers to /var/adm/btmp but all I see in there is this:

# lastb btmp
BTMPS_FILE begins at Wed Jul 9 14:15:05

Thanks for your assistance.

Solution

Re: Tracking Invalid Login Attempts

If your user ID is abc123, then execute the following:

# lastb -R abc123

This will show all invalid login attempts for user abc123 along with the IP address or hostname and the date and time of the attempt.

If you still need more information, have a look at the man page. Remember that man pages are your friend.


Re: Tracking Invalid Login Attempts

Hi Kevin:

In addition to using 'lastb' to look for failed logins, you might want to examine '/var/adm/sulog' for failed 'su' attempts.

In your original post the command:

# lastb btmp

...returned nothing other than the origination timestamp of the log file because there is no user named 'btmp' recorded. If your login account was 'kevin' you would do:

# lastb kevin

As Patrick said, be sure to read the manpages for more information.

Regards!

...JRF...

Re: Tracking Invalid Login Attempts

Well, that certainly makes a difference, thanks for the help. I see lots of references to my own PC, and a server here and there, that are all sensible. What I don't like in the file is this:

unknown.ISPNAME.com
unknown.ISPNAME.com
unknown.ISPNAME.com

This file resolves host names where it can, is there a way I can force it to capture IP instead of this?


Re: Tracking Invalid Login Attempts

>>unknown.ISPNAME.com

That is what is resolved from DNS. If you do a 'nslookup' on that name you should get an IP address. If it cannot resolve the name, then it will record the IP address.


Re: Tracking Invalid Login Attempts

Interestingly, it comes back with the IP of my Domain Controller / DNS Server... I don't have a solution to my problem yet, but this will help me get there.

Thanks!
Kevin

Re: Tracking Invalid Login Attempts

If the login failures are evenly spaced in time, it is likely a cron job that is trying to run a job as your login.

> Interestingly, it comes back with the IP of my Domain Controller / DNS Server..

Is this machine also a VPN server? If so, someone (or some job) is being run through that system to get to your box. Since this is obviously impacting your work, I would create a new login, then move all your $HOME files to the new login and change ownership. That will cut off the lockouts and give you time to track down the culprit.

Since all you have is the DNS/DC (VPN?) system, start going through all the logs on that server looking for new transactions that match the lockout attempts. You will probably have to use Wireshark to eavesdrop on the network traceback to the source.


Bill Hassell, sysadmin
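The accepted answer shows how to pull the failed attempts for one account with `lastb -R`, and the last reply points out that evenly spaced failures are the signature of a scheduled job rather than a person. The script below ties the two together: it parses `lastb -R` output, groups attempts by (user, source host) and flags sources whose inter-arrival times are nearly constant. It is an added example, not code from the thread or from HP; the sample lines are constructed, the column layout (user, tty, host, weekday month day HH:MM) is an approximation of HP-UX `lastb -R` output, and, because `lastb` prints no year, the year is supplied as a parameter (attempts spanning a year boundary would need adjusting).

```python
"""Find periodic failed-login sources in lastb -R output (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of `lastb -R abc123` output; not real log data.
# Column layout is an assumed approximation of HP-UX lastb output.
SAMPLE = """\
abc123   pts/ta   unknown.ISPNAME.com  Wed Jul  9 23:15
abc123   pts/ta   unknown.ISPNAME.com  Wed Jul  9 23:20
abc123   pts/ta   unknown.ISPNAME.com  Wed Jul  9 23:25
abc123   pts/ta   unknown.ISPNAME.com  Wed Jul  9 23:30
abc123   pts/tb   mypc.example.com     Wed Jul  9 08:02
abc123   pts/tb   mypc.example.com     Wed Jul  9 13:47
abc123   pts/tb   mypc.example.com     Wed Jul  9 17:31
BTMPS_FILE begins at Wed Jul 9 14:15:05
"""

# user  tty  host  Wkd Mon DD HH:MM ; the trailer line fails to match
# because its time carries seconds (HH:MM:SS).
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<wday>\w{3})\s+(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2})\s*$"
)


def parse_lastb(text, year=2008):
    """Return [(user, host, datetime)] for each failed attempt in `text`.

    `year` is an assumption: lastb output has no year column, so the
    caller supplies the year the btmp file covers.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "BTMPS_FILE begins at ..." trailer or odd line
        stamp = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M")
        events.append((m["user"], m["host"], stamp))
    return events


def periodic_sources(events, min_attempts=3, tolerance_s=60):
    """Group attempts by (user, host); flag sources whose gaps between
    consecutive attempts all agree within `tolerance_s` seconds.

    A human retrying a password produces irregular gaps; a cron job or
    scheduled task produces near-constant ones. Returns a dict mapping
    (user, host) -> mean interval in seconds for the flagged sources.
    """
    by_source = defaultdict(list)
    for user, host, stamp in events:
        by_source[(user, host)].append(stamp)

    hits = {}
    for source, times in by_source.items():
        if len(times) < min_attempts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:
            hits[source] = sum(gaps) / len(gaps)
    return hits


if __name__ == "__main__":
    # On the real system: lastb -R abc123 > /tmp/abc123.btmp, then
    # feed that file's contents here instead of SAMPLE.
    for (user, host), period in periodic_sources(parse_lastb(SAMPLE)).items():
        print(f"{user}@{host}: attempts every {period:.0f}s (scheduled job?)")
```

On the sample, the `unknown.ISPNAME.com` source is flagged with a 300-second period while the user's own PC, with irregular gaps, is not; resolving the flagged name with `nslookup` is then the next step, as the thread describes.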