
set up auth.log /btmp for failed login attempts

brian_31
Super Advisor

set up auth.log /btmp for failed login attempts

My question is

1. Does btmp capture all failed login attempts?

(Currently an ID is getting locked but lastb -R is not reporting it; however, if I do a failed login to the box it reports it. Wonder why?)

2. Wonder what the entries in syslog.conf should be so that I make sure I log all (everything) unsuccessful logins (capture IP etc.) in a separate log, say auth.log?

system is 11.0 trusted.

Please advise.

Brian
4 REPLIES
James R. Ferguson
Acclaimed Contributor

Re: set up auth.log /btmp for failed login attempts

Hi Brian:

To enable logging of failed logins, touch (or otherwise create):

# touch /var/adm/btmp
# chown root:other /var/adm/btmp
# chmod 600 /var/adm/btmp

The _existence_ of this file enables the logging. Remove the file to disable logging.

Now, for those who 'su' from one account to another, look at:

# /var/adm/sulog

Unsuccessful transitions have a '-' in the fourth field; successful transitions have a '+' there. The transition from user-to-user is shown in the last column of the file.

Regards!

...JRF...
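
The sulog layout described in the reply above can be summarised with a short script. This is an added example, not part of the original thread; the function names and the sample lines are constructed, and the line layout (SU, date, time, +/-, tty, from-to) is assumed from the description.

```shell
#!/bin/sh
# Added example: summarise failed 'su' transitions recorded in sulog.
# Assumed line layout: SU MM/DD HH:MM +|- tty fromuser-touser

# failed_su FILE: print "count from-to" per failed transition, most frequent first
failed_su() {
    awk '$1 == "SU" && $4 == "-" { n[$NF]++ }
         END { for (k in n) print n[k], k }' "$1" | sort -k1,1nr -k2,2
}

# failed_su_to_root FILE: print the number of failed attempts targeting root
failed_su_to_root() {
    awk '$1 == "SU" && $4 == "-" && $NF ~ /-root$/ { c++ }
         END { print c + 0 }' "$1"
}

# write_sample FILE: write constructed sample records (not real log data)
write_sample() {
    cat > "$1" <<'EOF'
SU 03/14 09:12 + pts/2 brian-root
SU 03/14 09:15 - pts/3 jdoe-root
SU 03/14 09:16 - pts/3 jdoe-root
SU 03/14 10:02 - pts/1 brian-oracle
SU 03/14 10:05 + pts/1 brian-oracle
SU 03/14 11:40 - pts/4 jdoe-root
EOF
}

# Demo on the constructed sample; on a real system pass /var/adm/sulog instead.
sample=${TMPDIR:-/tmp}/sulog.sample.$$
write_sample "$sample"
failed_su "$sample"
echo "failed su to root: $(failed_su_to_root "$sample")"
rm -f "$sample"
```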
brian_31
Super Advisor

Re: set up auth.log /btmp for failed login attempts

Hello JRF

My btmp works fine. Strangely, for one ID (which seems to lock itself) I am not getting the failed login details from btmp. If I purposely do a failed login it reports fine.

Thanks

Brian
john guardian
Super Advisor

Re: set up auth.log /btmp for failed login attempts

James,

If you're still out there, what about setting syslog.conf for:

auth.debug     <logfile>

OR

auth.info          <logfile>

OR

auth.notice      <logfile>

where <logfile> is the syslog? If successful/unsuccessful logins can be handled w/the above, what's the lowest priority where BOTH would be logged? .debug=7 .info=6 .notice=5 (at least I think that's their designated levels in the syslog.h file).


john guardian
Super Advisor

Re: set up auth.log /btmp for failed login attempts

There have been a number of views. Don't everyone chime in at once, thx................