Operating System - HP-UX

alert with incorrect logins

Matthew_50
Valued Contributor

alert with incorrect logins

Hi, gurus.

I would like to have a script that monitors the logins every 5 mins for telnet login failures, su failures, and ftp login failures, and sends an alert to sysadm.

A few points need to be checked:
1. last -R
2. /var/adm/sulog
3. /var/adm/syslog/syslog.log

Any good ideas about the script? Should I use diff? Or is there another way for the HP-UX platform? Thanks.
3 REPLIES
Mel Burslan
Honored Contributor

Re: alert with incorrect logins

#!/bin/sh
TIMESTAMP=`date +%m%d%y%H%M`

# failed interactive logins check
lastb -R > /tmp/lastb.chk
echo "#### FAILED INTERACTIVE LOGINS SINCE LAST CHECK ####" > /var/adm/report.$TIMESTAMP
diff /tmp/lastb.chk /var/adm/lastb.chk.prev >>/var/adm/report.$TIMESTAMP
mv /tmp/lastb.chk /var/adm/lastb.chk.prev

# failed su attempts: the 4th field of a sulog line is "-" when the su failed
> /tmp/sulog.chk        # start from an empty file, otherwise old entries pile up
cat /var/adm/sulog | while read s d t PM c u
do
    if [ "$PM" = "-" ]
    then
        echo $s $d $t $PM $c $u >> /tmp/sulog.chk
    fi
done                    # the loop must be closed before the report is written
echo "#### FAILED SU ATTEMPTS SINCE LAST CHECK ####" >> /var/adm/report.$TIMESTAMP
diff /tmp/sulog.chk /var/adm/sulog.chk.prev >>/var/adm/report.$TIMESTAMP
mv /tmp/sulog.chk /var/adm/sulog.chk.prev

# failed ftp attempts (grep the log file itself, not the /var/adm/syslog directory)
grep "Login incorrect" /var/adm/syslog/syslog.log | grep ftpd > /tmp/ftpfail.chk
echo "#### FAILED FTP LOGINS SINCE LAST CHECK ####" >> /var/adm/report.$TIMESTAMP
diff /tmp/ftpfail.chk /var/adm/ftpfail.chk.prev >>/var/adm/report.$TIMESTAMP
mv /tmp/ftpfail.chk /var/adm/ftpfail.chk.prev


If you put all of this into a script and schedule it via cron, you should be fine. Of course, in its first run, as there will be no .prev files, it will give you errors. So it would be better if you run it once from the command line and create the .prev files.

You can use the same construct for other things that you may wish to add to your monitor in the future.

Hope this helps
________________________________
UNIX because I majored in cryptology...
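The snapshot-and-compare approach in the answer above, written out as an added example (not Mel's script and not HP's code): each run extracts the failed su and ftp entries, keeps the result as the next run's snapshot, and reports only lines that were not in the previous snapshot. A missing snapshot is treated as empty, so the first run reports everything instead of failing on a missing .prev file. The sample sulog and syslog.log lines, the scratch directory, the loginmon state directory and the MAIL_TO hook are all constructed for the example; the sulog field layout (SU date time +/- tty from-to) is the real HP-UX one.

```shell
#!/bin/sh
# Added example, not the thread's own script: report NEW failed su and ftp
# logins since the last run. It works on constructed sample files in a
# scratch directory so it can be tried anywhere; on HP-UX point SULOG and
# SYSLOG at /var/adm/sulog and /var/adm/syslog/syslog.log (and drop the
# sample generation), and set STATE to a root-owned directory such as
# /var/adm/loginmon (assumed path, not an HP-UX default).

WORK=${WORK:-$(mktemp -d 2>/dev/null || echo "/tmp/loginmon.$$")}
mkdir -p "$WORK"
STATE=${STATE:-$WORK/state}
mkdir -p "$STATE"
MAIL_TO=${MAIL_TO:-}    # e.g. sysadm; when empty the report is printed instead

# Constructed sample sulog: field 4 is "-" for a failed su, "+" for success.
SULOG=$WORK/sulog
cat > "$SULOG" <<'EOF'
SU 01/20 09:01 + pts/0 oper-root
SU 01/20 09:05 - pts/1 guest-root
SU 01/20 09:06 - pts/1 guest-root
SU 01/20 09:07 + pts/2 oper-root
EOF

# Constructed sample syslog.log lines; the filter below mirrors the thread's
# "Login incorrect" plus ftpd match, so the sshd line must not be counted.
SYSLOG=$WORK/syslog.log
cat > "$SYSLOG" <<'EOF'
Jan 20 09:02:11 hpbox ftpd[1234]: FTP LOGIN FROM 192.0.2.10, oper
Jan 20 09:05:12 hpbox ftpd[1241]: 192.0.2.77: Login incorrect
Jan 20 09:05:40 hpbox sshd[1300]: Login incorrect
EOF

# Print the failed su attempts in a sulog file.
failed_su() {
    awk '$4 == "-"' "$1"
}

# Print ftpd lines in a syslog file that report an incorrect login.
failed_ftp() {
    awk '/ftpd/ && /Login incorrect/' "$1"
}

# Print the lines of $1 (current) that do not appear in $2 (previous snapshot).
# A missing snapshot is read as empty, so a first run reports everything.
new_since() {
    cur=$1; prev=$2
    [ -f "$prev" ] || prev=/dev/null
    awk -v prev="$prev" 'FILENAME == prev { seen[$0] = 1; next } !($0 in seen)' "$prev" "$cur"
}

# One check: write a report of new failures per source, keep the current
# extract as the next snapshot, and echo the total number of new lines.
check_cycle() {
    report=$1
    total=0
    : > "$report"
    for src in su ftp; do
        case $src in
            su)  failed_su  "$SULOG"  > "$STATE/$src.chk" ;;
            ftp) failed_ftp "$SYSLOG" > "$STATE/$src.chk" ;;
        esac
        new_since "$STATE/$src.chk" "$STATE/$src.prev" > "$STATE/$src.new"
        n=$(wc -l < "$STATE/$src.new" | tr -d ' ')
        echo "#### $n NEW FAILED $src ATTEMPT(S) SINCE LAST CHECK ####" >> "$report"
        cat "$STATE/$src.new" >> "$report"
        total=$((total + n))
        mv "$STATE/$src.chk" "$STATE/$src.prev"   # snapshot for the next run
    done
    echo "$total"
}

# Discard the snapshots (what the state looks like before the first run).
reset_state() {
    rm -f "$STATE"/*.prev "$STATE"/*.chk "$STATE"/*.new
}

# Deliver the report only when something new was found.
alert_if_new() {
    report=$1; count=$2
    [ "$count" -gt 0 ] || return 0
    if [ -n "$MAIL_TO" ]; then
        mailx -s "$count new failed login(s) on $(hostname)" "$MAIL_TO" < "$report"
    else
        cat "$report"
    fi
}

# Demo: the first run reports all 3 failures, the second run reports none.
reset_state
count=$(check_cycle "$WORK/report.1")
alert_if_new "$WORK/report.1" "$count"
count=$(check_cycle "$WORK/report.2")
echo "second run: $count new failure(s)"
```

Because the snapshot is the extracted failure list rather than a diff of whole files, the report contains only the new entries and a first run does not error out. Note that HP-UX cron does not accept the `*/5` step syntax; to run this every 5 minutes the crontab line has to list the minutes, `0,5,10,15,20,25,30,35,40,45,50,55 * * * * /path/to/loginmon.sh` (path assumed).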
Pat Lieberg
Valued Contributor

Re: alert with incorrect logins

I wrote a script that monitors lastb output and blocks traffic via ipfilter.

It's in Perl and could be easily modified for your purposes.
Zigor Buruaga
Esteemed Contributor

Re: alert with incorrect logins

Hi,

Okay, not a script, but you may want to take a look at HIDS (the free Host Intrusion Detection System from HP).

"... user security

Failed logins
Failed SU attempts
Unauthorized modification of other users' files ..."

Extracted from http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS

I'm using an old version (2.2) and still haven't tested the new one, but it's simply a great tool! It gives a lot of other features too. Just for info, as an alternative.

Regards,
Zigor