Operating System - HP-UX

Bad Login by root . How to trace?

Chen Yingjie
Frequent Advisor

Bad Login by root . How to trace?

We found that our audit report recorded many bad logins by "root" on 8 servers.

How do we trace these bad logins?

I want to know:

Who tried to log in as "root"?
Which terminal (IP) was used to log in?

Thanks for your advice.
Pete Randall
Outstanding Contributor

Re: Bad Login by root . How to trace?

Try "lastb root". That will give you bad login information for the root account.


Pete
Sanjay Kumar Suri
Honored Contributor

Re: Bad Login by root . How to trace?

The /var/adm/btmp file has the history of unsuccessful logins.

The lastb command is used to display this information.

sks
A rigid mind is very sure, but often wrong. A flexible mind is generally unsure, but often right.
Sanjay Kumar Suri
Honored Contributor

Re: Bad Login by root . How to trace?

/var/adm/btmp is owned by and readable only by root, and therefore lastb needs root to execute.

sks
A rigid mind is very sure, but often wrong. A flexible mind is generally unsure, but often right.
Chen Yingjie
Frequent Advisor

Re: Bad Login by root . How to trace?

Our audit tool recorded someone trying to log in, but it was not recorded in the wtmp.
Sanjay Kumar Suri
Honored Contributor

Re: Bad Login by root . How to trace?

Check /var/adm/wtmp, the history of successful logins, using the last command.

What is a bad login by root?

Anyone who has the root password is fine as long as it is not for bad intentions. Is the root password not safe?

Is direct root login allowed, or does one have to su to access root?

sks
A rigid mind is very sure, but often wrong. A flexible mind is generally unsure, but often right.
Muthukumar_5
Honored Contributor

Re: Bad Login by root . How to trace?

Bad login information is stored in the /var/adm/btmp file. We can collect this information using the lastb command.

If you want detailed information on failed logins, use:

lastb -xR -5

-x extended format
-R hostname / IP address

-5 count

You can point lastb at a bad-login file other than the default using lastb -f.

The console terminal gives the attempts to log in as root;

other ttys with users are for their respective logins.
Easy to suggest when don't know about the problem!
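Once lastb -R output is in hand, the next step is summarising it per originating host. As an added example that is not from any post in this thread, the shell function below counts failed root logins by source host from lastb-style output; it assumes the user is in the first field and the host in the last field, and the sample lines are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: summarise failed root logins per originating host.
# Assumption: `lastb -R` prints the account in the first field and the
# host/IP in the last field. The sample below is constructed, not real.

SAMPLE_BTMP='root     console   Mon Mar  1 09:12   10.1.2.3
root     pts/1     Mon Mar  1 09:13   10.1.2.3
root     pts/2     Mon Mar  1 09:15   192.168.5.9
oper     pts/3     Mon Mar  1 09:20   10.1.2.3
root     pts/2     Mon Mar  1 09:21   192.168.5.9
root     pts/2     Mon Mar  1 09:22   192.168.5.9'

# Read lastb-style lines on stdin; print "count host" for root failures,
# most frequent first. Lines for other accounts are ignored.
root_failures_by_host() {
    awk '$1 == "root" && NF > 1 { count[$NF]++ }
         END { for (h in count) print count[h], h }' | sort -rn
}

# Print only hosts whose failed-root count reaches the given threshold,
# so the output can be fed to an alert or a review list.
hosts_at_or_above() {
    threshold="$1"
    root_failures_by_host | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed sample (real use: lastb -R root | ...)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_BTMP" | root_failures_by_host
    echo "hosts with 3 or more failures:"
    printf '%s\n' "$SAMPLE_BTMP" | hosts_at_or_above 3
fi
```

On a live system replace the sample with `lastb -R root` run as root, since /var/adm/btmp is root-readable only, as noted above.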
Chen Yingjie
Frequent Advisor

Re: Bad Login by root . How to trace?

Our audit tool recorded someone trying to use root to log in, but the login was cancelled.

(Our audit tool checks user logins as "root":
once a user successfully logs in as root, it asks the user to type in their ID; if the answer is "N" or there is no input, the login is cancelled.)

Our system allows direct login to root,
and this time nobody did su to root.

Muthukumar_5
Honored Contributor

Re: Bad Login by root . How to trace?

You can keep track of user information and login details in /etc/profile (for normal users) and /.profile for root (super user). You can add script lines to the profile to accomplish your requirement easily. And what are you asking the user to type? ID?


We can stop users from using su as follows.

In the /etc/default/security file:

SU_ROOT_GROUP=groupname to which you want to give permission to use su

Or make a script as follows:

mv your su to /usr/bin/su1

and make your own script, named su, to call su1.
It has to take arguments (username) and check whether the username is null; if so, ask the user to type a user, and root cannot be used for su.

Regards
Muthu
Easy to suggest when don't know about the problem!
twang
Honored Contributor

Re: Bad Login by root . How to trace?

HISTFILE=/var/tmp/.history_$LOGNAME
echo "$LOGNAME logon: `finger $LOGNAME |grep from`" >>$HISTFILE

Add the above to /etc/profile; it will record login details and all commands issued by the login.
Chen Yingjie
Frequent Advisor

Re: Bad Login by root . How to trace?

Thanks to everyone who replied to my question.
We have fixed the problem.

Chen Yingjie
Frequent Advisor

Re: Bad Login by root . How to trace?

The problem is fixed.