
Re: Catching users !

 
Simon R Wootton
Regular Advisor

Catching users !

I have a situation with one of my users where I believe they are logging in using a different user id to gain greater access to our systems. I really need to see historically where particular users were logged in (using IP address) at a point in time. The 'last' command doesn't seem to give me the IP address where the user was logged in, is there any way I can match an IP address with a user historically ?? I realise it's a long shot but it would be really useful !

Does wtmp hold any valuable info ?

All help rewarded !!!

Thank you
Simon
Jean-Luc Oudart
Honored Contributor
Solution

Re: Catching users !

If you use last -R you will get the IP@

man last

Rgds,
Jean-Luc
fiat lux
Chris Wilshaw
Honored Contributor

Re: Catching users !

As an extra note to the above reply, tracking back to an IP address may not prove anything if the address is part of a DHCP pool.

If you use static addresses, you should be OK though (unless your users are smart enough to change their IP address too before logging in).
Bill Hassell
Honored Contributor

Re: Catching users !

This sounds fairly serious so you may need to take drastic actions once you discover the abusers. I would start by changing the password on the compromised login accounts, notifying the real owner of the account to never share a password and depending on your company's security policy (you do have one don't you?) have appropriate disciplinary action take place. And I would hope that you do NOT have multiple UID=0 accounts on your system! This is the first place that a hacker will try to attack your system. If you need assistance from other users to perform certain sysadmin tasks as root, get a copy of sudo and never give out the root password.


Bill Hassell, sysadmin
Jean-Luc Oudart
Honored Contributor

Re: Catching users !

On Chris's comments,
It would depend on your "lease" policy for DHCP and how far back in time you want to track the user IP@.

Rgds,
Jean-Luc
fiat lux
Keith Bevan_1
Trusted Contributor

Re: Catching users !

Simon,

Lock, disable or password change the account in question.

See who complains ! Only the owner of the account will shout, and they should be educated about login/password confidentiality.

Next have a look back at last -R for previous and current logged users and IP address details. It's a guide but not a fool-proof way of tracking the originator/source.

Keith

You are either part of the solution or part of the problem
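
Added example, not part of any reply in this thread: one way to work through `last -R` output as suggested above, listing source addresses that more than one login name has used. The sample records, the user names and the assumed column layout (user, tty, address) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample shaped like `last -R` output: user, tty, remote address,
# then login/logout times. The exact column layout is an assumption; compare
# it with what `last -R` prints on your own system before relying on $1/$3.
sample_last_output() {
cat <<'EOF'
alice     pts/ta  10.1.20.15   Mon Mar  3 08:58 - 17:02  (08:04)
bob       pts/tb  10.1.20.31   Mon Mar  3 09:04 - 12:30  (03:26)
dbadmin   pts/tc  10.1.20.31   Mon Mar  3 09:41 - 09:55  (00:14)
bob       pts/ta  10.1.20.31   Tue Mar  4 08:50 - 16:45  (07:55)
dbadmin   pts/tb  10.1.20.31   Tue Mar  4 13:10 - 13:22  (00:12)
reboot    system boot          Wed Mar  5 02:00
root      console              Wed Mar  5 02:10 - 02:20  (00:10)

wtmp begins Mon Mar  3 08:00
EOF
}

# Print "address login_count user1,user2,..." for every IPv4 source address
# that more than one login name has used. Lines without an address in field 3
# (console logins, reboot records, the wtmp trailer) are skipped.
shared_sources() {
    awk '
        $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            logins[$3]++
            if (!(($3, $1) in seen)) {
                seen[$3, $1] = 1
                users[$3] = (users[$3] == "" ? $1 : users[$3] "," $1)
                distinct[$3]++
            }
        }
        END {
            for (addr in distinct)
                if (distinct[addr] > 1)
                    printf "%s %d %s\n", addr, logins[addr], users[addr]
        }
    ' | sort
}

# Show every session from one address, to line up login times per account.
sessions_from() {
    awk -v addr="$1" '$3 == addr'
}

# On a live system: last -R | shared_sources
sample_last_output | shared_sources
sample_last_output | sessions_from 10.1.20.31
```

As the replies above point out, an address shared by two accounts is a lead to check against login times, not proof, particularly where addresses come from a DHCP pool.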