
Re: Failed Logins not going to /var/adm/btmp

 
SOLVED
Josh Kelley
Occasional Contributor

Failed Logins not going to /var/adm/btmp

I've been looking at the failed login attempts on one of the HPUX 11.11 servers. When I do a lastb -10 to just see the most recent failed attempts, I get failed logins that are really old. I did ls -l /var/adm/btmp and the date on the file is nearly a year old.

I was under the impression that any failed login attempt was recorded in this file. If I use last -10, I get the most recent successful logins and the date on /var/adm/wtmp is current so I know that's working correctly.
spex
Honored Contributor

Re: Failed Logins not going to /var/adm/btmp

Hi,

Your btmp database is corrupt, which isn't a big deal. You have two options:

1) If you don't care about preserving previous bad login attempts, you can zero out /var/adm/btmp:
# cat /dev/null > /var/adm/btmp

2) If you want to try to preserve previous bad login attempts, you will need to make use of the 'fwtmp' command:
# /usr/sbin/acct/fwtmp < /var/adm/btmp > /tmp/btmp.tmp
# vi /tmp/btmp.tmp # Clean up records
# /usr/sbin/acct/fwtmp -ic < /tmp/btmp.tmp > /var/adm/btmp
# rm /tmp/btmp.tmp

PCS
Steven E. Protter
Exalted Contributor

Re: Failed Logins not going to /var/adm/btmp

Shalom,

It's important for auditing purposes to immediately re-establish this file. If you follow the procedure in the prior post (recommended), that's good.

Otherwise > /var/adm/btmp

Then do a bad login and see that it gets logged.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Josh Kelley
Occasional Contributor

Re: Failed Logins not going to /var/adm/btmp

Tried the above and it didn't work. So then we tried just running login from the command prompt and I noticed that it is writing the information to btmp. I assumed since it wasn't writing when I used ssh, it wasn't writing at all. Googled to see if there was something about ssh and btmp and I found that this is a known issue.

Thanks for your help.
Denver Osborn
Honored Contributor

Re: Failed Logins not going to /var/adm/btmp

What version of OpenSSH are you running? Is it HP's supported build of OpenSSH (Secure Shell)? ssh -V

-denver
George Liu_4
Trusted Contributor

Re: Failed Logins not going to /var/adm/btmp

Is syslog.log updating?
Josh Kelley
Occasional Contributor

Re: Failed Logins not going to /var/adm/btmp

OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f

Also swlist says the server is on A.03.61.002 HP-UX Secure Shell. I looked through the release notes and noticed that A.03.71.000 includes logging to btmp and fixes the problem with wtmp showing everyone still logged in.
Josh Kelley
Occasional Contributor

Re: Failed Logins not going to /var/adm/btmp

Yes, syslog.log is updating. It isn't logging failed or successful login attempts though. SSHD is logging if it accepted the password or not, however.
Denver Osborn
Honored Contributor
Solution

Re: Failed Logins not going to /var/adm/btmp

HP-UX Secure Shell A.03.91 enhanced logging of bad login attempts.

http://docs.hp.com/en/T1471-90014/ch01s04.html

You can download the latest rev and test it out for your environment.

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA

-denver
Samir Pujara_1
Frequent Advisor

Re: Failed Logins not going to /var/adm/btmp

Hi Josh,

This was a known bug before ssh 3.91. See the link below.

http://docs.hp.com/en/T1471-90014/ch01s04.html

Try to update your ssh to the latest version (at least 3.91 or above).

This will solve your problem.

Samir
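
The audit gap discussed in this thread (sshd reporting password failures to syslog while /var/adm/btmp stays untouched) can be checked for with a short script. This is an added example, not part of any poster's reply; the function names ssh_failures and btmp_gap, the assumed "Failed password for ..." sshd message format, and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise sshd password failures from syslog and flag a stale btmp.
# Assumption: sshd logs "Failed password for [illegal|invalid user] USER from HOST ...".

# Print "COUNT USER HOST" for each user/host pair with failed sshd passwords.
ssh_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
        for (i = 1; i <= NF; i++) if ($i == "for") break
        i++                                   # field after "for"
        if (($i == "illegal" || $i == "invalid") && $(i+1) == "user") i += 2
        if ($(i+1) == "from") n[$i " " $(i+2)]++   # skip names containing spaces
    }
    END { for (k in n) print n[k], k }' "$1" | sort -k1,1nr -k2
}

# Return 0 (gap found) when syslog holds sshd failures but btmp is missing
# or was last written before syslog. -ot is a ksh/bash/dash test extension.
btmp_gap() {
    syslog=$1; btmp=$2
    [ -n "$(ssh_failures "$syslog")" ] || return 1
    [ ! -f "$btmp" ] || [ "$btmp" -ot "$syslog" ]
}

# Demo on constructed data (not real logs). On HP-UX the real files are
# /var/adm/syslog/syslog.log and /var/adm/btmp.
demo=${TMPDIR:-/tmp}/btmpdemo.$$
mkdir "$demo" || exit 1
cat > "$demo/syslog.log" <<'EOF'
Mar  3 09:14:02 hpsrv1 sshd[2211]: Failed password for root from 192.0.2.10 port 40112 ssh2
Mar  3 09:14:09 hpsrv1 sshd[2211]: Failed password for root from 192.0.2.10 port 40112 ssh2
Mar  3 09:15:30 hpsrv1 sshd[2240]: Failed password for illegal user oracle from 192.0.2.44 port 51800 ssh2
Mar  3 09:16:01 hpsrv1 sshd[2251]: Accepted password for appuser from 192.0.2.7 port 33010 ssh2
EOF
: > "$demo/btmp"
touch -t 200701010000 "$demo/btmp"    # btmp last written long before syslog
ssh_failures "$demo/syslog.log"
if btmp_gap "$demo/syslog.log" "$demo/btmp"; then
    echo "WARNING: sshd failures in syslog, but btmp is stale or missing"
fi
rm -rf "$demo"
```

Run from cron against the real files, a warning from this check means lastb is under-reporting and syslog is the record to review until sshd writes to btmp.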