Operating System - HP-UX

failed telnet login attempts to syslog

 
SOLVED
Janet White
Advisor


Hi, I have trusted systems with auditing turned on, but for SOX they would like failed login attempts written to syslog and forwarded to a centralized logging server running 3rd party software. I have logging set in /etc/inetd.conf (telnetd -l). I see the connections but not failed logins. I come from a secure shell background, but telnet is a must-have here right now. How to get failed login attempts written to syslog? Thank you for your time.
James R. Ferguson
Acclaimed Contributor

Re: failed telnet login attempts to syslog

Hi Janet:

Failed logins are logged in '/var/adm/btmp' if the file is present.

If not, 'touch' it to create it. Make sure that the permissions are set *only* to allow root read-access. It is possible that passwords from the failed logins will be exposed in this file.

For more information see the man pages for 'last'. 'lastb' is used to read this binary file as noted therein.

Regards!

...JRF...
Pierre Pasturel
Respected Contributor
Solution

Re: failed telnet login attempts to syslog

Janet -

The HP-UX Host IDS product, available as a free download from software.hp.com, does monitor btmp for 11i (and btmps for 11iv2) for failed login attempts, whether they be for remote (rlogin), telnet, or ssh logins. You simply need to write a trivial script (examples in the Admin Guide) that can be invoked for every failed login attempt and that can then forward the failed login information to your centralized server. The alert will contain the login name that was supplied and the host name and IP address of the host from which the login was initiated.

I have attached a testimonial from one customer who uses our product for SOX compliance.

Let me know if you have any questions regarding HP-UX HIDS, which can do more than just monitor failed logins. The Admin Guide can be found at docs.hp.com.

Pierre

Janet White
Advisor

Re: failed telnet login attempts to syslog

I like using lastb, but that doesn't get my failed logins to syslog. I will look into the HIDS product. Thank you both.
Arunvijai_4
Honored Contributor

Re: failed telnet login attempts to syslog

Just try to restart inetd using # inetd -c or # /sbin/init.d/inetd stop and /sbin/init.d/inetd start. # lastb -R will provide failed login details.

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
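
Added example, not part of any post above and not HP's or the HIDS product's code: a cron-driven script that closes the gap raised in the thread by sending each new `lastb -R` record to syslog through `logger`. The names `LASTB_CMD`, `LOGGER_CMD`, `STATE_FILE`, the `failed-login` tag and the state file path are assumptions, as is the output layout (newest record first, optional "btmp begins" trailer).

```shell
#!/bin/sh
# Forward new failed-login records from lastb to syslog (added example).
# Assumed names: LASTB_CMD, LOGGER_CMD, STATE_FILE, tag "failed-login".
LASTB_CMD=${LASTB_CMD:-"lastb -R"}
LOGGER_CMD=${LOGGER_CMD:-"logger -t failed-login -p auth.warning"}
STATE_FILE=${STATE_FILE:-/var/adm/btmp.forwarded}   # hypothetical path

# As noted in the thread, btmp can contain passwords typed at the login
# prompt, so keep the state file root-only and treat the forwarded
# messages as sensitive on the central server as well.
umask 077

forward_new() {
    # Drop blank lines and the trailer line (assumed "btmp begins ...").
    current=$($LASTB_CMD | sed -e '/^$/d' -e '/^[Bb][Tt][Mm][Pp][Ss]* begins/d')
    if [ -z "$current" ]; then
        new_total=0
    else
        new_total=$(printf '%s\n' "$current" | awk 'END { print NR }')
    fi

    old_total=0
    if [ -f "$STATE_FILE" ]; then
        old_total=$(cat "$STATE_FILE")
    fi
    # Fewer records than last time means btmp was truncated or recreated:
    # start over so the records written since then are not skipped.
    if [ "$new_total" -lt "$old_total" ]; then
        old_total=0
    fi

    fresh=$((new_total - old_total))
    if [ "$fresh" -gt 0 ]; then
        # Newest records are printed first, so the unseen ones are on top.
        printf '%s\n' "$current" | head -n "$fresh" |
        while IFS= read -r line; do
            $LOGGER_CMD "failed login: $line"
        done
    fi
    echo "$new_total" > "$STATE_FILE"
    FORWARDED=$fresh    # number of records sent on this run
}

# Run from root's crontab as: <script> run
if [ "${1:-}" = "run" ]; then
    forward_new
fi
```

The messages arrive at the `auth.warning` facility and level, so the existing syslog forwarding rule for that selector carries them to the central server.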