
Re: Ftp account disable

 
RK_7
Advisor

Ftp account disable

Dear all,

We have implemented TCB in our server.
Can I find out the IP address of the FTP user who tries ftp login more than three times with a wrong password?

Regards
8 REPLIES 8
Peter Godron
Honored Contributor

Re: Ftp account disable

Hi,
would there not be a log in /var/adm/syslog/syslog.log ?
Steven E. Protter
Exalted Contributor

Re: Ftp account disable

Shalom

inetd -l

You can also enhance logging of some protocols by adding the -l parameter to the setup of the daemon in /etc/inetd.conf

Note that for ssh, there have been some problems with certain versions that disabled logging. You will need the most recent secure shell server from http://software.hp.com to avoid this issue.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
RK_7
Advisor

Re: Ftp account disable

Hi,

In syslog I am getting logs for successful login. If the user tries a wrong password three times, the account gets locked. We want to find out the IP address of the user who caused the system account to be locked. Is there any option that can be used with ftpd in inetd.conf?

Regards,
Asif Sharif
Honored Contributor

Re: Ftp account disable

check these logs
1. /var/adm/wtmp
2. /var/adm/syslog/syslog.log
Regards,
Asif Sharif
RK_7
Advisor

Re: Ftp account disable

Hi

From wtmp we will not get ftp login details
Steven E. Protter
Exalted Contributor

Re: Ftp account disable

I thought of something else.

If you went TCB, that means your system is trusted. Unless you change it, by default a trusted system is going to disable a user after three consecutive bad logins.

passwd -sa

That command should produce a report of the bad users. But to actually disable the account you should not have to do anything.

SEP
Steven E Protter
Peter Godron
Honored Contributor

Re: Ftp account disable

RK,
when I try to log onto my (untrusted) system with an invalid password I see in the syslog.log.

IP addresses and username removed to protect the innocent.

Mar 28 12:56:57 tpol inetd[26625]: registrar/tcp: Connection from tpol () at Tue Mar 28 12:56:57 2006
Mar 28 12:57:06 tpol inetd[26626]: ftp/tcp: Connection from unknown () at Tue Mar 28 12:57:06 2006
Mar 28 12:57:12 tpol ftpd[26626]: pam_authenticate: Authentication failed
Mar 28 12:57:12 tpol ftpd[26626]: User : Login incorrect
Antonio Cardoso_1
Trusted Contributor

Re: Ftp account disable

Hi,

look at ftpd entry in /etc/inetd.conf : if having -l flag, for example:
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a

the log will look like:
Mar 28 15:19:27 rasteau inetd[18263]: ftp/tcp: Connection from unknown (139.54.129.205) at Tue Mar 28 15:19:27 2006
Mar 28 15:19:30 rasteau ftpd[18263]: cannot stat private access file /etc/ftpd/ftpgroups: No such file or directory
Mar 28 15:19:30 rasteau ftpd[18263]: USER sydfks
Mar 28 15:19:31 rasteau ftpd[18263]: PASS password
Mar 28 15:19:31 rasteau ftpd[18263]: User sydfks: Login incorrect
Mar 28 15:19:31 rasteau ftpd[18263]: SYST
Mar 28 15:19:31 rasteau ftpd[18263]: TYPE Image
Mar 28 15:19:37 rasteau inetd[1104]: Connection logging disabled
Mar 28 15:20:19 rasteau ftpd[18263]: QUIT
Mar 28 15:20:19 rasteau ftpd[18263]: FTP session closed
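Added example, not part of any post in this thread: in the log format quoted above, the inetd connection line and the ftpd "Login incorrect" line carry the same PID, so the source address of each failed login can be recovered by joining on it. The function names and the sample log are constructed for illustration, and the script assumes inetd connection logging (`-l`) is active so the address appears in parentheses.

```shell
#!/bin/sh
# Constructed sample in the syslog format quoted in the thread. Host, users
# and addresses (RFC 5737 documentation ranges) are invented.
sample_log() {
cat <<'EOF'
Mar 28 15:19:27 hostA inetd[18263]: ftp/tcp: Connection from unknown (192.0.2.10) at Tue Mar 28 15:19:27 2006
Mar 28 15:19:30 hostA ftpd[18263]: USER alice
Mar 28 15:19:31 hostA ftpd[18263]: User alice: Login incorrect
Mar 28 15:19:40 hostA ftpd[18263]: User alice: Login incorrect
Mar 28 15:19:45 hostA inetd[1104]: Connection logging disabled
Mar 28 15:20:02 hostA inetd[18270]: ftp/tcp: Connection from unknown (192.0.2.10) at Tue Mar 28 15:20:02 2006
Mar 28 15:20:05 hostA ftpd[18270]: User alice: Login incorrect
Mar 28 15:21:10 hostA inetd[18275]: ftp/tcp: Connection from unknown (192.0.2.44) at Tue Mar 28 15:21:10 2006
Mar 28 15:21:12 hostA ftpd[18275]: User bob: Login incorrect
Mar 28 15:22:00 hostA inetd[18280]: registrar/tcp: Connection from hostA (198.51.100.7) at Tue Mar 28 15:22:00 2006
EOF
}

# Usage: failed_ftp_logins [min_failures] < syslog.log
# Prints "count source_ip user" for each pair at or above the threshold.
failed_ftp_logins() {
  awk -v min="${1:-3}" '
    # PID between the brackets of the syslog tag, e.g. "ftpd[18263]:"
    function pid_of(tag,    a, b) {
      a = index(tag, "["); b = index(tag, "]")
      return substr(tag, a + 1, b - a - 1)
    }
    # inetd -l: remember which address each spawned ftpd PID serves
    $5 ~ /^inetd\[/ && $6 == "ftp/tcp:" && $7 == "Connection" {
      o = index($0, "("); c = index($0, ")")
      ip = substr($0, o + 1, c - o - 1)
      src[$4, pid_of($5)] = (ip == "" ? "unknown" : ip)
      next
    }
    # ftpd: a failed login, attributed through the shared PID
    $5 ~ /^ftpd\[/ && $6 == "User" && /Login incorrect$/ {
      user = $7; sub(/:$/, "", user)
      if (user == "") user = "-"
      key = $4 SUBSEP pid_of($5)
      fails[(key in src ? src[key] : "unknown") " " user]++
    }
    END { for (k in fails) if (fails[k] >= min + 0) print fails[k], k }
  ' | sort -rn
}

sample_log | failed_ftp_logins 3
```

The default threshold of 3 matches the three-attempt lockout discussed in the thread; failures are counted per address and user across sessions, so attempts spread over several connections are still grouped.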