Operating System - HP-UX

Help with tracking user from a remote terminal

Ana Arostegui
Occasional Contributor

Help with tracking user from a remote terminal

Hello,

First, how can I take away remote login from a particular userid?

Second, I am using HP-UX and I have a generic userid named forte for my application. Some individual having access to this id has been killing processes, and I would like to know how to track him/her down. I was told that there is a way to track a type of terminal tty to a particular phone line number. I suspect the individual is logging in from home using a phone line.

Your help will be most appreciated.

Thanks,

Ana
8 REPLIES
Dan Hetzel
Honored Contributor

Re: Help with tracking user from a remote terminal

Hi Ana,

Using the 'last' command, you'll get a list of all logins from the user as well as the tty he/she's been logging in from.

If it's through a modem line, you could simply de-activate the login on that modem line, unless you actually need it permanently.

Editing /etc/inetd.sec could help in restricting logins to your local network.
See manual page for inetd.sec for details.

Best regards,

Dan
Everybody knows at least one thing worth sharing -- mailto:dan.hetzel@wildcroft.com
Ana Arostegui
Occasional Contributor

Re: Help with tracking user from a remote terminal

Hello,

Thank you for your help Dan, I really appreciate it.
I did go through the output of the command last as it concerns the specific user 'forte' and I got a list sort of like this:

forte pts/te 1xx.1xx.1xx.2xx Fri Feb 2 15:24 - 15:25 (00:00)
forte pts/tf 1xx.1xx.1xx.2xx Fri Feb 2 15:08 - 15:51 (00:42)
forte pts/tg 1xx.1xx.1xx.2xx Fri Feb 2 15:05 - 15:37 (00:31)
forte pts/tc 1xx.1xx.1xx.2xx Fri Feb 2 14:19 - 14:27 (00:08)
forte pts/ta sxxx.marxx Thu Feb 8 05:20 - 05:40 (00:20)
forte pts/tf sxxx.marrio Wed Feb 7 21:39 - 02:59 (05:20)

I am not sure what I can do with it though. I don't know how to track anything down. There are literally thousands of people who receive IP addresses via DHCP, and I don't know what the differences on the pts/t* are. For instance, what is the difference between pts/tf and pts/ta and so forth, and how can I use this to track people down?

Also, could someone please answer my question on how I can restrict remote login for a specific user. I am sure there is a way to disable remote logins for a user, but I don't know how myself. I need commands for this, a quick example if you will.

Thanks,

Ana
Dan Hetzel
Honored Contributor

Re: Help with tracking user from a remote terminal

Ana,

There is no difference between pts/ty and pts/tz apart from numbering. They are pseudo-terminals.

The most interesting thing is the IP address coming immediately after. This is the IP address or host name your user is coming from.
The last field shows you when the login took place and for how long.

You could use this input to track down the 'culprit' and deny login from that IP address using /etc/inetd.sec

Best regards,

Dan
Everybody knows at least one thing worth sharing -- mailto:dan.hetzel@wildcroft.com
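As an added example (not code from the thread), the helper below turns `last` output of the shape Ana posted into a per-source summary: one line per remote host or IP with the number of sessions and the total connected minutes, plus a second helper that pulls out the full records for one source so their times can be lined up against when the processes were killed. The sample records are constructed from the masked lines in the post; on a real system pipe `last forte` into the functions instead.

```shell
#!/bin/sh
# Summarize HP-UX style `last` records by remote source (field 3).
# Sample input constructed from the masked lines quoted in the thread.
SAMPLE_LAST='forte pts/te 1xx.1xx.1xx.2xx Fri Feb 2 15:24 - 15:25 (00:00)
forte pts/tf 1xx.1xx.1xx.2xx Fri Feb 2 15:08 - 15:51 (00:42)
forte pts/tg 1xx.1xx.1xx.2xx Fri Feb 2 15:05 - 15:37 (00:31)
forte pts/tc 1xx.1xx.1xx.2xx Fri Feb 2 14:19 - 14:27 (00:08)
forte pts/ta sxxx.marxx Thu Feb 8 05:20 - 05:40 (00:20)
forte pts/tf sxxx.marrio Wed Feb 7 21:39 - 02:59 (05:20)'

# summarize_logins: reads `last` records on stdin, prints
# "source sessions minutes", busiest source first.
summarize_logins() {
    awk '
        # only completed pseudo-terminal sessions carry a "(HH:MM)" duration;
        # "still logged in" lines are skipped by the $NF test
        NF >= 10 && $2 ~ /^pts\// && $NF ~ /^\(/ {
            src = $3
            n[src]++
            d = $NF; gsub(/[()]/, "", d)          # "(05:20)" or "(1+05:20)"
            days = 0
            if (index(d, "+")) { split(d, p, "+"); days = p[1]; d = p[2] }
            split(d, t, ":")
            mins[src] += days * 1440 + t[1] * 60 + t[2]
        }
        END { for (s in n) print s, n[s], mins[s] }
    ' | sort -k2,2nr -k1,1
}

# sessions_from SOURCE: reads `last` records on stdin and prints only the
# records whose third field (remote host or IP) equals SOURCE.
sessions_from() {
    awk -v src="$1" '$3 == src'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LAST" | summarize_logins
printf '%s\n' "$SAMPLE_LAST" | sessions_from 1xx.1xx.1xx.2xx
```

The per-source totals make it obvious which host accounts for the bulk of the connect time, which is the address you then take to the network administrator or match against DHCP lease records.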
Bruce Regittko_1
Esteemed Contributor

Re: Help with tracking user from a remote terminal

Hi,

I think Dan has his wizard cap screwed on a wee bit too tight :). The inetd security file is /var/adm/inetd.sec, not /etc/inetd.sec. Otherwise, Dan's answer, as always, is right on target. (2300 points and only one mistake!)

--Bruce
www.stratech.com/training
Steven Sim Kok Leong
Honored Contributor

Re: Help with tracking user from a remote terminal

Hi,

One way to prevent a remote user from logging in from remote would be to block him in /etc/profile. In this way, you can be selective as to which specific remote users you want to block from logging in from a list of remote sites while letting other remote users access to your system.

Giving you an idea of the lines you can include in your /etc/profile:
===========================================
# terminal line for this session, e.g. pts/ta
mytty=`tty | cut -d/ -f3-`
# most recent login record for that line; field 3 is the remote host or IP
mylocation=`last | awk -v t="$mytty" '$2 == t { print $3; exit }'`
# block only when both the user and the source are listed; -x requires a
# whole-line match so 10.1.1.1 cannot match an entry for 10.1.1.10, and the
# test on $mylocation stops an empty pattern from matching every line
if [ -n "$mylocation" ] && grep -x "$LOGNAME" /etc/blacklistusers >/dev/null 2>&1 && grep -x "$mylocation" /etc/blacklistlocations >/dev/null 2>&1
then
    echo "You are not allowed to login from $mylocation"
    exit
fi
===========================================

You will need to populate /etc/blacklistusers with the list of users and /etc/blacklistlocations with the list of remote IPs you wish to block.

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
Dan Hetzel
Honored Contributor

Re: Help with tracking user from a remote terminal

Hi Bruce,

You're right! The reason why I don't remove my hat is because I'm bald and don't want to catch the flu.
You're quite far from the truth when you say that this is my only wrong answer in 2300 points (:-))

The file is, of course /var/adm/inetd.sec, thank you for correcting my mistake.

Kindest regards,

Dan
Everybody knows at least one thing worth sharing -- mailto:dan.hetzel@wildcroft.com
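To make the /var/adm/inetd.sec approach from Dan's and Bruce's replies concrete, here is an added example (not from the thread) that embeds a constructed inetd.sec in the documented "service allow|deny hosts" form and a POSIX shell function that answers "would this host be allowed to reach this service?" under the rules as I understand them from inetd.sec(4): a service with no entry is open to all, an allow entry admits only the listed hosts, a deny entry refuses only them, and `*` acts as a per-octet wildcard. The service names, addresses and host name are constructed, address ranges are not handled, and a later line for the same service overrides an earlier one in this simulation; check the precedence against your system's manual page before relying on it.

```shell
#!/bin/sh
# Constructed /var/adm/inetd.sec content (not a real file from the thread).
# Service names are the /etc/services names: login = rlogin, shell = remsh.
SAMPLE_INETD_SEC='# service  allow|deny  hosts (names or addresses, * wildcard per octet)
login    allow  10.3.*  admin-ws.example.com
telnet   deny   192.168.5.*
shell    allow  10.3.1.7'

# inetd_sec_decision SERVICE HOST: prints "allow" or "deny".
inetd_sec_decision() {
    svc=$1; host=$2
    decision=allow                 # no entry for a service: open to everyone
    while read -r name action hosts; do
        case $name in ''|'#'*) continue;; esac   # skip blanks and comments
        [ "$name" = "$svc" ] || continue
        matched=no
        set -f                      # keep the shell from globbing 10.3.* on cwd
        for pat in $hosts; do
            case $host in $pat) matched=yes; break;; esac
        done
        set +f
        if [ "$action" = allow ]; then
            if [ $matched = yes ]; then decision=allow; else decision=deny; fi
        else
            if [ $matched = yes ]; then decision=deny; else decision=allow; fi
        fi
    done <<EOF
$SAMPLE_INETD_SEC
EOF
    echo "$decision"
}

# Demo: the host from a suspect `last` record against the login service.
echo "login from 10.9.0.1: $(inetd_sec_decision login 10.9.0.1)"
echo "login from 10.3.4.20: $(inetd_sec_decision login 10.3.4.20)"
```

Running the function over the addresses you collected from `last` before editing the real file shows you exactly which sessions a proposed allow or deny line would cut off, including your own.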
Ana Arostegui
Occasional Contributor

Re: Help with tracking user from a remote terminal

Thank you everyone for all your helpful responses.
If I pinpoint the culprit and he/she has a static IP, then I will blacklist it.

Ana
James H. Trice Ph.D.
Occasional Advisor

Re: Help with tracking user from a remote terminal

If you can track down the IP, use arp to get the hardware address then go to your netadmin. He/she might be able to track down the port using the hardware address.
Jim Trice