Operating System - HP-UX
Dan Copeland
Regular Advisor

How do you determine what IP address deactivated an ftp account

I have a generic ftp account that is used by over 100 end-users during month-end to send data to an app. Last month we had a problem because someone was disabling the account by providing the wrong password during the ftp login. Is there a way to find out who was the culprit if the ftp userid is the same for these 100 users? We checked last, lastb, and syslog. No entries were in last and lastb for ftp. Syslog showed when the account got disabled, but we were unable to detect who did it. Our security policy states disable after 5 incorrect passwords. Password does not expire.
The ftp userid has a /bin/false shell. Any help would be appreciated.
Jeff Schussele
Honored Contributor

Re: How do you determine what IP address deactivated an ftp account

Hi,

You'll want to turn logging on for ftp in inetd.conf. Add an -l (that's ell not one) to the ftp line & bounce inetd.

You can also turn on more specific options with /etc/ftpd/ftpaccess - see the following links

http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90685/B2355-90685_top.html&con=/hpux/onlinedocs/B2355-90685/00/00/14-con.html&toc=/hpux/onlinedocs/B2355-90685/00/00/14-toc.html&searchterms=ftpd&queryid=20020314-085906

http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90696/B2355-90696_top.html&con=/hpux/onlinedocs/B2355-90696/00/00/36-con.html&toc=/hpux/onlinedocs/B2355-90696/00/00/36-toc.html&searchterms=ftpaccess&queryid=20020314-090102

This will explain how to increase the value of allowed incorrect logins.

With a generic login the best you'll be able to determine is the source IP of the login. Then you'll have to track down the workstation with that IP. I never use generic IDs when at all possible, for this exact reason.

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Roger Baptiste
Honored Contributor

Re: How do you determine what IP address deactivated an ftp account

Jeff,

I don't think the -l option helps in this case. Even when the -l option is there, the syslog does not record the IP address if the login id access is incorrect! Only when the ftp login succeeds does it show the IP address from which the connection was made.

-raj
Take it easy.
Christopher Caldwell
Honored Contributor

Re: How do you determine what IP address deactivated an ftp account

If you're running trusted, the field fd_unsuctty (man getprpwent) may store the hostname of the last unsuccessful login:

The next fields are used to protect against login spoofing, listing the time and location of last login. fd_slogin and fd_ulogin are time stamps of the last successful and unsuccessful login attempts. fd_suctty and fd_unsuctty are the terminal device or (if supported) host names of the terminal or host from which the last login attempt occurred.
Dan Copeland
Regular Advisor

Re: How do you determine what IP address deactivated an ftp account

Thank you all for the good info. I don't have the getprpwent command on my server. I'm running 11.0 and it is trusted. When I view the tcb file for that userid, I don't have any entries for fd_unsuctty. I'm kinda disappointed because I think that may have helped. Any ideas why that command is not there?
Sandip Ghosh
Honored Contributor

Re: How do you determine what IP address deactivated an ftp account

I can't tell whether you can find out about the past or not.

But for the future, just run "# inetd -l" and it will keep messages in the syslog.log file about:
1. The pid
2. The host name
3. The IP address of the host name
4. The user name

Sandip
Good Luck!!!
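Once ftpd is logging (the inetd -l / ftpd -l change discussed above), the remaining problem is that the "disable after 5 incorrect passwords" counter belongs to the shared account, not to any one workstation. The script below is an added example, not code from any poster in this thread: it assumes wu-ftpd-style "FTP LOGIN FAILED FROM host, user" and "FTP LOGIN FROM host, user" messages (check the exact text in your own syslog.log), uses a constructed sample log with "ftpmonth" standing in for the shared account, and reports failed logins per source host plus the source whose attempt was the fifth consecutive failure since the last good login.

```python
import re
from collections import Counter

# Assumed message shapes, modelled on the wu-ftpd family HP-UX ftpd descends
# from; adjust the patterns to whatever your syslog.log actually shows.
SYSLOG = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ftpd\[\d+\]: (.*)$')
FAILED = re.compile(r'^FTP LOGIN FAILED FROM (.+), (\S+)$')
SUCCESS = re.compile(r'^FTP LOGIN FROM (.+), (\S+)$')

def lockout_report(lines, user, threshold=5):
    """Return (failures_per_source, tripper) for the shared account `user`:
    failures_per_source counts failed logins by source host; tripper is the
    (timestamp, source) of the failure that reached `threshold` consecutive
    failures since the last successful login, i.e. the attempt that disabled
    the account. The counter is per account, so it need not be the worst offender."""
    failures = Counter()
    streak, tripper = 0, None
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        stamp, msg = m.groups()
        hit = FAILED.match(msg)
        if hit and hit.group(2) == user:
            failures[hit.group(1)] += 1
            streak += 1
            if streak == threshold and tripper is None:
                tripper = (stamp, hit.group(1))
        elif (ok := SUCCESS.match(msg)) and ok.group(2) == user:
            streak = 0  # a successful login clears the failure count

    return failures, tripper

# Constructed sample syslog.log; "ftpmonth" stands in for the shared account.
SAMPLE = """\
Mar 14 08:01:10 hpux1 ftpd[4101]: FTP LOGIN FROM ws12.example.com [10.1.2.12], ftpmonth
Mar 14 08:05:33 hpux1 ftpd[4120]: FTP LOGIN FAILED FROM ws17.example.com [10.1.2.17], ftpmonth
Mar 14 08:05:41 hpux1 ftpd[4121]: FTP LOGIN FAILED FROM ws17.example.com [10.1.2.17], ftpmonth
Mar 14 08:07:02 hpux1 ftpd[4130]: FTP LOGIN FROM ws03.example.com [10.1.2.3], ftpmonth
Mar 14 08:09:15 hpux1 ftpd[4140]: FTP LOGIN FAILED FROM ws17.example.com [10.1.2.17], ftpmonth
Mar 14 08:10:05 hpux1 ftpd[4150]: FTP LOGIN FAILED FROM ws44.example.com [10.1.2.44], ftpmonth
Mar 14 08:10:30 hpux1 ftpd[4151]: FTP LOGIN FAILED FROM ws17.example.com [10.1.2.17], ftpmonth
Mar 14 08:10:58 hpux1 ftpd[4160]: FTP LOGIN FAILED FROM ws17.example.com [10.1.2.17], ftpmonth
Mar 14 08:11:00 hpux1 ftpd[4170]: FTP LOGIN FAILED FROM ws09.example.com [10.1.2.9], ftpmonth
"""

if __name__ == "__main__":
    per_source, tripper = lockout_report(SAMPLE.splitlines(), "ftpmonth")
    print(per_source.most_common(), "lockout tripped by:", tripper)
```

In the sample, ws17 supplies five of the seven bad passwords but ws09's single failure is the one that crossed the threshold, which is why both views are worth reporting before you go looking for a workstation.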
Ron Kinner
Honored Contributor

Re: How do you determine what IP address deactivated an ftp account

Run tcpdump (freeware), set it to filter on ftp, then grep the result for whatever your system says when it doesn't like the password.

Ron
Deshpande Prashant
Honored Contributor

Re: How do you determine what IP address deactivated an ftp account

Hi,
The command /usr/lbin/getprpw will list the last successful and unsuccessful attempts for you.

Prashant.
Take it as it comes.
Christopher Caldwell
Honored Contributor

Re: How do you determine what IP address deactivated an ftp account

getprpwent is the C API into the tcb. You'd have to write a C program to peek and poke the entries in the tcb. The API allows you to turn on and off certain attributes in the tcb.

FTP would have to be tweaked to write failed login attempts (and log the host) to the tcb - it's not too hard a modification.