Re: HP-UX root account was deactived some many times

Gary L
Super Advisor

HP-UX root account was deactived some many times

Hi

I have over 20 HP-UX rp boxes; currently they all hit the same error: the root account was deactivated because "Too many unsuccessful login attempts have occurred".
1. Our HP-UX servers are all C2-level Trusted Systems.
2. I have changed the value of u_maxtries from 3 to 99 in the file /tcb/files/auth/r/root; details are as follows:
root@/tcb/files/auth/r> cat root
root:u_name=root:u_id#0:\
:u_pwd=fbEu9w5jm77OI:\
:u_bootauth:u_auditid#0:\
:u_auditflag#1:\
:u_minchg#0:u_exp#0:u_life#0:u_succhg#1203540512:\
:u_unsucchg#1060086954:u_pw_expire_warning#0:u_pswduser=root:u_suclog#1205502271:\
:u_suctty=pts/tc:u_unsuclog#1205497924:u_maxtries#99:u_lock@:\
:chkent:
3. I have changed the value of "Unsuccessful Login Tries Allowed" from the default 3 to 99 through SAM:
SAM - Accounts for Users and Groups - SAM Users - root
Action: Modify Security Policies... - General User Account Policies... - Unsuccessful Login Tries Allowed: [ Customize ->] 99

After doing items 2 and 3, I thought the root user should have 99 unsuccessful login attempts, but I have no idea why I have to "Reactivate" the root account every week. Is there any other file that records the root faillog count?

BTW,
I configured all of the HP-UX servers as managed clients of HPSIM last month, including installing SysMgmtWeb SMH, SysFaultMgmt and some Providers, etc.

Any answers will be very much appreciated!

-G
Gary L
Super Advisor

Re: HP-UX root account was deactived some many times

Sorry, the subject should be:
HP-UX root account was deactivated so many times.
Robert Salter
Respected Contributor
Solution

Re: HP-UX root account was deactived some many times

I think I would try to find out who was trying to access root first. Doesn't sound like they're supposed to.
Time to smoke and joke
Paul Sperry
Honored Contributor

Re: HP-UX root account was deactived some many times

take a look at the /var/adm/sulog

a successful attempt looks like:

SU 03/14 08:08 + ttyp2 username-root

an unsuccessful attempt looks like:

SU 03/14 08:08 - ttyp2 username-root

notice the + vs -

Then find the username and ask them why they think they need root access
Paul Sperry
Honored Contributor

Re: HP-UX root account was deactived some many times

BTW the same thing is logged in /var/adm/syslog/syslog.log

Mar 14 08:08:21 hostname su: - ttyp2 username-root
Mar 14 08:08:32 hostname su: + ttyp2 username-root
Gary L
Super Advisor

Re: HP-UX root account was deactived some many times

Hi Robert

Thank you very much for your fast reply.
Yes, you are right; I have been checking who is trying to access those HP-UX servers with an incorrect passwd.
But the root account has 99 tries. I have to reactivate the root account via the console every week (within 5 working days).
I mean, it's an abnormal thing. I assume somewhere, some file still limits the count to the default 3.

-G
Gary L
Super Advisor

Re: HP-UX root account was deactived some many times

Thanks Paul

I will check the sulog and syslog right now.

-G
Gary L
Super Advisor

Re: HP-UX root account was deactived some many times

Hi Paul

Through checking the sulog file, I found the oracle user tried to access root on this server today; details are as follows:

SU 03/14 08:31 - tb oracle1-root
SU 03/14 08:32 - tb oracle1-root
SU 03/14 09:44 + tb oracle1-root

But just two times; as you know, I have already changed the failed-attempt count from the default 3 to 99. Does it take effect? I think probably the system root unsuccessful login attempt limit is still three, right? How can I modify it other than in /tcb/files/auth/r/root and SAM?

Thanks a lot.

-G
Fabio Ettore
Honored Contributor

Re: HP-UX root account was deactived some many times

Hi Gary,

it sounds like someone is trying to access the system with a wrong password more than 99 times, some kind of hacking.
Try

lastb root

to check if someone failed the login as root (lastb only shows failed attempts).

Good luck...

Best regards,
Fabio Ettore
WISH? IMPROVEMENT!
Gary L
Super Advisor

Re: HP-UX root account was deactived some many times

Hi Fabio

Thanks for your good suggestions; through the command # lastb root, the system lists 218 entries (too many). But I think it is the total over three or four years, and the latest failed attempt is from last year, see below:

root pts/tb Wed Jan 30 13:48
root pts/ta Mon Sep 17 08:18
root pts/ta Fri Sep 14 15:15
root pts/ta Fri Sep 14 15:15
root pts/0 Fri Jul 20 11:00
root pts/0 Thu Jul 19 17:05
root pts/0 Thu Jul 19 17:05
root pts/0 Thu Jul 19 17:05
root ssh:notty Wed Jul 4 14:39
root pts/td Wed Jun 20 10:10
...
root remshd Mon Apr 14 03:12
root remshd Sun Apr 13 03:12
root remshd Sat Apr 12 03:12
root remshd Fri Apr 11 03:12
root remshd Thu Apr 10 03:12
root remshd Wed Apr 9 03:12
root remshd Tue Apr 8 03:12
root remshd Mon Apr 7 03:12
root remshd Sun Apr 6 03:12
root remshd Sat Apr 5 03:12
root remshd Fri Apr 4 03:12

BTW,
Does a Unix system have hackers?

Thanks again.

-G
Fabio Ettore
Honored Contributor

Re: HP-UX root account was deactived some many times

Hi Gary,

hacking on a Unix system is a different concept than on Windows systems. A few examples of 'hacking' on Unix, as I mean it, are the following: trying to access as root with no permission, scanning ports on the Unix box in order to get connections, rm of files when accessing the system, and other actions of this kind. As you can see, it is not the same concept as on Windows; it's not like a virus which spreads on the system.

About your problem on root password, issue the following command:

#/usr/lbin/getprpw root

HTH.

Best regards,
Fabio
WISH? IMPROVEMENT!
Gary L
Super Advisor

Re: HP-UX root account was deactived some many times

Hi Fabio

Thanks for your explanation about Unix hacking.

Below is the output of /usr/lbin/getprpw root.

# /usr/lbin/getprpw root
uid=0, bootpw=YES, audid=0, audflg=1, mintm=0, maxpwln=-1, exptm=0, lftm=0, spwchg=Wed Feb 20 15:48:32 2008, upwchg=Tue Aug 5 08:35:54 2003, acctexp=-1, llog=-1, expwarn=0, usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Fri Mar 14 12:02:12 2008, ulogint=Fri Mar 14 08:32:04 2008, sloginy=pts/tb, culogin=-1, uloginy=-1, umaxlntr=99, alock=NO, lockout=0000000

I think it should be the same as /tcb/files/auth/r/root - umaxlntr=99 (try 99 times, right?). As you know, from checking the log, I reactivated the root account last week.

-G
Tim Nelson
Honored Contributor

Re: HP-UX root account was deactived some many times

I would find the "hacker" and take care of it.

lastb -R root will supply the IP info associated with the attempt. Blackhole the IP to stop the problem. Do not disable the security to make it easier on you.

The unsuccessful attempt counter only resets if a successful attempt is completed.

modprpw -m umaxlntr=99 root, editing the tcb entry, or using SAM are all valid ways to set it.
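Putting Paul's sulog/syslog format and Tim's counter-reset note together: an added example (not from any poster) that parses the "+|- tty user-target" su records, reports failed su attempts to root by source user and tty, and computes the failures since the last successful su, which is what the u_maxtries counter tracks. The log lines are constructed, not real data from these servers.

```sh
#!/bin/sh
# Constructed sample mixing the /var/adm/sulog and syslog.log "su:" formats
# shown in the thread; not real log data from the poster's systems.
SU_SAMPLE='SU 03/14 08:08 + ttyp2 username-root
SU 03/14 08:31 - tb oracle1-root
SU 03/14 08:32 - tb oracle1-root
SU 03/14 09:44 + tb oracle1-root
Mar 14 10:02:11 hostname su: - ttyp3 backup-root
Mar 14 10:05:40 hostname su: - ttyp3 backup-oracle
Mar 14 10:06:02 hostname su: - ttyp2 username-root'

# Emit "status tty source_user" for every su line on stdin whose target is $1.
# Both formats carry "+|- tty user-target" right after the status field.
su_events_to() {
    awk -v t="$1" '
        {
            for (i = 1; i <= NF; i++) if ($i == "+" || $i == "-") break
            if (i > NF - 2) next
            pair = $(i + 2); n = split(pair, p, "-")
            if (p[n] != t) next
            src = pair; sub(/-[^-]*$/, "", src)   # strip "-target", keep dashes in names
            print $i, $(i + 1), src
        }'
}

# "count source_user tty" for failed su to $1, most frequent first
report_failed_su() {
    su_events_to "$1" | awk '$1 == "-" { c[$3 " " $2]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# Failures since the last successful su to $1: the figure that matters for the
# u_maxtries counter, which (per the thread) only resets on a successful attempt.
consecutive_failed_su() {
    su_events_to "$1" | awk '$1 == "-" { s++ } $1 == "+" { s = 0 } END { print s + 0 }'
}

# Succeeds (exit 0) when the current streak has reached MAX ($2, i.e. umaxlntr / u_maxtries)
lockout_imminent() {
    [ "$(consecutive_failed_su "$1")" -ge "$2" ]
}

printf '%s\n' "$SU_SAMPLE" | report_failed_su root
printf 'failures since last success: %s\n' "$(printf '%s\n' "$SU_SAMPLE" | consecutive_failed_su root)"
```

On a live system replace the sample with `cat /var/adm/sulog /var/adm/syslog/syslog.log | report_failed_su root`.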

Fabio Ettore
Honored Contributor

Re: HP-UX root account was deactived some many times

Hi Gary,

yes, umaxlntr=99 is about failed login attempts.
I found the following from man of modprpw:

umaxlntr=value database u_maxtries.

Set Maximum Unsuccessful Login tries allowed. 0 = infinite.

So you can try to change umaxlntr value for root to infinite:

# /usr/lbin/modprpw -m umaxlntr=0 root

Then check that looks infinite (umaxlntr=0):

# /usr/lbin/getprpw root

If you have other problems with locking, I think they won't be about failed login attempts, as that is infinite.

Another hint: anyway, if you have the root account locking problem again, when it happens issue

# /usr/lbin/getprpw root

and check whether the lockout value is still 0000000.

Hope this helps you.

Best regards,
Fabio
WISH? IMPROVEMENT!
Fabio Ettore
Honored Contributor

Re: HP-UX root account was deactived some many times

Hi Gary,

let me say one last thing: as Tim posted, for security reasons having 99 (or infinite) attempts for root login is not so good; I suggested that just for troubleshooting purposes. The first thing would be finding the software/user/IP address/whatever that is trying to access as root. Anyway, the strange thing is that there are no traces of failed logins from anywhere.

Best regards,
Fabio
WISH? IMPROVEMENT!
Gary L
Super Advisor

Re: HP-UX root account was deactived some many times

Hi Tim and Fabio

Thank you very much for your good suggestions above.

lastb -R option is good to me.

I will tune the value umaxlntr to 0.

I want to keep this thread open to see if it works next week.

Thanks a bunch!
Robert-Jan Goossens
Honored Contributor

Re: HP-UX root account was deactived some many times

Hi G,

Just my 2cents.

I use a password manager (keepass), installed sudo on all servers. I only need the root password when booting in single user mode.

http://keepass.info/

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.9p11/

Regards,
Robert-Jan
Gary L
Super Advisor

Re: HP-UX root account was deactived some many times

Hi Robert

Thank you very much for your good suggestion about password manager tool - Keepass.
I will check it soon.

Have a great day

-Gary
Sp4admin
Trusted Contributor

Re: HP-UX root account was deactived some many times

This definitely sounds like a hacker, as stated above. I would check all the recommended logs. Then I would hook up with the network guys, put a sniffer on and try to trap the IPs. Then I would ask the network group to have those IPs blocked.

Sp,
Tim Nelson
Honored Contributor

Re: HP-UX root account was deactived some many times

tcp wrappers is a great way to block an IP from accessing the system services; it is included automatically with all newer versions of ssh.

even better: add a static route for the bad IP to the loopback. He/she will never see the system again from that IP (blackhole).

Gary L
Super Advisor

Re: HP-UX root account was deactived some many times

Hi Sp4admin and Tim

Thank you very much for your good suggestion. I will contact network if possible.

And I will check the functionalities of tcp wrappers.

Thanks again.

-G
Steven E. Protter
Exalted Contributor

Re: HP-UX root account was deactived some many times

Shalom,

In general, I found this happened when script kiddies were attacking my system from the Internet, or an ailing operator forgot what machine he was on and kept trying the wrong password.

To deal with the hacking, I used ipfilter to limit ssh access, stopped accepting telnet logins at all.

Finding the source is most important.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Gary L
Super Advisor

Re: HP-UX root account was deactived some many times

Thanks SEP.

Question for you about ipfilter: is it an HP tool or third-party software running on HP-UX?

Could you provide me some hyperlinks on how to download it and how to use it?

Thanks again.

-G
Robert-Jan Goossens
Honored Contributor

Re: HP-UX root account was deactived some many times

Gary L
Super Advisor

Re: HP-UX root account was deactived some many times

Thanks Robert,

Have a great day.

-G