HPE Community
Operating System - HP-UX
1834331 Members
2338 Online
110066 Solutions
New Discussion

Logging telnet/ssh sessions on non-trusted systems

 
SOLVED
Go to solution
Martin J. Buxton
New Member

‎07-18-2006 03:24 AM

‎07-18-2006 03:24 AM

Logging telnet/ssh sessions on non-trusted systems

I'd like to log telnet and/or ssh logins on a non-trusted 11.11 system.

Does anyone know of any scripts or applications that will perform this?

Thanks for any and all replies.
0 Kudos
Reply
5 REPLIES 5
Victor Fridyev
Honored Contributor

‎07-18-2006 03:28 AM

‎07-18-2006 03:28 AM

Solution

Re: Logging telnet/ssh sessions on non-trusted systems

inetd -l

Or change the configuration of /etc/inetd.conf to do the same thing.

Entities are not to be multiplied beyond necessity - RTFM
Reply
James R. Ferguson
Acclaimed Contributor

‎07-18-2006 03:29 AM

‎07-18-2006 03:29 AM

Re: Logging telnet/ssh sessions on non-trusted systems

Hi Martin:

Create (touch) '/var/adm/wtmp' to log successful logins. Create (touch) '/var/adm/btmp' to track unsuccessful logins. Both files should be owned by 'root' and writeable only by root.

In the case of the 'btmp' file, do *not* confer read privileges to other than root. To do so may expose password or other sensitive information to non-privileged users.

In addition to the 'wtmp' and 'btmp' files which can be examined with 'last' and 'lastb' respectively, you should also examine the switch-user ('su') log:

# /var/adm/sulog

You will see entries that look like:

SU 07/17 11:00 - ttyp3 jrf-root
SU 07/17 11:01 + ttyp3 jrf-root

...a "-" indicates failure; a "+" signals success. The direction of the switch is shown as the last field.

See the manpages foor 'last(1)' for more information.

Regards!

...JRF...

0 Kudos
Reply
Martin J. Buxton
New Member

‎07-18-2006 04:15 AM

‎07-18-2006 04:15 AM

Re: Logging telnet/ssh sessions on non-trusted systems

The "inetd -l" seems to do the job. How would I set it up in inetd.conf for default logging?
0 Kudos
Reply
Pierre Pasturel
Respected Contributor

‎07-21-2006 04:35 AM

‎07-21-2006 04:35 AM

Re: Logging telnet/ssh sessions on non-trusted systems

HPUX Host IDS runs on 11.11 and monitors wtmp/btmp and sulog for both successful and failed logins/su, has hooks to perform actions (e.g., send a page, email) when certain attempts are detected, and allows you to centrally manage and monitor multiple systems.

It might be overkill for what you need.

http://h20338.www2.hp.com/hpux11i/cache/324806-0-0-0-121.html

Pierre
0 Kudos
Reply
Harjit
New Member

‎08-02-2006 01:59 PM

‎08-02-2006 01:59 PM

Re: Logging telnet/ssh sessions on non-trusted systems

>>The "inetd -l" seems to do the job. How would I set it up in inetd.conf for default logging?

Set export INETD_ARGS="-l" in file /etc/rc.config.d/netdaemons

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.