
Logging telnet/ssh sessions on non-trusted systems

Martin J. Buxton
New Member


I'd like to log telnet and/or ssh logins on a non-trusted 11.11 system.

Does anyone know of any scripts or applications that will perform this?

Thanks for any and all replies.
Victor Fridyev
Honored Contributor
Solution

Re: Logging telnet/ssh sessions on non-trusted systems

inetd -l

Or change the configuration of /etc/inetd.conf to do the same thing.

Entities are not to be multiplied beyond necessity - RTFM
James R. Ferguson
Acclaimed Contributor

Re: Logging telnet/ssh sessions on non-trusted systems

Hi Martin:

Create (touch) '/var/adm/wtmp' to log successful logins. Create (touch) '/var/adm/btmp' to track unsuccessful logins. Both files should be owned by 'root' and writeable only by root.

In the case of the 'btmp' file, do *not* confer read privileges to other than root. To do so may expose password or other sensitive information to non-privileged users.

In addition to the 'wtmp' and 'btmp' files which can be examined with 'last' and 'lastb' respectively, you should also examine the switch-user ('su') log:

# /var/adm/sulog

You will see entries that look like:

SU 07/17 11:00 - ttyp3 jrf-root
SU 07/17 11:01 + ttyp3 jrf-root

...a "-" indicates failure; a "+" signals success. The direction of the switch is shown as the last field.

See the manpages for 'last(1)' for more information.

Regards!

...JRF...
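
The sulog format described in the post above, turned into a check (an added example, not part of the original thread): shell functions that count failed 'su' attempts per from-to pair. The function names are hypothetical, and the sample lines other than the two quoted in the post are constructed.

```shell
#!/bin/sh
# Summarise 'su' activity from sulog-format lines.
# Format, as shown in the post: SU MM/DD HH:MM <+|-> <tty> <from>-<to>

# Constructed sample data; on a real system read /var/adm/sulog instead.
sample_sulog() {
cat <<'EOF'
SU 07/17 11:00 - ttyp3 jrf-root
SU 07/17 11:01 + ttyp3 jrf-root
SU 07/17 11:05 - ttyp4 guest-root
SU 07/17 11:06 - ttyp4 guest-root
SU 07/17 11:07 - ttyp4 guest-root
SU 07/18 09:12 + ttyp1 ops-oracle
EOF
}

# failed_su_summary [threshold]
# Reads sulog lines on stdin and prints "<count> <from>-<to>" for every
# from-to pair with at least <threshold> failures (default 1), highest first.
# The from-to field is kept whole because user names may contain hyphens.
failed_su_summary() {
    awk -v min="${1:-1}" '
        $1 == "SU" && NF == 6 && $4 == "-" { fails[$6]++ }
        END { for (k in fails) if (fails[k] >= min) print fails[k], k }
    ' | sort -k1,1nr -k2,2
}

# su_outcome_counts
# Prints "<failures> <successes>" for the sulog lines on stdin.
su_outcome_counts() {
    awk '$1 == "SU" && NF == 6 { if ($4 == "-") f++; else if ($4 == "+") s++ }
         END { print f + 0, s + 0 }'
}

# Demo: show pairs with three or more failed attempts in the sample data.
sample_sulog | failed_su_summary 3
```

On a live system, run it as root with `failed_su_summary 3 < /var/adm/sulog`.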

Martin J. Buxton
New Member

Re: Logging telnet/ssh sessions on non-trusted systems

The "inetd -l" seems to do the job. How would I set it up in inetd.conf for default logging?
Pierre Pasturel
Respected Contributor

Re: Logging telnet/ssh sessions on non-trusted systems

HPUX Host IDS runs on 11.11 and monitors wtmp/btmp and sulog for both successful and failed logins/su, has hooks to perform actions (e.g., send a page, email) when certain attempts are detected, and allows you to centrally manage and monitor multiple systems.

It might be overkill for what you need.

http://h20338.www2.hp.com/hpux11i/cache/324806-0-0-0-121.html

Pierre
Harjit
New Member

Re: Logging telnet/ssh sessions on non-trusted systems

>>The "inetd -l" seems to do the job. How would I set it up in inetd.conf for default logging?

Set export INETD_ARGS="-l" in file /etc/rc.config.d/netdaemons