
prevent remshd from logging entries into /var/adm/wtmps

 
kenny chia
Regular Advisor

Hi
I have a lot of systems logging into my HPUX11i server using remote shell (rsh).
I think it has resulted in the size of wtmps to grow to 300MB.

How do I disable remshd from logging entries into /var/adm/wtmps ?
All Your Bases Are Belong To Us!
VK2COT
Honored Contributor

Re: prevent remshd from logging entries into /var/adm/wtmps

Hello,

I am not aware of any easy method to disable logging for remshd, unless you

a) Have access to remshd source code to recompile it.

or

b) Use some rshd alternative. In old times, before I stopped using R* protocols altogether, I was very fond of Wietse Venema's logdaemon suite of toolkits.

c) Play with user accounting management options.

or (best option):

d) Decide to move away from R* protocols and migrate to SSH/SFTP/SCP.

The logging capabilities are directly coded into remshd daemon.

HP-UX 11v2 and v3 use utmps-like structure, and one of the key elements is:

#define WTMPS_FILE "/var/adm/wtmps"

It would be interesting to see what could be gained if environment variable WTMPS_FILE pointed to another file or /dev/null? However, this would affect all logging on the server, not just remshd.

Frankly, you are probably better off leaving the logging as it is and setting up some utmps/wtmps log file recycling on a regular basis. That way:

1. You satisfy some basic IT security audits (the auditors like to see proof that you collect login details - even though that information is easily hacked - most security auditors are not technically competent people anyway - I dealt with many of them in my work :));

2. You do not risk wtmps file growth beyond unmanageable size;

Even better, disable remshd and start using SSH.

Cheers,

VK2COT
VK2COT - Dusan Baljevic
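The "recycle wtmps on a regular basis" advice above, worked through as an added example that is not part of this thread and not an HP-UX tool: a copy-then-truncate rotation in POSIX sh. The file is copied to a dated archive and then truncated in place rather than renamed, because a daemon that already holds the accounting file open keeps writing to the original inode; renaming it would leave the live path empty while the records go into the moved file. The archive directory, retention count and size threshold are hypothetical defaults, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, not HP-UX's own tooling):
# copy-then-truncate rotation for a wtmps-style accounting file that a
# running daemon keeps open. Truncating in place preserves the inode, so
# the daemon's open descriptor stays valid and later records still land
# in /var/adm/wtmps (or whatever live file is passed in).
# Assumptions: POSIX sh and utilities only; the archive directory layout
# and the default retention count of 8 are hypothetical.

# rotate_wtmps LIVE_FILE ARCHIVE_DIR [KEEP]
#   Copies LIVE_FILE to ARCHIVE_DIR/<name>.<YYYYMMDDhhmmss>, truncates
#   LIVE_FILE, deletes all but the newest KEEP archives, and prints the
#   path of the archive just written.
rotate_wtmps() {
    live=$1
    archdir=$2
    keep=${3:-8}
    name=$(basename "$live")

    [ -f "$live" ] || { echo "rotate_wtmps: $live not found" >&2; return 1; }
    mkdir -p "$archdir" || return 1

    stamp=$(date +%Y%m%d%H%M%S)
    archive="$archdir/$name.$stamp"

    # Copy first so that no records are lost if the truncate step fails.
    cp "$live" "$archive" || return 1
    # Truncate in place (same effect as "cat /dev/null > file"):
    # the inode, and so the daemon's open descriptor, survive.
    : > "$live" || return 1

    # Prune old archives. The timestamp suffix sorts lexically, so a
    # reverse name sort lists newest first; everything past KEEP goes.
    ls -1 "$archdir"/"$name".* 2>/dev/null \
        | sort -r \
        | awk -v keep="$keep" 'NR > keep' \
        | while IFS= read -r old; do rm -f "$old"; done

    echo "$archive"
}

# wtmps_over_limit FILE LIMIT_BYTES
#   Exit 0 when FILE is larger than LIMIT_BYTES, 1 otherwise; meant as the
#   condition a cron job would test before calling rotate_wtmps.
wtmps_over_limit() {
    size=$(wc -c < "$1" | tr -d ' ') || return 1
    [ "$size" -gt "$2" ]
}

# Example invocation (hypothetical paths; the 200 MB threshold is arbitrary):
#   wtmps_over_limit /var/adm/wtmps 209715200 && \
#       rotate_wtmps /var/adm/wtmps /var/adm/wtmps.archive 8
```

Run from cron at whatever interval keeps the live file well under the size that became a problem here; the archives remain readable by the same accounting tools as the live file, so the login history the auditors want is still on disk.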
kenny chia
Regular Advisor

Re: prevent remshd from logging entries into /var/adm/wtmps

Thanks for the feedback. Originally I wanted to clear the wtmps by doing

# cat /dev/null > /var/adm/wtmps

But the file is being used by the pcnfsd process

# fuser ./wtmps
./wtmps: 594o

ps -ef | grep 594
root 594 1 0 Dec 11 ? 0:09 /usr/sbin/rpc.pcnfsd

Is it safe to run # cat /dev/null > /var/adm/wtmps
All Your Bases Are Belong To Us!
Ramesh S
Esteemed Contributor

Re: prevent remshd from logging entries into /var/adm/wtmps

Hi Kenny

You need to edit /etc/inetd.conf and change the line

shell stream tcp nowait root /usr/lbin/remshd remshd

to

shell stream tcp nowait root /usr/lbin/remshd remshd -t

run "inetd -c"

It should prevent logging remshd in /var/adm/wtmp.

Thanks & Regards

Ramesh
VK2COT
Honored Contributor

Re: prevent remshd from logging entries into /var/adm/wtmps

Hello,

a) Yes, you can cp /dev/null over /var/adm/wtmps as long as you do not care about lost records.

b) Frankly, I am not aware of flag "-t" for remshd that Ramesh mentions. It is not an official flag (unless it is an undocumented one, or I am too much enjoying my holidays and forgot about this flag :)).

Cheers,

VK2COT
VK2COT - Dusan Baljevic