Operating System - HP-UX

root account becoming locked

 
Drew Roberts
Valued Contributor

root account becoming locked

The root account on one of my servers keeps becoming deactivated because of too many incorrect logins.

The root password was changed 2 days ago - and it seems something out there is still trying to use the old password.

Monitoring of getprpw shows the logins incrementing every 10 minutes, 5 unsuccessful logins at a time. For example:
ulogint=Wed Mar 15 13:15:28 2006
culogin=5

ulogint=Wed Mar 15 13:25:28 2006
culogin=10

ulogint=Wed Mar 15 13:35:28 2006
culogin=15

lastb -R and syslog don't have any matching entries. ???

Any suggestions would be greatly appreciated.

Andy
7 REPLIES 7
A. Clay Stephenson
Acclaimed Contributor

Re: root account becoming locked

Look at uloginy, this may give you a clue where these requests are coming from. I would also enable logging on inetd. This has the appearance of a cron on another host.
If it ain't broke, I can fix that.
Drew Roberts
Valued Contributor

Re: root account becoming locked

Thanks for the quick response.

uloginy = -1

I have inetd -l running. But I still don't see anything at the associated time in syslog.

I've checked the cron jobs on my other servers and there aren't any running every 10 minutes. Searching past similar issues, that sure seems like the likely culprit, but the timing doesn't add up.

A. Clay Stephenson
Acclaimed Contributor

Re: root account becoming locked

My next cut at this would be to only allow root logins at the console by setting up an /etc/securetty file. This will still allow you to log in as a regular user and su - root. Are you allowing rlogins or ftp logins that might be using .netrc files? You at least need to get a handle on where these logins are coming from. I would shut down rlogind, ftpd, and telnetd -- in that order until the culogin count stops increasing. It's also time to ask are there any applications which use the telnet, rexec, or rlogin protocols to make connections from clients?
If it ain't broke, I can fix that.
Kent Ostby
Honored Contributor

Re: root account becoming locked

Andy -- check for scripts that get kicked off one time, but may sleep for 10 minutes.

Also, what about EMS or other monitoring tools?

"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"
Kent Ostby
Honored Contributor

Re: root account becoming locked

Another thought is to change the password back and capture where the logins are coming from and then work backwards from there.
"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"
Bill Hassell
Honored Contributor

Re: root account becoming locked

Be sure to also start logging ftp connections (add the -l option to inetd.conf) and if you have sshd running, make sure it is logging in detail. Also check /var/adm/sulog -- someone might be using some remote shell connection that performs an automated su. The suggestion for /etc/securetty will likely stop the direct logins but things like ftp and su may be the cause.


Bill Hassell, sysadmin
Drew Roberts
Valued Contributor

Re: root account becoming locked

Thanks to everyone for your suggestions so far. I'll be doing more looking into this in the next week and will let you know what the solution turns out to be.

Andy
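
Added example, not part of any post in this thread: a small watcher that polls the getprpw counters quoted in the question and, each time culogin rises, saves the socket table, process list and the tail of /var/adm/sulog so the source can be traced. It assumes a trusted-mode system with /usr/lbin/getprpw printing name=value fields as shown above; SNAPDIR, INTERVAL and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes trusted-mode HP-UX with
# /usr/lbin/getprpw; SNAPDIR, INTERVAL and the function names are hypothetical.
GETPRPW=${GETPRPW:-/usr/lbin/getprpw}
SNAPDIR=${SNAPDIR:-/var/tmp/rootlock}
INTERVAL=${INTERVAL:-15}

# Print one field's value from getprpw output on stdin. Accepts one field per
# line (as quoted in the thread) or a comma-separated "a=1, b=2" line.
prpw_field() {
    tr ',' '\n' | sed -n "s/^[[:space:]]*$1=//p" | sed 1q
}

# Print how far the failure counter rose between two readings.
# Status 1: no rise (a drop means a successful login or reset: new baseline).
# Status 2: a reading was missing or not a number.
culogin_delta() {
    case "$1" in ''|*[!0-9]*) return 2 ;; esac
    case "$2" in ''|*[!0-9]*) return 2 ;; esac
    [ "$2" -gt "$1" ] || return 1
    echo $(($2 - $1))
}

# Save what was connected and running at the moment the counter moved.
snapshot() {
    out=$SNAPDIR/$(date +%Y%m%d-%H%M%S)
    mkdir -p "$out" || return 1
    netstat -an > "$out/netstat.txt" 2>&1
    ps -ef      > "$out/ps.txt" 2>&1
    tail -20 /var/adm/sulog > "$out/sulog.txt" 2>&1
    echo "$out"
}

watch_root() {
    prev=$("$GETPRPW" -m culogin root | prpw_field culogin)
    while sleep "$INTERVAL"; do
        reading=$("$GETPRPW" -m ulogint,culogin,uloginy root)
        cur=$(echo "$reading" | prpw_field culogin)
        if d=$(culogin_delta "$prev" "$cur"); then
            echo "culogin +$d at $(echo "$reading" | prpw_field ulogint)," \
                 "evidence in $(snapshot)"
        fi
        prev=$cur
    done
}

if [ "${1:-}" = watch ]; then watch_root; fi
```

Run it as root with the argument `watch`. A connection that opens and closes between two polls will not appear as ESTABLISHED in the snapshot, so a shorter INTERVAL around the expected ten-minute mark improves the odds of catching it.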