Operating System - HP-UX

Re: Root account keeps becoming disabled

 
Christopher Powers
Occasional Contributor

Root account keeps becoming disabled

On my HP-UX B.11.23 trusted system, my root account keeps becoming disabled.

When I try to su to root, I get the following error:

>su -
Password:
Account is disabled - see Account Administrator
su: Sorry

To re-enable the root account, I just need to log in as root from the console. After successfully logging in from the console as root, the root account is no longer disabled. Here's the output from a console login:

Console Login: root
Password:
Account is disabled but console login is allowed.
Last successful login for root: Mon Dec 12 15:16:02 EST5EDT 2005 on console
Last unsuccessful login for root: Tue Dec 13 06:16:10 2005
Please wait...checking for disk quotas
. . . (the login process continues successfully)

After logging in as root from the console, I can then su to root.

I've checked syslog.log file and I don't see any obvious messages as to why the root account is becoming disabled. I also checked the sulog and I don't see anything strange there either (nobody trying to su to root).

Does anyone have any ideas why my root account is becoming disabled? Or any ideas on what else I can check or do to pinpoint the cause?
Muthukumar_5
Honored Contributor

Re: Root account keeps becoming disabled

Are there entries with - for the root user? In a trusted system, if you try to log in with the wrong password, the account will be locked after the number of allowed attempts.

-Muthu
Easy to suggest when don't know about the problem!
Muthukumar_5
Honored Contributor

Re: Root account keeps becoming disabled

Maybe the root password is expired. You are able to su to the root user when the system is turned to trusted. See this:

Except for user root, users on a trusted system cannot use su to
change to an account that has been locked because of expired passwords
or other access restrictions.

-Muthu
Easy to suggest when don't know about the problem!
Mark Nieuwboer
Esteemed Contributor

Re: Root account keeps becoming disabled

Hi,

The last unsuccessful login was Tue Dec 13 06:16:10 2005. Was that you, or was someone else logged on?
Furthermore, is direct login disabled for root?
If not, and your syslogd.conf isn't configured correctly, you won't see it in syslog.

grtz. Mark
RAC_1
Honored Contributor

Re: Root account keeps becoming disabled

The root account is locked due to unsuccessful login attempts. Unless you log onto the system, you cannot do anything about it.

Do you have alternate root account?? If yes log on and check.

/usr/lbin/getprpw root
If lockout parameter has 1 in it, account is locked due to something.

/usr/lbin/modprpw -k root --> to unlock it.

If above does not work, you will have to boot into single user mode and do above.
There is no substitute to HARDWORK
Sยภเl Kย๓คг
Respected Contributor

Re: Root account keeps becoming disabled

Hi,

Better to disable the security auditing done on the root user. Then disable the direct root login and implement 'su -' or sudoers to log in as root. You can enable only a particular user group to issue su - and log in as root.

Regards,
Sunil
Your imagination is the preview of your life's coming attractions
Christopher Powers
Occasional Contributor

Re: Root account keeps becoming disabled

Muthu:
(a) Here's the contents of the sulog (ya170b4 is my user ID). Notice there is nothing other than me su'ing to root and root su'ing to oracle.
SU 12/12 06:21 - 0 ya170b4-root
SU 12/12 08:55 + ttyp0 ya170b4-root
SU 12/12 08:56 + tc ya170b4-root
SU 12/12 10:03 + tb ya170b4-root
SU 12/12 19:00 + tty?? root-oracle
SU 12/12 20:30 + tty?? root-oracle
SU 12/12 21:00 + tty?? root-oracle
SU 12/12 21:30 + tty?? root-oracle
(b) Root's password is not expired. I can log in from the console with the original password and the system does not notify me that the password has expired.

Mark:
(a) The last unsuccessful login on Dec 13 at 06:16:10 2005 was me attempting to su to root. Since root's account was disabled, the su failed.
(b) Root can not directly log into the system. The only way root can log in is either by an su to root or via the console.
(c) Here's what my syslog.conf file looks like
mail.debug /var/adm/syslog/mail.log
*.info;mail.none /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root
*.emerg *
user.debug /var/adm/syslog/syslog.log

RAC:
I don't think root's account is locked - it's just disabled (do these mean the same thing?). I do not have an alternate root account (any document or link on how to set one up?). Also, just logging in as root from the console re-enables the ID, so I don't think I need to boot into single user mode.

Sunil:
Root can not directly log in (only su or console login for root access). And I don't see any indication that someone is hacking the system.

Mark Nieuwboer
Esteemed Contributor

Re: Root account keeps becoming disabled

Hi Christopher,

A strange problem.
Does root disable itself every day or only at some periods?
Can you look through sam to see what the security settings are?
Is the account lifetime maybe expired, or may root only log in at certain times?

grtz. Mark
Christopher Powers
Occasional Contributor

Re: Root account keeps becoming disabled

Mark,

I'm not sure how often this happens, but it does seem to be sporadic (not every day or at a specific time). I'm going to try and put some checks in place to see if I can find out exactly when this happens (without any information in syslog, it's kind of tough).

I did check sam for the security settings and here's what I see (the important ones):
Login times = "All days, every day"
Password aging = "Disabled"
Account life time = "None (infinite)"
Max inactivity = "Disabled"
Unsuccessful login tries = "Default (5)"
Sยภเl Kย๓คг
Respected Contributor

Re: Root account keeps becoming disabled

Hi,

I would recommend that you increase the Unsuccessful login tries = "Default (5)" to something above 20. And also monitor syslog, and keep a close watch on the root logins.

Good that you have disabled the direct root console login. But there is a chance that some ftp connection or remote login connection tries to log in as root continuously and fails. It can also be some program running on some other machine, trying to do ftp with root access or something of that kind.

Thoroughly monitor the syslog.

Regards,
Sunil
Your imagination is the preview of your life's coming attractions
Patrick Wallek
Honored Contributor

Re: Root account keeps becoming disabled

You can check to see if anyone has tried to login to root directly and failed by doing a:

# lastb -R root

This will show all failed root logins and the hostname or IP address that they came from. This may help you track down the culprit.
Christopher Powers
Occasional Contributor

Re: Root account keeps becoming disabled

It happened again last night sometime. If I do a lastb -R root, I do not see any unsuccessful login attempts since October 27. Here's the output:

#lastb -R root
root rexecd powersc.psc.uss. Thu Oct 27 14:20
root ftp powersc.psc.uss. Wed Sep 14 12:17
root rexecd powersc.psc.uss. Thu Aug 25 13:46
root pts/tb pltsuph-d600143. Fri Jun 10 13:10
root console Fri Jun 10 09:46
root console Fri Jun 10 09:46
root ftp conch.psc.uss.co Thu Jun 9 07:32
root pts/ta olive.psc.uss.co Wed Jun 8 13:40
root pts/tb localhost Wed Jun 8 11:25

Before I left for the day, I logged into the console and left it up to see if there were any messages on the console, and there weren't any messages on the console.

When I run the /usr/lbin/getprpw root command, here's the output:

#/usr/lbin/getprpw root
uid=0, bootpw=YES, audid=0, audflg=1, mintm=0, maxpwln=-1, exptm=0, lftm=0, spwchg=Thu Oct 27 14:26:25 2005, upwchg=Thu Apr 21 13:07:35 2005, acctexp=-1, llog=0, expwarn=0, usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Tue Dec 13 15:15:54 2005, ulogint=Wed Dec 14 05:33:59 2005, sloginy=pts/0, culogin=582, uloginy=-1, umaxlntr=-1, alock=NO, lockout=0001000

Any other ideas or suggestions?

Thanks,
Chris
RAC_1
Honored Contributor

Re: Root account keeps becoming disabled

The problem is this.
lockout=0001000

A digit 1 at the 4th position means: unsuccessful logon attempts exceeded.

Do /usr/lbin/modprpw -k root and you should be fine.
There is no substitute to HARDWORK
RAC_1
Honored Contributor

Re: Root account keeps becoming disabled

Also, what does the following return?
/usr/lbin/getprdef -bpt
There is no substitute to HARDWORK
Doug Kratky
Frequent Advisor

Re: Root account keeps becoming disabled


We have the same problem, too, on several HP-UX 11.11 trusted systems.

- root becomes disabled due to too many unsuccessful logins
- "/usr/lbin/getprpw root" can be used to see the number of unsuccessful logins and the time of the last unsuccessful login
- we have turned on logging for inetd and ftpd
- lastb does not show bad logins; /var/adm/syslog/syslog.log does not show anything at time of unsuccessful login
- we reset the root account and it starts all over again

I would appreciate anyone on this thread who could tell us (and Christopher) how to trap the bad login source given that lastb and syslog.log don't help. Is there anything else we can turn on?


Thanks,
Doug
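
Added example (not part of any post in this thread, and not HP code): a POSIX shell sketch that decodes the lockout field RAC_1 describes and pulls out the failed-login counter and timestamp Doug mentions, using the tail of the getprpw line posted above as constructed sample input. The function names are hypothetical; only bit position 4 is stated in the thread, and the other six positions are taken from getprpw(1M) as an assumption to check on your release.

```shell
#!/bin/sh
# Added example: decode getprpw output on an HP-UX trusted system.
# Constructed sample: tail of the getprpw line posted in the thread.
SAMPLE='slogint=Tue Dec 13 15:15:54 2005, ulogint=Wed Dec 14 05:33:59 2005, sloginy=pts/0, culogin=582, uloginy=-1, umaxlntr=-1, alock=NO, lockout=0001000'

# prpw_field LINE NAME: print the value of NAME= from a getprpw line.
prpw_field() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^ *$2=//p"
}

# decode_lockout BITS: name every lock reason set in the 7-character field.
# Position 4 is stated in the thread; the other positions follow getprpw(1M)
# as recalled here (assumption, verify against the man page on your release).
decode_lockout() {
    bits=$1
    if [ "${#bits}" -ne 7 ]; then
        echo "unexpected lockout value: $bits" >&2
        return 2
    fi
    i=1
    out=
    for reason in \
        "past password lifetime" \
        "past last login time (inactive account)" \
        "past absolute account lifetime" \
        "exceeded unsuccessful login attempts" \
        "password required and a null password" \
        "admin lock" \
        "password is a *"
    do
        if [ "$(printf '%s' "$bits" | cut -c "$i")" = 1 ]; then
            out="${out}${out:+; }${reason}"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "${out:-not locked}"
}

# lock_report LINE: one-line summary suitable for a timestamped cron log.
lock_report() {
    printf 'failed=%s last_failed=%s reasons=%s\n' \
        "$(prpw_field "$1" culogin)" \
        "$(prpw_field "$1" ulogint)" \
        "$(decode_lockout "$(prpw_field "$1" lockout)")"
}

lock_report "$SAMPLE"
```

On the HP-UX host itself, call lock_report "$(/usr/lbin/getprpw root)" instead of passing the sample. Logging that line with a date stamp at short intervals narrows down when the counter moves, which can then be matched against inetd and ftpd connection logs.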