Operating System - HP-UX

Script to log attempted LOGINS and FTP's

 
Laurie A. Krumrey
Regular Advisor


Hi All,

My next script...ROOT is not allowed to telnet
in (/etc/securetty says console).

So even if I know the ROOT password I cannot
get a login I get this:

login: root
Password:
Login incorrect

Is there any way to track and log when this
attempt is done? Or even better what
location/ workstation the attempt was made?

We use TCP/IP for our HP boxes so using the
last command I only see something like this:

krumrey pts/tc Sat Jan 12 06:55 - 06:56 (00:00)
lkrumrey pts/tb Sat Jan 12 04:58 still logged in

This pts/tc does not tell me much.

Can I get a log/ history of all attempted
logins and ftp's that fail or don't fail ???

Laurie
Happiness is a choice
Sridhar Bhaskarla
Honored Contributor
Solution

Re: Script to log attempted LOGINS and FTP's

Hi Laurie,

Look at -R option of last and lastb commands.

You don't need to write scripts.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Jeff Machols
Esteemed Contributor

Re: Script to log attempted LOGINS and FTP's

who /var/adm/btmp will give you invalid logins (man utmp)
Christopher Caldwell
Honored Contributor

Re: Script to log attempted LOGINS and FTP's

The ideas from the earlier posters will deal with folks who were denied based on login.

If you want to track denials prior to logon, you can make a script to grep out denied lines from /var/adm/syslog/syslog.log (or another appropriate logging file).

Here's a sample line caused by ftp logged to /var/adm/syslog/syslog.log:
Jan 11 04:36:55 myhost ftpd[2194]: FTP LOGIN REFUSED (access denied) FROM APuteaux-105-1-3-166.abo.wanadoo.fr [80.11.85.166], anonymous@ftp.microsoft.com

Here's one from telnet:
Jan 5 08:40:37 myhost inetd[1502]: telnet/tcp: Access denied for dbcl-4-62-31-152-169.yourhost.com (62.31.152.169) at Sat Jan 5 08:40:37 2002

The aforementioned assumes you're using something like ftphosts or inetd.sec to limit IP based access to your host for telnet and ftp.

To get this, you need to tell inetd to log the entries:
#inetd -l
#tail -f /var/adm/syslog/syslog.log
Jan 14 13:59:18 myhost inetd[1502]: Connection logging enabled

Then you use a command line/script to catch the denied entries:

#grep denied /var/adm/syslog/syslog.log > better_hunt_these_guys_down.txt
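
The grep approach above, extended as an added example (not part of the original post): a POSIX sh/awk filter that counts refusals per service and source address, assuming the two syslog line formats quoted above. The function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: count refused ftp/telnet connections per service and source IP.

# Constructed sample input in the two syslog formats quoted above
# (documentation address ranges, placeholder host names).
sample_log() {
cat <<'EOF'
Jan 11 04:36:55 myhost ftpd[2194]: FTP LOGIN REFUSED (access denied) FROM host-a.example.net [192.0.2.10], anonymous
Jan 11 04:37:02 myhost ftpd[2195]: FTP LOGIN REFUSED (access denied) FROM host-a.example.net [192.0.2.10], anonymous
Jan 14 13:59:18 myhost inetd[1502]: Connection logging enabled
Jan 14 14:01:07 myhost inetd[1502]: telnet/tcp: Access denied for host-b.example.net (198.51.100.7) at Mon Jan 14 14:01:07 2002
Jan 14 14:03:41 myhost inetd[1502]: telnet/tcp: Access denied for host-a.example.net (192.0.2.10) at Mon Jan 14 14:03:41 2002
EOF
}

# Reads syslog text on stdin, prints "count service ip", busiest first.
denied_sources() {
    awk '
    # ftpd refusal: ... FROM <host> [<ip>], <user>
    /ftpd\[[0-9]+\]: FTP LOGIN REFUSED/ {
        ip = ""
        for (i = 4; i < NF; i++)
            if ($i == "FROM") { ip = $(i + 2); break }
        gsub(/\[|\]|,/, "", ip)
        if (ip != "") n["ftp " ip]++
        next
    }
    # inetd denial: ... <service>/tcp: Access denied for <host> (<ip>) at <date>
    /inetd\[[0-9]+\]: [a-z]+\/tcp: Access denied for/ {
        ip = ""
        for (i = 4; i < NF; i++)
            if ($i == "for") { svc = $(i - 3); ip = $(i + 2); break }
        sub(/\/.*/, "", svc)
        gsub(/[()]/, "", ip)
        if (ip != "") n[svc " " ip]++
    }
    # Keyed on the IP only: the logged host name comes from reverse DNS,
    # which the remote end controls.
    END { for (k in n) print n[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Demo run on the constructed sample.
sample_log | denied_sources
```

On the host itself, feed it the real log: `denied_sources < /var/adm/syslog/syslog.log`.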

Deshpande Prashant
Honored Contributor

Re: Script to log attempted LOGINS and FTP's

Hi
If you have "console" entry in /etc/securetty, I don't think lastb will track root trying to login from telnet, other than console.

Instead you will need a little more scripting in .profile of user root.
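##-
# For root's .profile: refuse root sessions that are not on the console
# and append a record of the attempt to the su log.
user=`logname`
sulog="/var/adm/sulog"
# third path component of the tty device, e.g. "console" for /dev/console
TTY=`tty | cut -d/ -f3`

if [ "${user}" = "root" ]
then
    if [ "${TTY}" != "console" ]
    then
        echo "<> | root login allowed only through console .."
        # log timestamp, tty and user for the refused session
        echo " ERR `date` - ${TTY} ${user}" >> "${sulog}"
        exit
    fi
fi

##--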

Thanks.
Prashant Deshpande.
Take it as it comes.