Operating System - HP-UX

Re: tracking the bad connection

feuillet
Advisor

tracking the bad connection

I would like to know if it is possible to track invalid access, intrusions, and bad connections on my server (HP-UX 11i).
If so, how do you do it, please?

thanks
6 REPLIES
Robert-Jan Goossens
Honored Contributor

Re: tracking the bad connection

Hi,

Are you looking for bad login information ?

# lastb -R | more

The lastb command searches backwards through the database file /var/adm/btmp to display bad login information.

Regards,
Robert-Jan
harry d brown jr
Honored Contributor

Re: tracking the bad connection

Bill Hassell
Honored Contributor

Re: tracking the bad connection

It sounds like you are looking for a security product such as the HP-UX Intruder Detection System. Get a copy from:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS

However, this is not a complete solution for security. It is much better to keep intruders completely out rather than wait for them to be detected. Get a copy of Bastille from: http://software.hp.com/portal/swdepot/searchProducts.do

And in all cases, get a copy of the HP-UX Security book by Chris Wong: http://www.amazon.com/gp/reader/0130330620/ref=sib_dp_pt/103-4611296-5990224#reader-link


Bill Hassell, sysadmin
feuillet
Advisor

Re: tracking the bad connection

Hi Robert Jan Goossens

Thanks for the command, but I don't understand the syntax of the output:

Login ??? namePC date

??? = pts/ta or pts/tb or remshd

What is this?

And is it normal that the password is written in the login field?!
Robert-Jan Goossens
Honored Contributor

Re: tracking the bad connection

The password in the user field is probably a user's mistake.

Check the man page of lastb.

pts entries are telnet/rlogin connections; remsh and rexec are recorded as such. Check the output from a few bad logins from a test account:

rj pts/tb Thu Mar 31 18:08
rj pts/2 Thu Mar 31 18:07
rj remshd Thu Mar 31 18:05
rj rexecd Thu Mar 31 17:02
Bill Hassell
Honored Contributor

Re: tracking the bad connection

> Login ??? namePC date
> ???= pts/ta or pts/tb or remshd
>
> What is this?

The short name such as pts/tc refers to the device file used when the user connects. Over a LAN connection, this field is not useful. It is really designed to show what serial port or modem was used for the login, but hardly anyone uses serial connections anymore. remshd means that the connection was from a remote user that used the remsh command rather than telnet.

With the lastb command, it is most useful to look at the last field (produced by the -R option) which shows what IP address or system name where the user was located.

> And it's normal that the password
> is written at the login location!,

You have discovered one of the problems with the lastb command: it reports what the user typed at the login prompt. Users (especially system administrators and developers) often don't pay attention to the prompts and get mixed up. Thus, they type their password when it says Login, and this is logged into /var/adm/btmp, which is what lastb reports.

So to be more secure, the file: /var/adm/btmp should be set to 600 permissions.


Bill Hassell, sysadmin
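The `lastb -R` workflow from Robert-Jan's first reply and the two points in Bill's last reply (a login name that matches no account is often a mistyped password, and /var/adm/btmp should be mode 600) put together as an added shell example. This is not code from the thread or from HP; the column layout of `lastb -R` (user, line, date, remote host last), the host names, the account list, and the sample lines are all constructed assumptions so that it runs offline, and on a real HP-UX box you would feed it `lastb -R` and `cut -d: -f1 /etc/passwd` instead.

```shell
#!/bin/sh
# Added example, not from the original thread. Summarises `lastb -R` output so
# that repeated failures from one source host and "login names" that match no
# account (likely mistyped passwords) stand out, and checks that /var/adm/btmp
# is owner-only. lastb(1) reads /var/adm/btmp; -R appends the remote host.
# ASSUMPTION: one record per line, user in field 1, remote host in the last field.
LC_ALL=C; export LC_ALL   # stable sort order regardless of the caller's locale

# CONSTRUCTED sample in the style of `lastb -R`; not captured from a real system.
SAMPLE_LASTB='rj        pts/tb   Thu Mar 31 18:08   ws-rj
rj        pts/2    Thu Mar 31 18:07   ws-rj
rj        remshd   Thu Mar 31 18:05   ws-rj
rj        rexecd   Thu Mar 31 17:02   ws-rj
root      pts/ta   Thu Mar 31 16:40   10.0.0.77
root      pts/ta   Thu Mar 31 16:39   10.0.0.77
root      pts/ta   Thu Mar 31 16:39   10.0.0.77
admin     pts/ta   Thu Mar 31 16:38   10.0.0.77
Secr3t!   pts/tb   Thu Mar 31 15:10   ws-rj'

# CONSTRUCTED list of valid accounts (space separated).
# On a live box: KNOWN_ACCOUNTS=$(cut -d: -f1 /etc/passwd | tr '\n' ' ')
KNOWN_ACCOUNTS='root rj oracle'

# stdin: lastb -R records. Output: "count host", most failures first.
failures_by_host() {
    awk '{ n[$NF]++ } END { for (h in n) print n[h], h }' | sort -rn
}

# stdin: lastb -R records; $1: space-separated valid account names.
# Prints login names that match no account: either username guessing or,
# as the thread notes, a password typed at the "login:" prompt. Treat the
# output as sensitive for that reason.
unknown_logins() {
    awk -v accts="$1" '
        BEGIN { n = split(accts, a); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) { print $1 }' | sort -u
}

# Returns 0 when $1 is mode -rw------- (600), 1 otherwise or if missing.
# ls -l rather than stat(1), since stat is not present on older HP-UX.
btmp_perms_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Wrappers over the embedded sample so the script runs with no lastb present.
sample_failures_by_host() { printf '%s\n' "$SAMPLE_LASTB" | failures_by_host; }
sample_unknown_logins()   { printf '%s\n' "$SAMPLE_LASTB" | unknown_logins "$KNOWN_ACCOUNTS"; }

# Stand-alone run. On HP-UX replace the sample with: lastb -R | failures_by_host
echo "== failed logins per source host =="
sample_failures_by_host
echo "== login names matching no account (possible passwords) =="
sample_unknown_logins
echo "== /var/adm/btmp permissions =="
if btmp_perms_ok /var/adm/btmp; then
    echo "ok (600)"
else
    echo "not 600 or missing: chmod 600 /var/adm/btmp; chown root /var/adm/btmp"
fi
```

With the constructed sample, the host summary puts ws-rj first (five records, four of them the test account rj) and 10.0.0.77 second (four records, three of them root in one minute, which is the pattern worth looking at). The unknown-login list contains `admin` and `Secr3t!`; the second is exactly the case Bill describes, so the report itself should only be readable by root.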