Operating System - HP-UX

Trap 5 Consecutive Unsuccessful LOGIN Attempts

Prasad Pujari
New Member

We are having this security issue wherein we have to alert the SA if a user tries five consecutive unsuccessful login attempts during a single session.
This has to be done WITHOUT using SAM, through unix scripts.
OS - HP UX 10.2.
Moreover this is a Tier1/Tier2 Architecture.
Michael Tully
Honored Contributor

Re: Trap 5 Consecutive Unsuccessful LOGIN Attempts

Hi,

You don't say whether your system is trusted or not.
If it is trusted you can have the unsuccessful login attempts set to 5 and then the account will be disabled and the user will not be able to login at all. To find out how many sessions have been unsuccessful you would use the 'lastb' command. You could do this daily or hourly at your own discretion.
This command works whether the system is trusted or not.

One other way could be to write a script which uses the output of the /usr/lbin/getprpw -m
This will provide in field 4 a value of 1 (I think) that means "exceeding unsuccessful login attempts".

HTH
-Michael
Anyone for a Mutiny ?
Jared Westgate_1
Valued Contributor

Re: Trap 5 Consecutive Unsuccessful LOGIN Attempts

Hey Prasad,

I wrote a script that I think will work for you. It shows the users that have more than $LIMIT attempted logins on the current date. If you want it to check on yesterdays date, you'd have to change CURRDATE to:

YDATE=`TZ=$(date +%Z)+24 date "+%a %b %e"`

Also, make sure you change all references from CURRDATE to YDATE if you do that. Anyway, here is the script:

CURRDATE=`date +"%a %b %e"`
LIMIT=5
# user name (first field) of every failed login recorded today, sorted
lastb | head -100 | grep "$CURRDATE" | sort | cut -f1 -d" " > /tmp/badlog.tmp
LASTLINE=null
while read LINE
do
  # the list is sorted, so each user is counted once, when first seen
  if [ "$LINE" != "$LASTLINE" ]
  then
    # -x matches the whole line, so counting "bob" does not also count "bobby"
    BADCOUNT=$(grep -cx "$LINE" /tmp/badlog.tmp)
    LASTLINE=$LINE
    if [ $BADCOUNT -ge $LIMIT ]
    then
      echo "$LINE $BADCOUNT"
    fi
  fi
done < /tmp/badlog.tmp
rm -f /tmp/badlog.tmp

One last note. Lastb will show you all the bad logins, regardless of year. Unfortunately, I don't know of a way to distinguish between the different years in lastb (it doesn't show the year). So, to get around this, I only took the first 100 lines of the lastb output. You may have to change this if it is not enough for your environment.

Oh yeah, this is for a non-trusted system. For a trusted system, follow Michael's advice.

I hope this helps,

Jared
Prasad Pujari
New Member

Re: Trap 5 Consecutive Unsuccessful LOGIN Attempts

Thanks Michael and Jared for your recommendations.

One of the questions I have for you is: how do I find out whether my system is trusted or not?
Moreover, I have to find the best and most efficient solution which will not be an overhead to the system. Our HP UX platform has around 12,000 users across 66 centers, so volume is high.

Thanks,
Prasad.
Jared Westgate_1
Valued Contributor

Re: Trap 5 Consecutive Unsuccessful LOGIN Attempts

Hello again Prasad,

I'm not sure about testing if your system is trusted or not, but I believe that if you type in the "audsys" command with no parameters it will tell you. To my understanding, if this returns a status of on, then your system has to be trusted. But, I'm no expert on trusted systems. I've never had one.

As far as impact to the system, the script I wrote should have very little impact. When I ran it using time, I got 0.2 seconds real time, with 0.1 seconds system time. This will, of course, vary depending on your system. Give it a try on your test system using the time command to see how long it runs on your system.

I would just set this script up in a cron job that runs once an hour during working hours. It would automatically email the cron owner if it returns anything, or you could modify it to send the results via a different method. Or, have it write to a file that you check every so often. Anyway you do it, it should have little impact.

Regards,

Jared
Patrick Wallek
Honored Contributor

Re: Trap 5 Consecutive Unsuccessful LOGIN Attempts

You can check to see if your system is trusted by just looking to see if you have a /tcb directory on your system and if there is anything in it. When the system is trusted, the /tcb directory structure is created and this is where the password information for all users is kept.

There is really no easy way that I know of to notify the SA if there are X number of incorrect login attempts in one session. If your system is trusted, as said above, you can set all users accounts to be disabled after 5 unsuccessful login attempts, but there is no way to notify the SA other than the phone calls you will receive after the users account is disabled.
Bill Hassell
Honored Contributor

Re: Trap 5 Consecutive Unsuccessful LOGIN Attempts

The easiest to tell if your system is trusted is:

/usr/lbin/modprpw

It will state either: System is not trusted.
or it will give a Usage statement. The return code will be 5 (not trusted) or 2 (not enough parameters).

For non-trusted systems, just use the lastb command. Note: the terminology 5 times in one session doesn't mean a lot...there is no session until the user actually logs in. What you may mean is the duration of a telnet connection which can't be directly monitored. However, you can use the lastb command as in:

lastb -R

Use the timestamp to determine if the retries occur within a short time. Note that the log for lastb is not cleaned automatically so there may be very old entries. You'll need to cycle the logs /var/adm/btmp and also /var/adm/btmp.


Bill Hassell, sysadmin
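The two ideas above, Jared's per-user count of lastb entries and Bill's point that only failures close together in time count as one "session" of retries, can be combined in a single script. The following is an added example and not code posted in this thread; it assumes lastb prints one failure per line, newest first, ending in "Dow Mon dd HH:MM" with no year (the format the thread relies on), and the sample lines it reads are constructed, not real log data. It goes beyond Jared's script in that it walks the entries chronologically and only counts a failure towards a run when it follows the previous failure for that user within a configurable number of minutes.

```shell
#!/bin/sh
# Added example (not from the thread): find runs of failed logins per user
# in lastb output.  Assumes lastb prints one failure per line, newest first,
# ending in "Dow Mon dd HH:MM" with no year; sample data below is constructed.

# flag_bad_logins LIMIT WINDOW_MINUTES
# Reads lastb output on stdin and prints "user count" for every user who
# made at least LIMIT consecutive failed attempts with no more than
# WINDOW_MINUTES between one failure and the next.
flag_bad_logins() {
    LIMIT=${1:-5}
    WINDOW=${2:-10}
    awk -v limit="$LIMIT" -v window="$WINDOW" '
    BEGIN {
        # "minutes since Jan 1" needs a day offset per month (non-leap year)
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ")
        split("0 31 59 90 120 151 181 212 243 273 304 334", off, " ")
        for (i = 1; i <= 12; i++) cum[mon[i]] = off[i]
    }
    NF >= 4 && $NF ~ /^[0-9][0-9]:[0-9][0-9]$/ {
        split($NF, hm, ":")
        user[NR] = $1
        when[NR] = ((cum[$(NF-2)] + $(NF-1)) * 24 + hm[1]) * 60 + hm[2]
    }
    END {
        # lastb lists the newest failure first; walk backwards so that each
        # user is seen in chronological order
        for (i = NR; i >= 1; i--) {
            if (!(i in user)) continue
            u = user[i]; t = when[i]
            if (u in last && t - last[u] <= window) run[u]++
            else run[u] = 1
            last[u] = t
            if (run[u] >= limit && run[u] > best[u]) best[u] = run[u]
        }
        for (u in best) print u, best[u]
    }' | sort
}

# Constructed sample in lastb -R layout: user tty host Dow Mon dd HH:MM
sample_lastb() {
cat <<'EOF'
alice    pts/3    10.1.2.3    Mon Apr 12 10:19
alice    pts/3    10.1.2.3    Mon Apr 12 10:18
bob      pts/7    10.1.2.9    Mon Apr 12 10:17
alice    pts/3    10.1.2.3    Mon Apr 12 10:17
alice    pts/3    10.1.2.3    Mon Apr 12 10:16
alice    pts/3    10.1.2.3    Mon Apr 12 10:15
carol    pts/1    10.1.2.5    Mon Apr 12 09:50
carol    pts/1    10.1.2.5    Mon Apr 12 09:20
carol    pts/1    10.1.2.5    Mon Apr 12 08:50
carol    pts/1    10.1.2.5    Mon Apr 12 08:20
carol    pts/1    10.1.2.5    Mon Apr 12 07:50
bob      pts/7    10.1.2.9    Sun Apr 11 23:59
EOF
}

# usage: alice fails five times within five minutes and is reported;
# carol also fails five times, but 30 minutes apart, so a 10-minute window
# treats them as separate incidents; bob never reaches the limit.
sample_lastb | flag_bad_logins 5 10
```

On a live system replace sample_lastb with `lastb -R` (or `lastb`; the script takes the date from the end of the line, so the host column is optional). Because lastb shows no year, the minute arithmetic only makes sense while btmp is cycled regularly, as Bill notes; an entry from last April would otherwise be counted as if it were this April.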
Sundar_7
Honored Contributor

Re: Trap 5 Consecutive Unsuccessful LOGIN Attempts

Hi Prasad,

To find out whether your system is trusted or not:

* Check whether you have a /tcb directory.

* Yes, giving the audsys command is going to tell you whether the system is trusted or not.

* Also, in /etc/passwd the password field won't be there; it should have been replaced with an "*" asterisk.

* To trap the number of unsuccessful attempts, you are going to go for "lastb" and set up a script.

* Or use /usr/sbin/fwtmp to create an ASCII version of /var/adm/btmp. I am not sure of this, but you can try.

* Then you can set the defaults in /tcb/files/auth/defaults, where you can specify how many bad login attempts to disable the user.

Hope this helps you out

Sundar


Learn what to do, how to do and, more importantly, when to do?