
Trying to find IP address of server that locked account during ftp login.

 
Joe Profaizer
Super Advisor

Is there a way to identify the IP address of the server that unsuccessfully tried logging into our HPUX server and hence locked out the account? I have searched syslog and other logs to no avail.

I guess I'm asking for an audit trail of unsuccessful logins and also having the ability to identify the originating IP address or server that locked the respective account.

We're running HP-UX 11.11 on an L2000.

Thanks,

..Joe
5 REPLIES 5
Steven E. Protter
Exalted Contributor

Re: Trying to find IP address of server that locked account during ftp login.

Shalom,

inetd -l

sets enhanced logging.

There may be a record of bad logins in /var/adm/syslog/btmp

lastb

Is the command that shows bad logins.

I don't recall if bad ftp logins log there.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Jeff_Traigle
Honored Contributor

Re: Trying to find IP address of server that locked account during ftp login.

If you have the -l option on ftpd in /etc/inetd.conf, it'll log to syslog. From there, you can see unsuccessful login attempts. It's typical in my experience that these types of problems occur because of cron jobs that have passwords in them. The password gets changed on the account and the script doesn't get updated so unsuccessful login attempts start piling up. The only way I've found to track down the server causing the problem is to watch for an occurrence in syslog. The PID of the ftpd associated with the rogue access attempt is shown there. Then, since ftpd takes a few seconds to time out from the unsuccessful login attempt, you can grep for the PID in the "ps -ef" output. (ps -ef | grep PID) The IP address making the connection is displayed there. A bit of a pain, but it works and it was the only way I found to track it down.
--
Jeff Traigle
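
The syslog-to-ps correlation described in the reply above, as an added example that is not part of the original post: it pulls the PIDs of failing ftpd entries out of a syslog file and prints the matching lines from a saved `ps -ef` snapshot. The function names, the log and ps line layouts, and the sample data are assumptions constructed for illustration.

```shell
# Added example. The syslog and ps line layouts are assumptions; adjust the
# patterns to what your ftpd actually writes.

# Print the unique PIDs of ftpd syslog entries that report a failure.
failed_ftpd_pids() {
    awk 'tolower($0) ~ /fail/ && match($0, /ftpd\[[0-9]+\]/) {
             pid = substr($0, RSTART + 5, RLENGTH - 6)
             if (!(pid in seen)) { seen[pid] = 1; print pid }
         }' "$1"
}

# Print the saved "ps -ef" lines whose PID column (field 2) is one of the PIDs.
match_ps_by_pid() {
    ps_file=$1; shift
    for pid in "$@"; do
        awk -v p="$pid" '$2 == p' "$ps_file"
    done
}

# trace_ftp_lockout SYSLOG_FILE PS_FILE: ps lines for failing ftpd sessions.
trace_ftp_lockout() {
    pids=$(failed_ftpd_pids "$1")
    [ -n "$pids" ] || return 1      # no failed ftpd logins in this log
    match_ps_by_pid "$2" $pids      # unquoted on purpose: one argument per PID
}

# Constructed sample data (not real logs), written to directory $1.
write_samples() {
    cat > "$1/syslog.log" <<'EOF'
Mar  3 10:15:20 hpsrv1 ftpd[4321]: FTP LOGIN FROM 192.0.2.10 [192.0.2.10], appuser
Mar  3 10:15:22 hpsrv1 ftpd[4377]: failed login from 192.0.2.45 [192.0.2.45], appuser
Mar  3 10:15:23 hpsrv1 sshd[4400]: Failed password for root
EOF
    cat > "$1/ps.out" <<'EOF'
     UID   PID  PPID  C    STIME TTY       TIME COMMAND
    root  4321   987  0 10:15:20 ?         0:00 ftpd: 192.0.2.10: appuser
    root  4377   987  0 10:15:22 ?         0:00 ftpd: 192.0.2.45: connected
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    trace_ftp_lockout "$d/syslog.log" "$d/ps.out"; rc=$?
    rm -rf "$d"; return "$rc"
}

demo
```

On a live system the `ps -ef` snapshot has to be taken within the few seconds before the failing ftpd times out, so save it to a file as soon as the syslog entry appears and pass that file as the second argument.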
Jeff Schussele
Honored Contributor

Re: Trying to find IP address of server that locked account during ftp login.

Hi Joe,

Just start inetd with -l

/usr/sbin/inetd -l

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Patrick Wallek
Honored Contributor

Re: Trying to find IP address of server that locked account during ftp login.

inetd logging doesn't do you much good after the fact.

You can try a 'lastb -R' and see if the FTP logins show up.
Sheriff Andy
Trusted Contributor

Re: Trying to find IP address of server that locked account during ftp login.

Our network admins did a network intrusion test on our network without our knowledge and it locked out some of our accounts.

The way we found out was by doing the lastb -R as suggested in the earlier post. You can grep for ftp as well.

Andy