
unix account disabled

 
Sanjiv Sharma_1
Honored Contributor

unix account disabled

Hi,

HP-UX 11.11
My password policy is when a user types his password wrong for the third time then his unix account will be disabled. It has been observed that his account is getting disabled very frequently and I have to reactivate it.
This user knows the correct password and hence he is not the culprit.

Is there a way to identify who else is trying to hijack his unix account "jerry"?

Thanks in advance,
Everything is possible
5 REPLIES
Warren_9
Honored Contributor

Re: unix account disabled

Hi,

Enable inetd logging:
in /etc/rc.config.d/netdaemons,
export INETD_ARGS="-l"

Restart inetd and the telnet sessions will then be logged in syslog.

Compare the output of lastb and the syslog to find out from which machine someone is trying to log in to that account.

Also, you may need to check the su log, /var/adm/sulog.
Rajeev  Shukla
Honored Contributor

Re: unix account disabled

That's right, the first thing is to enable connection logging in inetd by using the inetd -l command at the command prompt as root.
You should see people accessing this account, which could be either telnet or ftp.
Now what I have experienced is that even the ftp password being wrongly supplied a couple of times can actually disable the account.
So see in syslog who is actually accessing this account (you'll see the IP address or host of the culprit).
Patrick Wallek
Honored Contributor

Re: unix account disabled

This is a good use of the "lastb" command. Do a "lastb -R userid" (where userid is your user's id). The -R will show the IP address or system name that the invalid login attempt came from. That will allow you to get closer to who is disabling the id.


# lastb -R jerry

# man lastb

for more info.
morganelan
Trusted Contributor

Re: unix account disabled

I think the last -R and lastb -R commands in HP-UX are not enough to:

- Monitor accounts and when users log in/out of the system.
- Monitor accounts and what creations/updates/deletions they may perform on the system.

Besides those commands, I think you will need the help of other tools such as:

- OpenView from HP
- Big Brother http://www.bb4.org
- SiteScope from Mercury http://www.mercury.com/us/products/application-management/foundation/monitors/sitescope/

Kamal Mirdad
Ranjith_5
Honored Contributor

Re: unix account disabled

Hi Raje,

lastb -R |grep will give you the details of the bad logins. This information is taken from the /var/adm/btmp file. /var/adm/btmp is the bad login database file.

Regards,
Syam
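
Added example, not part of any reply above: a small sh/awk filter that takes `lastb -R`-style output and counts one account's failed logins per source host, separating ftp from terminal logins as the replies suggest. The function names, the sample lines and the assumed column layout (user, line, source host, weekday, month, day, time, newest entry first) are constructed for illustration; check them against your own system's `lastb -R` output.

```shell
#!/bin/sh
# Count failed logins for one account per source host, from lastb -R text.
# Assumed columns (verify on your system): user line host weekday month day HH:MM
# Assumed order: newest entry first, as `last`/`lastb` normally print.

failed_by_source() {
    # $1 = account name; lastb -R style lines are read from stdin.
    # Output: "<count> <source-host> <ftp|terminal> <most recent attempt>"
    awk -v u="$1" '
        $1 == u {
            # ftp failures count toward the lockout too, so report them separately
            svc = ($2 ~ /^ftp/) ? "ftp" : "terminal"
            k = $3 " " svc
            n[k]++
            # input is newest first, so the first line seen per key is the latest
            if (!(k in last)) last[k] = $5 " " $6 " " $7
        }
        END { for (k in n) print n[k], k, last[k] }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input (not real log data); 192.0.2.0/24 is a documentation range.
sample_lastb() {
cat <<'EOF'
jerry    ftp      192.0.2.45     Tue Mar  8 09:02
jerry    ftp      192.0.2.45     Tue Mar  8 09:01
jerry    ftp      192.0.2.45     Tue Mar  8 09:00
tom      pts/tb   pc-lab-03      Tue Mar  8 08:55
jerry    pts/ta   pc-lab-07      Mon Mar  7 17:40
EOF
}

# Demo on the sample; on a live system run as root:  lastb -R | failed_by_source jerry
sample_lastb | failed_by_source jerry
```

A host that shows a steady run of ftp failures at regular intervals usually points to a script or scheduled job still using an old password; use the "most recent attempt" column to find the matching inetd connection entry in syslog.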