Sat Jun 19 18:51:20 2004 Login auditing
Posted by Tony Lawrence
Logging failed logins discusses some aspects of monitoring and logging login failures.
That's SCO related, but modern Windows systems can also track bad logins and incorrect password attempts.
Linux has a nice faillog command and lastb also (note that you need to create the "btmp" file first for "lastb" and faillog needs "faillog"). Neither of those record anything about ssh logins.
touch /var/log/btmp touch /var/log/faillog
Faillog is a more complete management tool also.
The sshd (secure shell daemon) logs using syslog, but early versions didn't record unsuccessful logins for up to four attempts - effectively hiding password guessing attempts. Normally you'd find these in /var/log/messages and could extract them easily:
# grep "Failed password" messages Jun 19 14:17:52 mail sshd[17194]: Failed password for tony from 64.226.42.29 port 2920 Jun 19 14:18:38 mail sshd[17199]: Failed password for tony from 64.226.42.29 port 2933 Jun 19 14:19:10 mail sshd[17249]: Failed password for tony from 64.226.42.29 port 2941 Jun 19 14:19:11 mail sshd[17249]: Failed password for tony from 64.226.42.29 port 2941
Unix systems usually have the ability to lock out users or
terminals after so many failed login attempts. In fact, accidental
lockouts come up quite often on SCO systems: Command line unlock ttys and users- user login unlock. Linux systems can do the same
thing with the PAM pam_tally module: https://www.baverstock.org.uk/tim/pam/index.html
Got something to add? Send me email.
More Articles by Tony Lawrence © 2009-11-07 Tony Lawrence
The people I distrust most are those who want to improve our lives but have only one course of action in mind. (Frank Herbert)
Printer Friendly Version
Login auditing Copyright © June 2004 Tony Lawrence
Have you tried Searching this site?
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.
Contact us
Printer Friendly Version