APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Login auditing

© June 2004 Tony Lawrence

Sat Jun 19 18:51:20 2004 Login auditing

Posted by Tony Lawrence

Logging failed logins discusses some aspects of monitoring and logging login failures.

That's SCO related, but modern Windows systems can also track bad logins and incorrect password attempts.

Linux has a nice faillog command and lastb also (note that you need to create the "btmp" file first for "lastb" and faillog needs "faillog"). Neither of those record anything about ssh logins.

touch /var/log/btmp
touch /var/log/faillog

Faillog is a more complete management tool also.

The sshd (secure shell daemon) logs using syslog, but early versions didn't record unsuccessful logins for up to four attempts - effectively hiding password guessing attempts. Normally you'd find these in /var/log/messages and could extract them easily:

# grep "Failed password" messages Jun 19 14:17:52 mail sshd[17194]: Failed password for tony from port 2920 Jun 19 14:18:38 mail sshd[17199]: Failed password for tony from port 2933 Jun 19 14:19:10 mail sshd[17249]: Failed password for tony from port 2941 Jun 19 14:19:11 mail sshd[17249]: Failed password for tony from port 2941

Unix systems usually have the ability to lock out users or terminals after so many failed login attempts. In fact, accidental lockouts come up quite often on SCO systems: Command line unlock ttys and users- user login unlock. Linux systems can do the same thing with the PAM pam_tally module: https://www.baverstock.org.uk/tim/pam/index.html

Got something to add? Send me email.

(OLDER)    <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> Login auditing

Inexpensive and informative Apple related e-books:

Take Control of Preview

Take Control of High Sierra

Sierra: A Take Control Crash Course

Take Control of Parallels Desktop 12

Take Control of OS X Server

More Articles by © Tony Lawrence

Printer Friendly Version

Have you tried Searching this site?

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us

Printer Friendly Version

The people I distrust most are those who want to improve our lives but have only one course of action in mind. (Frank Herbert)

Linux posts

Troubleshooting posts

This post tagged:



Unix/Linux Consultants

Skills Tests

Unix/Linux Book Reviews

My Unix/Linux Troubleshooting Book

This site runs on Linode