# Login auditing
APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed




Some material is very old and may be incorrect today

© June 2004 Tony Lawrence

Sat Jun 19 18:51:20 2004 Login auditing

Posted by Tony Lawrence

The article "Logging failed logins" discusses some aspects of monitoring and logging login failures.

That's SCO related, but modern Windows systems can also track bad logins and incorrect password attempts.

Linux has a nice faillog command, and lastb as well. Note that you need to create the "btmp" file first for lastb, and faillog needs the "faillog" file. Neither of those records anything about ssh logins.

```
touch /var/log/btmp
touch /var/log/faillog
```

Faillog is a more complete management tool also.

The sshd (secure shell daemon) logs using syslog, but early versions didn't record unsuccessful logins for up to four attempts - effectively hiding password guessing attempts. Normally you'd find these in /var/log/messages and could extract them easily:


```
# grep "Failed password" messages
Jun 19 14:17:52 mail sshd[17194]: Failed password for tony from 64.226.42.29 port 2920
Jun 19 14:18:38 mail sshd[17199]: Failed password for tony from 64.226.42.29 port 2933
Jun 19 14:19:10 mail sshd[17249]: Failed password for tony from 64.226.42.29 port 2941
Jun 19 14:19:11 mail sshd[17249]: Failed password for tony from 64.226.42.29 port 2941
```
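A per-source tally of the "Failed password" lines that the grep above extracts, as an added example that is not part of the original article. The function names and the sample log lines (using documentation addresses) are constructed for illustration; the "invalid user" form is what sshd writes when the account does not exist.

```shell
#!/bin/sh
# Added example: summarize sshd "Failed password" syslog lines.

# Constructed sample input (not taken from a real system).
sample_log() {
cat <<'EOF'
Jun 19 14:17:52 mail sshd[17194]: Failed password for tony from 192.0.2.10 port 2920
Jun 19 14:18:38 mail sshd[17199]: Failed password for tony from 192.0.2.10 port 2933
Jun 19 14:19:10 mail sshd[17249]: Failed password for invalid user admin from 192.0.2.10 port 2941 ssh2
Jun 19 14:20:01 mail sshd[17301]: Accepted password for tony from 198.51.100.7 port 4021 ssh2
Jun 19 14:21:44 mail sshd[17350]: Failed password for root from 198.51.100.7 port 4100 ssh2
EOF
}

# Reads syslog text on stdin and prints "count source user",
# highest count first. Unknown accounts are marked "(invalid)".
failed_ssh_summary() {
    awk '
    / sshd\[[0-9]+\]: Failed password for / {
        # The user name is supplied by the remote side, so trust only
        # the LAST "from" token on the line as the address marker.
        for (i = NF; i > 1; i--) if ($i == "from") break
        if (i <= 1 || i == NF) next
        src  = $(i + 1)
        user = $(i - 1)
        tag  = ($(i - 3) == "invalid" && $(i - 2) == "user") ? "(invalid)" : ""
        count[src " " user tag]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Prints "total source" for every source whose failures, summed over
# all user names, reach the threshold given as $1.
noisy_sources() {
    failed_ssh_summary | awk -v min="$1" '
        { total[$2] += $1 }
        END { for (s in total) if (total[s] >= min) print total[s], s }
    ' | sort -k1,1nr -k2,2
}

sample_log | failed_ssh_summary
```

On a live system, feed it the real log instead of the sample, for example `noisy_sources 5 < /var/log/messages`.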

Unix systems usually have the ability to lock out users or terminals after so many failed login attempts. In fact, accidental lockouts come up quite often on SCO systems; see "Command line unlock ttys and users - user login unlock". Linux systems can do the same thing with the PAM pam_tally module: http://www.baverstock.org.uk/tim/pam/index.html
