Login auditing

© June 2004 Tony Lawrence

Sat Jun 19 18:51:20 2004 Login auditing

Posted by Tony Lawrence

Logging failed logins discusses some aspects of monitoring and logging login failures.

That's SCO related, but modern Windows systems can also track bad logins and incorrect password attempts.

Linux has a nice faillog command and lastb also (note that you need to create the "btmp" file first for "lastb" and faillog needs "faillog"). Neither of those record anything about ssh logins.

touch /var/log/btmp
touch /var/log/faillog
 

Faillog is a more complete management tool also.

The sshd (secure shell daemon) logs using syslog, but early versions didn't record unsuccessful logins for up to four attempts - effectively hiding password guessing attempts. Normally you'd find these in /var/log/messages and could extract them easily:

# grep "Failed password" messages
Jun 19 14:17:52 mail sshd[17194]: Failed password for tony from 64.226.42.29 port 2920
Jun 19 14:18:38 mail sshd[17199]: Failed password for tony from 64.226.42.29 port 2933
Jun 19 14:19:10 mail sshd[17249]: Failed password for tony from 64.226.42.29 port 2941
Jun 19 14:19:11 mail sshd[17249]: Failed password for tony from 64.226.42.29 port 2941



 

Unix systems usually have the ability to lock out users or terminals after so many failed login attempts. In fact, accidental lockouts come up quite often on SCO systems: Command line unlock ttys and users- user login unlock. Linux systems can do the same thing with the PAM pam_tally module: https://www.baverstock.org.uk/tim/pam/index.html

Got something to add? Send me email.

---

Have you tried Searching this site?

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us