The UNIX and Linux Forums  

#1  11-28-2005  mr_manny
invalid login attempts...

I am wondering if Solaris captures IDs associated w/invalid login attempts?

When I try to log in as "test1" several (3-5) times, I do not find any userID info under "/var/adm" files:
utmpx
wtmpx
messages
lastlog

Is there another location/log I should be checking?
Is it necessary for "test1" to exist in /etc/passwd before this information is captured?

thanks,
manny
#2  11-28-2005  BOFH
Set the auth.info facility.level in /etc/syslog.conf and point it to a log (/var/log/authlog for example). Ensure the log file exists. Restart syslog and attempt the log in.

Code:
Nov 28 20:20:43 goblin sshd[519]: [ID 800047 auth.info] input_userauth_request: illegal user carlschelin
Nov 28 20:20:43 goblin sshd[519]: [ID 800047 auth.info] Failed none for NOUSER from 192.168.1.9 port 51025 ssh2
Nov 28 20:20:43 goblin sshd[519]: [ID 800047 auth.info] Failed publickey for NOUSER from 192.168.1.9 port 51025 ssh2
Nov 28 20:20:44 goblin sshd[519]: [ID 800047 auth.info] Failed password for NOUSER from 192.168.1.9 port 51025 ssh2
Nov 28 20:20:45 goblin last message repeated 2 times
Nov 28 20:20:45 goblin sshd[519]: [ID 800047 auth.info] Connection closed by 192.168.1.9
Carl
#3  11-29-2005  mr_manny
I have updated my syslog.conf with the following auth.x entries (and cycled syslogd) :
auth.notice;auth.crit;auth.info /var/log/authlog

I see that login failure information is being captured, but the ID (or even a Generic ID) is NOT...

Nov 29 08:03:31 testBOX.com login: [ID 143248 auth.notice] Login failure on /dev/pts/2 from mybox.com
Nov 29 08:03:38 testBOX.com last message repeated 1 time
Nov 29 08:03:42 testBOX.com login: [ID 760094 auth.crit] REPEATED LOGIN FAILURES ON /dev/pts/2 FROM mybox.com
Nov 29 08:06:48 testBOX.com login: [ID 143248 auth.notice] Login failure on /dev/pts/2 from mybox.com
Nov 29 08:06:55 testBOX.com last message repeated 1 time
Nov 29 08:06:59 testBOX.com login: [ID 760094 auth.crit] REPEATED LOGIN FAILURES ON /dev/pts/2 FROM mybox.com
Nov 29 08:19:21 testBOX.com login: [ID 143248 auth.notice] Login failure on /dev/pts/2 from mybox.com
Nov 29 08:19:26 testBOX.com last message repeated 1 time
Nov 29 08:19:30 testBOX.com login: [ID 760094 auth.crit] REPEATED LOGIN FAILURES ON /dev/pts/2 FROM mybox.com


Also, does anyone know where I can get a list of valid facilities?
wondering what other options are out there...
thanks
#4  11-30-2005  BOFH
man syslogd.conf will show the list of valid facilities and levels.

Don't know why login doesn't report the name. It's clear that sshd does though.

Carl
#5  11-30-2005  mr_manny
It looks like the ID is captured from invalid ssh attempts, but NOT regular telnet attempts:

messages from telnet attempts as "test1" in authlog:
Nov 30 12:02:31 SERVER.x.com login: [ID 143248 auth.notice] Login failure on /dev/pts/3 from myBOX.com
Nov 30 12:02:38 SERVER.x.com last message repeated 1 time
Nov 30 12:02:42 SERVER.x.com login: [ID 760094 auth.crit] REPEATED LOGIN FAILURES ON /dev/pts/3 FROM myBOX.com

messages from ssh attempts as "test1" in authlog:
Nov 30 12:03:11 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Illegal user test1 from myBOX.com
Nov 30 12:03:11 SERVER.x.com sshd[1473]: [ID 800047 auth.info] input_userauth_request: illegal user test1
Nov 30 12:03:11 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Failed none for <invalid username> from myBOX.com port 35543 ssh2
Nov 30 12:03:11 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Failed gssapi-with-mic for <invalid username> from myBOX.com port 35543 ssh2
Nov 30 12:03:11 SERVER.x.com last message repeated 1 time
Nov 30 12:03:11 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Failed publickey for <invalid username> from myBOX.com port 35543 ssh2
Nov 30 12:03:13 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user
Nov 30 12:03:13 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from myBOX.com port 35543 ssh2
Nov 30 12:03:20 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user
Nov 30 12:03:20 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from myBOX.com port 35543 ssh2
Nov 30 12:03:20 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user
Nov 30 12:03:20 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from myBOX.com port 35543 ssh2
Nov 30 12:03:20 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Connection closed by myBOX.com


Carl, thanks again for the info...
manny
#6  12-01-2005  mr_manny
Invalid ssh connections are captured in /var/log/authlog (see above - from /etc/syslog.conf).
and
Invalid telnet connections are captured in /var/adm/loginlog?
# cat loginlog
test1:/dev/pts/2:Thu Dec 1 09:02:27 2005
test1:/dev/pts/2:Thu Dec 1 09:02:32 2005
test1:/dev/pts/2:Thu Dec 1 09:02:40 2005

Does anyone ever update their syslog.conf to consolidate this info into a single file?
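
The consolidation asked about above, as an added example that is not part of any poster's message: it merges sshd failures from /var/log/authlog with /var/adm/loginlog entries into one count per user, recovering the attempted name that sshd logs only on the "illegal user" line (matched by sshd PID) and expanding "last message repeated" lines. The sample input is constructed in the formats quoted in the thread, and the function names are hypothetical.

```python
import re
from collections import Counter
# Constructed sample input in the two formats quoted in the thread.
AUTHLOG = """\
Nov 30 12:03:11 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Illegal user test1 from myBOX.com
Nov 30 12:03:11 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Failed publickey for <invalid username> from myBOX.com port 35543 ssh2
Nov 30 12:03:13 SERVER.x.com sshd[1473]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from myBOX.com port 35543 ssh2
Nov 30 12:03:20 SERVER.x.com last message repeated 2 times
Nov 30 12:04:31 SERVER.x.com login: [ID 143248 auth.notice] Login failure on /dev/pts/3 from myBOX.com
"""
LOGINLOG = "test1:/dev/pts/2:Thu Dec 1 09:02:27 2005\ntest1:/dev/pts/2:Thu Dec 1 09:02:32 2005\n"

SSHD = re.compile(r"sshd\[(\d+)\]: \[ID \d+ auth\.\w+\] (.*)$")
ILLEGAL = re.compile(r"[Ii]llegal user (\S+)")
FAILED = re.compile(r"Failed (\S+) for (.+?) from (\S+) port \d+")
REPEAT = re.compile(r"last message repeated (\d+) times?$")
PLACEHOLDERS = {"NOUSER", "<invalid username>"}  # what sshd prints instead of the name

def parse_authlog(text):
    """Yield (user, origin, service) for each failed sshd attempt."""
    pid_user, last = {}, None
    for line in text.splitlines():
        rep = REPEAT.search(line)
        if rep:  # syslogd collapsed duplicates: replay the previous record
            yield from ([last] * int(rep.group(1)) if last else [])
            continue
        last, m = None, SSHD.search(line)
        if not m:
            continue  # login(1) lines name no user; loginlog covers those
        pid, msg = m.groups()
        ill, fail = ILLEGAL.search(msg), FAILED.search(msg)
        if ill:  # remember the attempted name for this sshd process
            pid_user[pid] = ill.group(1)
        elif fail:
            method, user, origin = fail.groups()
            if user in PLACEHOLDERS:
                user = pid_user.get(pid, "unknown")
            last = (user, origin, "sshd/" + method)
            yield last

def parse_loginlog(text):
    """Yield (user, tty, 'login') from user:tty:date lines."""
    for line in text.splitlines():
        if line.count(":") >= 2:
            user, tty, _when = line.split(":", 2)
            yield (user, tty, "login")

def summarize(authlog, loginlog):
    return Counter([*parse_authlog(authlog), *parse_loginlog(loginlog)])
```

Calling `summarize(AUTHLOG, LOGINLOG)` returns a `Counter` keyed by `(user, origin, service)`, where origin is the remote host for sshd records and the tty for loginlog records.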