Solaris logs - Tracking failed attempts from my host


Login or Register for Dates, Times and to Reply

 
Thread Tools Search this Thread
Operating Systems Solaris Solaris logs - Tracking failed attempts from my host
# 1  
Solaris logs - Tracking failed attempts from my host

Hey all I'm having a big problem here. Someone is attempting an SSH to a destination host on which an account resides and locking the account. I'm trying to determine who is performing the SSH attempts from my host. For instance they're logged in as their standard account but then (I'm assuming) they're performing something like:
Code:
ssh locked_account@destination_host

where locked_account is the system account in question and after 9 tries with the wrong password it locks the account on the destination host. We know the failed attempts are coming from my host but not sure who is executing that command.

I checked /var/adm/sulog which doesn't show anyone performing su access to this system (functional - it's not bin or sys or anything like that) account. Is there a way to determine if someone executes the aforementioned SSH attempt? I was thinking their bash_history but some are using ksh and don't have history enabled. I'm using SunOS 5.10.

Last edited by jim mcnamara; 01-22-2012 at 10:40 AM.. Reason: moved to Solaris
# 2  
bump ?
# 3  
Try running this DTrace one-liner:
Code:
nohup dtrace -n 'syscall::connect:entry/execname=="ssh"/{printf ("uid: %d, command: %s,uid,curpsinfo->pr_psargs)}' > /var/adm/ssh_logins &

In the "/var/adm/ssh_logins" you will find all the executions of SSH done from your server with UIDs of the users running them. You should be able to easily grep the line that you need. After you have identified that user, you can kill dtrace process.

Last edited by bartus11; 01-22-2012 at 10:38 AM..
# 4  
Quote:
Originally Posted by bartus11
Try running this DTrace one-liner:
Code:
nohup dtrace -n 'syscall::connect:entry/execname=="ssh"/{printf ("uid: %d, command: %s,uid,curpsinfo->pr_psargs)}' > /var/adm/ssh_logins &

In the "/var/adm/ssh_logins" you will find all the executions of SSH done from your server with UIDs of the users running them. You should be able to easily grep the line that you need. After you have identified that user, you can kill dtrace process.
Thank you so much! This looks like what I need but unfortunately it requires root permissions which I do not have Smilie Anyway I have suexec permissions with grep...any way I can accomplish this with grep? I'm not familiar with dtrace but after googling it it appears to be rather complex...so I'm guessing I'd probably have to do much more than grepping to find this information?
# 5  
I found character missing in this code. Working version is:
Code:
nohup dtrace -n 'syscall::connect:entry/execname=="ssh"/{printf ("uid: %d, command: %s",uid,curpsinfo->pr_psargs)}' > /var/adm/ssh_logins &

I would ask for your system administrator to run this code. After he does that, in /var/adm/ssh_logins lines like that will appear when someone executes ssh command:
Code:
  0   4334                    connect:entry uid: 54321, command: ssh root@localhost
  0   4334                    connect:entry uid: 0, command: ssh locked_account@localhost

On the right side of the file you will find uid of the user that executed ssh command (red) and where he wanted to connect (blue). You can then grep account/host information from that file. I hope this explanation makes it clearer...
# 6  
I'll see what I can do. Thank you so much for replying - this really looks good. Unfortunately I don't have root access and I have to open a ticket in order to have the SA do that and I'm not even sure why I needed this in the first place so I'm not sure I can justify this request or if they'll even run it. I tried myself - here is the contents of nohup.out Smilie

dtrace: failed to initialize dtrace: DTrace requires additional privileges

I'll see if I can get in touch with an SA and see if I can get a glimpse of a sample. In any event I appreciate your help as I had never heard of the dtrace programme until now - and I see there's even a long google video on it.

One other thing...a similar command for Linux ? Also, is this dtrace feature realtime or can you search past logs?

Last edited by MaindotC; 01-23-2012 at 05:02 PM..
# 7  
Sorry for late reply, but I didn't notice your post edit. I don't know of any Linux equivalent for the DTrace. As for your second question: data will be recorded in real-time to the log file - /var/adm/ssh_logins (similar to the way syslog is writing messages to /var/adm/messages). So you will be able to browse past logs in a same way you can do it with any other log Smilie
Login or Register for Dates, Times and to Reply

Previous Thread | Next Thread
Thread Tools Search this Thread
Search this Thread:
Advanced Search

Test Your Knowledge in Computers #525
Difficulty: Medium
In ASCII, to convert between uppercase and lowercase versions, you only need to invert the second bit (0 for uppercase, 1 for lowercase).
True or False?

8 More Discussions You Might Find Interesting

1. Cybersecurity

Failed SSHD Login Attempts (15,000 per day) - Is that a lot compared to your server?

The purpose of this thread is for everyone to follow the same methodology so we can create a future table, for the benefit of all, that shows how many failed login attempts (hacking) per day per server (and per minute) are happening. This is not a thread on writing scripts or creating... (10 Replies)
Discussion started by: Neo
10 Replies

2. Solaris

Need to recover/move diskgroup from failed host to another host

Hi All I am having VxVm on two Solaris hosts. host1 is using disk group dgHR. right now this server went down due to hardware fault. Not I need to import this dgHR into host2 server. Please let me know the procedure for the same. (1 Reply)
Discussion started by: amity
1 Replies

3. Shell Programming and Scripting

Job tracking in logs

I have two log files from two different days and some jobs start on one day and finish on the next. I also have jobs that start and then don't finish until other jobs start and finish. I'm trying to create a csv file with job name, start time and end time in the order that the jobs started. ... (2 Replies)
Discussion started by: wawa
2 Replies

4. UNIX for Dummies Questions & Answers

TCP failed connection attempts from netstat -s

Dear experts, I am seeing a lot of TCP failed connection attempts from "netstat -s" on one of our servers. How can I pin point what connection failed and what are the ports involved? Any tools/commands I can dig in deeper to diag. what went wrong on these "failed connection attempts"? ... (2 Replies)
Discussion started by: cache51
2 Replies

5. Shell Programming and Scripting

Another question for tracking failed logins via script

Hello Experts, I have this initial shell script that tracks failed login attempts: #!/bin/bash #Fetch failed user logins to file failed-logins.txt grep -i failed /var/log/secure | awk '{ print $1, $2" ", $3" ", $9" ", $11 }' > failed-logins.txt #Splitting the failed-logins in... (10 Replies)
Discussion started by: linuxgeek
10 Replies

6. Shell Programming and Scripting

Create a script that executes when a user attempts to delete history logs

Hi, I have a linux redhat 9 server and I am concerned about the security on that server. I would like to be able to write a script that records all the commands that were typed at the command prompt before the user calls the 'history -c' command and deletes all the history. I was thinking about... (4 Replies)
Discussion started by: mishkamima
4 Replies

7. AIX

ftp check for failed attempts

Hi, I have created the below ftp script to put files over to our capacity server, the check at the end works if ftp fails to run however if the script cannot login or the transfer itself failed there is no warnings. Does anyone know the syntax to trap the erorr codes or to put a check within... (3 Replies)
Discussion started by: chlawren
3 Replies

8. AIX

Denying IPaddress for Multiple Failed Login Attempts

Hi. I would like to be able to deny IP address for too many failed login attemps (either from ssh, sftp, ftp, etc). The system I wish this to work on is an AIX 5.1 system. I'm new to AIX but I'm a linux user. There is a program for linux called fail2ban which reads from the log files and see if... (1 Reply)
Discussion started by: metzgerh
1 Replies

Featured Tech Videos