SUMMARY: LOGIN FAILURES

From: Joe R. Jah (jjah@sol.ccsf.cc.ca.us)
Date: Sat Oct 03 1998 - 20:22:15 CDT


Hi Folks,

Many thanks to:

Craig Mertens <craig@synapse-group.com>
Matthew Stier <Matthew.Stier@tddny.fujitsu.com>
Rik Schneider <rik@netasset.com>
Jeffrey B. Davis <jeff@nationwide.net>
Erwin Fritz <efritz@glja.com>
dennis_keller@smtp.ddc.dla.mil
Benjamin Cline <benji@hnt.com>
Michael Cook <mcook@uswest.com>
Brion Leary <brion@dia.state.ma.us>
Sabrina Downard <sabrina@wwa.com>
Simon-Bernard Drolet <Simon-Bernard.Drolet@M3iSystems.com>
Jamie Lawrence <jal@ThirdAge.com>

The majority suggested using 'loginlog' and that's what I chose to use.

'man failedlogin' was suggested, but it doesn't exist on my system,
Solaris 2.5. Creation of a file called /var/adm/failedlogin was
suggested; I tried it and didn't observe anything in it. Editing
/etc/syslog.conf was suggested; I tried it and HUPed syslogd, but
did not observe any difference. Installing tcp_wrappers and logdaemon was
suggested.

The following are some of the suggestions and my original message:

Date: Fri, 25 Sep 1998 17:32:04 -0700 (PDT)
From: Rik Schneider <rik@netasset.com>

You can add a line to your /etc/syslog.conf:

auth.notice /var/adm/secure

Notes
1. The white-space on the line MUST be tabs.
2. You can use info or debug in place of notice in the above line if you
    need more information from the auth facility.
3. You can change the name or location of the file to whatever suits your
    needs/taste. See syslog.conf(4) for more information.
4. Due to the sensitive nature of this file's contents I strongly urge you
    to create this file by hand and set permissions accordingly (600 is
    about right).

Date: Sat, 26 Sep 98 08:55:15 -0800
From: dennis_keller@smtp.ddc.dla.mil

     Joe,
        Yes, if you have ASET installed. Look in /usr you should see a
     directory /aset. If that is not installed look for SUNWast. ASET can
     be run interactively from time to time or can be set up in cron to run
     automatically at intervals you set. Everything is logged under
     /usr/aset (default). I redirect the reports to another filesystem.
     It's basically a C2 enhancement security program used to harden the
     OS.

Date: Mon, 28 Sep 1998 10:34:34 -0400 (EDT)
From: Benjamin Cline <benji@hnt.com>

Have a look at the man page for loginlog(4). It's not as good as what BSDI
offers, but it's a start. For something beyond that, you may want to look
at tcpwrappers, which would let you log the host originating the
connection.

Date: Mon, 28 Sep 1998 12:48:47 -0400
From: Simon-Bernard Drolet <Simon-Bernard.Drolet@M3iSystems.com>

Hi,

If you look at the man page of "login(1)", there is a paragraph detailing
exactly what you're looking for:

     If you make any mistake in the login procedure, the message:

               Login incorrect

     is printed and a new login prompt will appear. If you make
     five incorrect login attempts, all five may be logged in
     /var/adm/loginlog, if it exists. The TTY line will be
     dropped.

Original message:

> I run Solaris as well as BSDI on a few servers. When I get repeated login
> failures on BSDI the information about the origin of the connection and
> the user account attempted are logged in /var/log/secure file. Is there a
> similar file logged on Solaris?

Joe

     _/ _/_/_/ _/ ____________ __o
     _/ _/ _/ _/ ______________ _-\<,_
 _/ _/ _/_/_/ _/ _/ ......(_)/ (_)
  _/_/ oe _/ _/. _/_/ ah jjah@sol.ccsf.cc.ca.us
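
A lint for Notes 1 and 4 in Rik Schneider's reply, added here as an example and not part of the original thread: it flags syslog.conf rules whose selector and action are separated by anything other than tabs, and auth log files that are missing or not mode 600. The function name `lint_syslog_conf` and the choice to apply the permission check only to `auth` selectors are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): lint a syslog.conf-style file.
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
lint_syslog_conf() {
    conf=$1
    tab=$(printf '\t')
    findings=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;            # skip blank lines and comments
        esac
        selector=${line%%[ $tab]*}          # text before first space or tab
        rest=${line#"$selector"}            # separator run plus action
        sep=${rest%%[! $tab]*}              # leading whitespace run only
        action=${rest#"$sep"}
        # Note 1: the white-space between selector and action must be tabs.
        case $sep in
            *' '*)
                echo "$conf:$lineno: separator contains spaces, must be tabs"
                findings=$((findings + 1)) ;;
        esac
        # Note 4: the auth log is sensitive; create it by hand, mode 600.
        case $selector in
            *auth.*) ;;
            *) continue ;;
        esac
        case $action in
            /dev/*) continue ;;             # devices are not log files
            /*) ;;
            *) continue ;;                  # users, @hosts, m4 macros
        esac
        if [ ! -e "$action" ]; then
            echo "$conf:$lineno: $action does not exist, create it by hand"
            findings=$((findings + 1))
        else
            perms=$(ls -ld "$action" | cut -c1-10)
            if [ "$perms" != "-rw-------" ]; then
                echo "$conf:$lineno: $action is $perms, want -rw-------"
                findings=$((findings + 1))
            fi
        fi
    done < "$conf"
    [ "$findings" -eq 0 ]
}

if [ "$#" -gt 0 ]; then lint_syslog_conf "$1"; fi
```
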


