• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 463
  • Last Modified:

Linux Logging - User Login Attempts

Hello,
  Over the last several days, I have had a hacker breach security on a linux box and use it as a mail relay.  I found out how he did it, the news account was left open for all to see.  What I was wanting to know is this:

Does linux log all login attempts? Where?

When it logs these attempts, does it log the IP address that the attempt was coming from?  Where?

If not.. how can I make it do these things.


Thanks!

0
kittlej
Asked:
kittlej
  • 4
  • 3
  • 2
  • +2
1 Solution
 
jyu_88Commented:
use the command 'last' to check users login history (telnet, ftp, ssh, etc.) since last reboot. It is parsing /var/log/wtmp.
jyu      ftp          bac.bogus.com Thu Mar  2 18:30 - 18:31  (00:00)    
jyu      ftp          bac.bogus.com Thu Mar  2 18:30 - 18:30  (00:00)    
jyu      ftp          bac.bogus.com Thu Mar  2 18:28 - 18:29  (00:01)    
jyu      ftp          bogus.bogus.co Thu Mar  2 18:07 - 18:07  (00:00)    
jyu      pts/1        bogus.remote.com. Thu Mar  2 17:45 - 17:48  (00:02)    
jyu      pts/0        server1.bogus.com Thu Mar  2 16:53 - 18:38  (01:44)    
..................morehere.............
0
 
kittlejAuthor Commented:
What about failed attempts?
0
 
kittlejAuthor Commented:
What about failed attempts?
0
Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

 
jlevieCommented:
Syslog logs all login access, successful and failed attempts in the /var/log/message* files. Failed sessions show the username tried and the reason for failure. Since the syslog data goes back further in time, it's a better way of lookin at access, but it won't give you the remote IP.
0
 
kittlejAuthor Commented:
But is there a way that I can set it up so that every login attempt - successful or failed - is logged to a file with the ip address of the user?
0
 
jlevieCommented:
I don't think so with native facilities, but I'll see what I can find for you.
0
 
bernardhCommented:
i'm not sure if linux has some kind of utility like iptrace/ipreport of aix but  there is a linux utility from
www.bandmin.org called bandmin that i believe does ip tracing. check it out.
0
 
bernardhCommented:
by the way, have you tried the lastlog command? it shows what username was used, the port number as well as the hostname of the culprit, try it.
0
 
stefanxCommented:
For telnet attempts, just grep telnet from you /var/log/syslog file...
0
 
jlevieCommented:
Hmm, everyone has been focused on the exact guestion (including myself) and has ingnored the more basic issue.

While it would be nice to have a log of of all login attempts that included the IP, there can be other ways for an attacker to penetrate a Unix system. You might want to take a look at http://www.sans.org/newlook/projects/bastille_linux.htm and at the Security HowTo.
0
 
kittlejAuthor Commented:
Thanks to all who helped in this question, I'm awarding the points to jlevie because he had the most useful information, but I wish to accredit all of you who participated, as you have each helped in your own way.  Thanks!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

  • 4
  • 3
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now