Solved

Linux Logging - User Login Attempts

Posted on 2000-03-03
11
435 Views
Last Modified: 2013-12-16
Hello,
  Over the last several days, I have had a hacker breach security on a linux box and use it as a mail relay.  I found out how he did it, the news account was left open for all to see.  What I was wanting to know is this:

Does linux log all login attempts? Where?

When it logs these attempts, does it log the IP address that the attempt was coming from?  Where?

If not.. how can I make it do these things.


Thanks!

0
Comment
Question by:kittlej
  • 4
  • 3
  • 2
  • +2
11 Comments
 
LVL 3

Expert Comment

by:jyu_88
ID: 2580592
use the command 'last' to check users login history (telnet, ftp, ssh, etc.) since last reboot. It is parsing /var/log/wtmp.
jyu      ftp          bac.bogus.com Thu Mar  2 18:30 - 18:31  (00:00)    
jyu      ftp          bac.bogus.com Thu Mar  2 18:30 - 18:30  (00:00)    
jyu      ftp          bac.bogus.com Thu Mar  2 18:28 - 18:29  (00:01)    
jyu      ftp          bogus.bogus.co Thu Mar  2 18:07 - 18:07  (00:00)    
jyu      pts/1        bogus.remote.com. Thu Mar  2 17:45 - 17:48  (00:02)    
jyu      pts/0        server1.bogus.com Thu Mar  2 16:53 - 18:38  (01:44)    
..................morehere.............
0
 
LVL 1

Author Comment

by:kittlej
ID: 2580706
What about failed attempts?
0
 
LVL 1

Author Comment

by:kittlej
ID: 2580746
What about failed attempts?
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 40

Expert Comment

by:jlevie
ID: 2580875
Syslog logs all login access, successful and failed attempts in the /var/log/message* files. Failed sessions show the username tried and the reason for failure. Since the syslog data goes back further in time, it's a better way of lookin at access, but it won't give you the remote IP.
0
 
LVL 1

Author Comment

by:kittlej
ID: 2580890
But is there a way that I can set it up so that every login attempt - successful or failed - is logged to a file with the ip address of the user?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2581046
I don't think so with native facilities, but I'll see what I can find for you.
0
 
LVL 2

Expert Comment

by:bernardh
ID: 2581101
i'm not sure if linux has some kind of utility like iptrace/ipreport of aix but  there is a linux utility from
www.bandmin.org called bandmin that i believe does ip tracing. check it out.
0
 
LVL 2

Expert Comment

by:bernardh
ID: 2582147
by the way, have you tried the lastlog command? it shows what username was used, the port number as well as the hostname of the culprit, try it.
0
 
LVL 8

Expert Comment

by:stefanx
ID: 2582761
For telnet attempts, just grep telnet from you /var/log/syslog file...
0
 
LVL 40

Accepted Solution

by:
jlevie earned 50 total points
ID: 2583250
Hmm, everyone has been focused on the exact guestion (including myself) and has ingnored the more basic issue.

While it would be nice to have a log of of all login attempts that included the IP, there can be other ways for an attacker to penetrate a Unix system. You might want to take a look at http://www.sans.org/newlook/projects/bastille_linux.htm and at the Security HowTo.
0
 
LVL 1

Author Comment

by:kittlej
ID: 2587286
Thanks to all who helped in this question, I'm awarding the points to jlevie because he had the most useful information, but I wish to accredit all of you who participated, as you have each helped in your own way.  Thanks!
0

Featured Post

Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is the error message I got (CODE) Error caused by incompatible libmp3lame 3.98-2 with ffmpeg I've googled this error message and found out sometimes it attaches this note "can be treated with downgrade libmp3lame to version 3.97 or 3.98" …
Over the last ten+ years I have seen Linux configuration tools come and go. In the early days there was the tried-and-true, all-powerful linuxconf that many thought would remain the one and only Linux configuration tool until the end of times. Well,…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question