mafendee

how to track the user telnet.

Dear Solutions,

I am working with Solaris, which sometimes uses a general WS that any user can log into.
The question is:

I am working on Machine A (my own machine) and log in to Machine B, which anyone can use in order to log in to Machine C.
*How to find out who logged in to Machine C*

In Machine C:
> ps -ef | grep 3012
sun  3014  3012  0 14:41:01 pts/0    0:00 -sh
    root  3012   158  0 14:41:01 ?        0:00 in.rlogind

(As I understand from the output above, it tells me that a user has done an rlogin into machine C.) So I do 'who'

> who
root       console      Dec  6 14:50
sun   pts/0        Dec  6 14:50    (172.30.0.127)

Then I do 'finger'

# finger @172.30.0.127

[172.30.0.127]
Login       Name               TTY         Idle    When    Where
sun    Sun User            pts/0         6d Sat 15:15  sun288
midfrcl  Frank Class          pts/1       4:03 Tue 15:22  sun297          
sun    Sun User            pts/6         1d Tue 09:35  sun295
sun    Sun User            pts/9          1 Thu 12:07  sun295
sun    Sun User            pts/8       1:32 Thu 16:49  sun295

Here I know that this user logged in from machine B (172.30.0.127), but I don't know which one, because some of them are originally from another machine, e.g. machine A, and they are using the same username.

1) Is it possible to figure this user out from machine C without accessing Machine B?
2) If I need to log in to machine B, how do I solve this? How do I map e.g. the process on machine B to the process on machine C?

I have checked the PID/PPID on both B and C; they don't seem to be related.

regards.
chris_calabrese

You can't do this with telnet or rlogin.  If you use SSH (www.openssh.com), you can have it log more complete information about who's logging in.
mrn060900

Do as Mike suggests - use the last command.

This reads the wtmp file (possibly in /var/adm) and tracks every logon, and usually returns the exact IP address where the session started from.

Also, you can use it on certain usernames and get it to return x number of results:

last -10 root

This would return you the last 10 times that root successfully logged on, and where from.

Regards,

Neil
mafendee (ASKER)

What I did was
> last | grep still

# last | grep still
sun  pts/1        172.30.0.127     Fri Feb  1 13:51   still logged in
sun  pts/0        172.30.0.127     Fri Feb  1 10:23   still logged in

but the output only shows the last machine (172.30.0.127) that I telnetted from into this machine, and not the original machine (sun88).
maf:

The only thing I can suggest would be to either use box C to remotely perform the operation on box B, if the correct hosts files are set up:

rsh boxb who | grep "name"

OR

rsh boxb last "name"

Alternatively, use some ftp command or rcp to copy the wtmp file across from box B to box C, then use:

last -f remote_wtmp_file

Just some thoughts :-)

Neil
Don't forget that any use of rsh/rlogin/ftp/telnet will compromise the security of your network and make any information on who logged in from where suspicious...
chris - that depends on how it is set up, and what level of security is applied.  All things are trackable anyway if you know where to look, right :-)

N E way, I can't think of a better solution for mafendee at the moment - my brain hurts, it's Monday aarrgghh!

Neil
I strongly disagree.  Unless you're using cross-over cables between systems or you've got security people admin-ing your routers and switches, all bets are off once you pass passwords in clear text.
maf:

chris does have a point, however this is true in ALL areas of networking any way, and wouldn't just suddenly be a problem upon implementing what I have suggested - for example, almost any workstation on the network has the capability of tracking network packets across servers using software (Lan Sleuth as just one example).

Your question asks, using Solaris, how can I track the user telnet across machines.  As far as I can see, the ways that I have suggested would allow you to do this, as long as access to rsh/rlogin/telnet etc. is both carefully set up and monitored.  In reality this 'should' be done as a matter of course.

Regards,

Neil

maf:

A further thought:

If you use, as I suggest in one of my postings, the ftp or rcp method, there isn't the need to transfer passwords around in any form - simply grab the wtmp file off the remote machine and use the 'last' command on the file locally.

Neil
maf:

Have you had any further thoughts on our suggestions?  Is there anything else we can help with?

Neil :)
What I did was (like Neil said): from machine C I did rsh to machine B and looked for the terminal which is still open.
# rsh -l mafendee 172.30.0.137 last | grep still
sun     pts/6        sun342 Thu Feb 14 08:47   still logged in
core  pts/2        sun349 Wed Feb 13 14:27   still logged in
sun     pts/4        sun348 Tue Feb 12 09:22   still logged in
sun     pts/3        sun342 Fri Feb  8 14:28   still logged in
sun     pts/1        sun342 Fri Feb  8 13:38   still logged in
root      console                       Fri Feb  8 11:03   still logged in

#  rsh -l spett 172.16.0.137 w
core pts/2        Wed 2pm 18:12                rlogin -l core SunC
sun    pts/5        Wed 2pm 18:15                rlogin -l core SunC
sun    pts/6         8:47am                      rlogin SunC -l core

Here I can see who is still logged on and who is doing what by comparing the "pts/x". The problems here are that:
1. I need a USERNAME to do "rsh" to machine B; otherwise there is no way to perform "last" on that machine or even to transfer the wtmp file.
2. If there is another machine beyond Machine A, then again I have to transfer a wtmp file or so.
If I am right, there is no way to track the origin of the user without accessing (at least needing a username on) the machine where the user is hopping from.
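The two-step correlation described in this last post (find the pts/x on the hop host whose command line is an rlogin to machine C, then look that tty up in `last` to get the host the user came from), as an added example that is not from the thread. The `w` and `last` output for machine B is constructed and modelled on the lines above; the hostname SunC and the function name hop_origin are assumptions.

```shell
#!/bin/sh
# Constructed sample output of "w" on machine B, the hop host (not real data).
W_ON_B='core   pts/2        Wed 2pm 18:12                rlogin -l core SunC
sun    pts/5        Wed 2pm 18:15                rlogin -l core SunC
sun    pts/6         8:47am                      rlogin SunC -l core
sun    pts/4         9:22am                      -sh
sun    pts/9        10:02am                      rlogin SunC'

# Constructed sample output of "last | grep still" on machine B; pts/9 has
# no wtmp entry here, which the lookup must tolerate.
LAST_ON_B='sun     pts/6        sun342 Thu Feb 14 08:47   still logged in
core    pts/2        sun349 Wed Feb 13 14:27   still logged in
sun     pts/4        sun348 Tue Feb 12 09:22   still logged in
sun     pts/5        sun342 Fri Feb  8 14:28   still logged in
root    console                       Fri Feb  8 11:03   still logged in'

# hop_origin TARGET W_OUTPUT LAST_OUTPUT
# For every session on machine B whose command line names TARGET (machine C),
# print "tty user origin": the pts/x found in "w" is looked up in "last" to
# recover the host the user came from before hopping on to C.
hop_origin() {
  target=$1; w_out=$2; last_out=$3
  printf '%s\n' "$w_out" | awk -v t="$target" '
    # $1 is the user, $2 the tty; the command line is the tail of the row
    { for (i = 3; i <= NF; i++) if ($i == t) { print $2, $1; break } }' |
  while read -r tty user; do
    # in "last" output the third column of a pts/x line is the origin host
    origin=$(printf '%s\n' "$last_out" | awk -v tty="$tty" '$2 == tty { print $3; exit }')
    printf '%s %s %s\n' "$tty" "$user" "${origin:-unknown}"
  done
}

hop_origin SunC "$W_ON_B" "$LAST_ON_B"
```

A session whose tty has no wtmp entry is reported with origin "unknown" rather than dropped, so a missing record on the hop host is visible instead of silently hiding a hop.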