mafendee
asked on
how to track the user telnet.
Dear Solutions,
I am working with Solaris, sometimes using a general workstation which any user can log into.
The question is:
I am working on Machine A (my own machine) and log in to Machine B, which anyone can use, in order to log in to Machine C.
*How to find out who logged in to Machine C*
In Machine C:
> ps -ef | grep 3012
sun 3014 3012 0 14:41:01 pts/0 0:00 -sh
root 3012 158 0 14:41:01 ? 0:00 in.rlogind
(As I understand from the output above, it tells me that a user has rlogin'ed into machine C.) So I do 'who':
> who
root console Dec 6 14:50
sun pts/0 Dec 6 14:50 (172.30.0.127)
Then I do 'finger':
# finger @172.30.0.127
[172.30.0.127]
Login Name TTY Idle When Where
sun Sun User pts/0 6d Sat 15:15 sun288
midfrcl Frank Class pts/1 4:03 Tue 15:22 sun297
sun Sun User pts/6 1d Tue 09:35 sun295
sun Sun User pts/9 1 Thu 12:07 sun295
sun Sun User pts/8 1:32 Thu 16:49 sun295
Here I know that this user logged in from machine B (172.30.0.127), but I don't know which one, because some of them originally come from other machines (e.g. machine A) and they are using the same username.
1) Is it possible to figure this user out from machine C without accessing Machine B?
2) If I need to log in to machine B, how do I solve this? How do I map, e.g., the process on machine B to the process on machine C?
I have checked PID/PPID on both B and C; they don't seem related to me.
Regards.
You can't do this with telnet or rlogin. If you use SSH (www.openssh.com), you can have it log more complete information about who's logging in.
Do as Mike suggests - use the last command.
This reads the wtmp file (possibly in /var/adm), tracks every logon, and usually returns the exact IP address where the session started from.
Also, you can use it on certain usernames and get it to return x number of results:
last -10 root
This would return the last 10 times that root successfully logged on, and where from.
Regards,
Neil
ASKER
What I did was
# last | grep still
sun pts/1 172.30.0.127 Fri Feb 1 13:51 still logged in
sun pts/0 172.30.0.127 Fri Feb 1 10:23 still logged in
but the output only shows the last machine (172.30.0.127) that I telneted from into this machine, and not the original machine (sun88).
maf:
The only thing I can suggest would be to use box C to remotely perform the operation on box B, if the correct hosts files are set up (the command must be passed to rsh as its argument so that it runs on box B, not locally after the rsh session ends):
rsh boxb who | grep "name"
OR
rsh boxb last "name"
Alternatively, use some ftp command or rcp to copy the wtmp file across from box B to box C, then use:
last -f remote_wtmp_file
Just some thoughts :-)
Neil
Don't forget that any use of rsh/rlogin/ftp/telnet will compromise the security of your network and make any information on who logged in from where suspicious...
chris - that depends on how it is set up and what level of security is applied. All things are trackable anyway if you know where to look, right :-)
Anyway, I can't think of a better solution for mafendee at the moment - my brain hurts, it's Monday aarrgghh!
Neil
I strongly disagree. Unless you're using cross-over cables between systems or you've got security people admin-ing your routers and switches, all bets are off once you pass passwords in clear text.
maf:
chris does have a point; however, this is true in ALL areas of networking anyway, and wouldn't just suddenly become a problem upon implementing what I have suggested - for example, almost any workstation on the network has the capability of tracking network packets across servers using software (Lan Sleuth, as just one example).
Your question asks, using Solaris, how can I track the user telnet across machines. As far as I can see, the ways that I have suggested would allow you to do this, as long as access to rsh/rlogin/telnet etc. is both carefully set up and monitored. In reality this 'should' be done as a matter of course.
Regards,
Neil
maf:
A further thought:
If you use, as I suggested in one of my postings, the ftp or rcp method, there isn't the need to transfer passwords around in any form - simply grab the wtmp file off the remote machine and use the 'last' command on the file locally.
Neil
maf:
Have you had any further thoughts on our suggestions? Is there anything else we can help with?
Neil :)
ASKER
What I did was (like Neil said): from machine C I did rsh to machine B and looked for the terminals which are still open.
# rsh -l mafendee 172.30.0.137 last | grep still
sun pts/6 sun342 Thu Feb 14 08:47 still logged in
core pts/2 sun349 Wed Feb 13 14:27 still logged in
sun pts/4 sun348 Tue Feb 12 09:22 still logged in
sun pts/3 sun342 Fri Feb 8 14:28 still logged in
sun pts/1 sun342 Fri Feb 8 13:38 still logged in
root console Fri Feb 8 11:03 still logged in
# rsh -l spett 172.16.0.137 w
core pts/2 Wed 2pm 18:12 rlogin -l core SunC
sun pts/5 Wed 2pm 18:15 rlogin -l core SunC
sun pts/6 8:47am rlogin SunC -l core
Here I can see who is still logged on and who is doing what by comparing the "pts/x". The problems here are that:
1. I need a USERNAME to do "rsh" to machine B, otherwise there is no way to perform "last" on that machine or even to transfer the wtmp file.
2. If there is another machine beyond Machine A, then again I have to transfer a wtmp file or so.
If I am right, there is no way to track the origin of the user without accessing (at least needing a username on) the machine the user is hopping from.
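The manual procedure worked out in this thread (read the tty of each network login from `ps -ef`, the last-hop address from `who`, then on the hop host match the `w` "what" column against `last` to find where each hopping session itself came from) can be scripted over the text output of those commands. The following is an added example written for this page; it is not code posted by anyone in the thread. All sample outputs are constructed to match the shapes shown above, and the host names (sun288, sun342, sun349, SunC), ttys and PIDs are assumptions. It deliberately returns every candidate session on B rather than picking one, because, as the asker concluded, `who`/`last`/`w` alone cannot tell two same-user sessions from the same hop host apart.

```python
"""Correlate a login on machine C back through hop host B, using only
the text output of `ps -ef`, `who`, `last` and `w`.

Added example, not code from the thread. All sample outputs are
constructed; host names, ttys and PIDs are assumptions."""
import re

# Constructed: `ps -ef` on C. Login daemons (in.rlogind, in.telnetd) are
# children of inetd (PID 158); each network user shell is a daemon child.
PS_C = """\
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   158     1  0   Dec 01 ?        0:00 /usr/sbin/inetd -s
    root  3012   158  0 14:41:01 ?        0:00 in.rlogind
     sun  3014  3012  0 14:41:01 pts/0    0:00 -sh
    root  3100   158  0 14:55:12 ?        0:00 in.telnetd
     sun  3102  3100  0 14:55:12 pts/1    0:00 -sh
"""
# Constructed: `who` on C. The address in parentheses is B, the last hop.
WHO_C = """\
root       console      Feb 14 08:00
sun        pts/0        Feb 14 08:49    (172.30.0.127)
sun        pts/1        Feb 13 14:30    (172.30.0.127)
"""
# Constructed: `w` on B. The 'what' column shows who is hopping onward.
W_B = """\
 3:05pm  up 12 day(s),  4:21,  4 users,  load average: 0.10, 0.08, 0.07
User     tty           login@  idle   JCPU   PCPU  what
core     pts/2         Wed 2pm 18:12                rlogin -l core SunC
sun      pts/5         Wed 2pm 18:15                rlogin -l core SunC
sun      pts/6         8:47am                       rlogin SunC -l core
sun      pts/3         Fri 2pm  1:02                -sh
"""
# Constructed: `last` on B. The third column is where each session came from.
LAST_B = """\
sun       pts/6        sun342           Thu Feb 14 08:47   still logged in
core      pts/2        sun349           Wed Feb 13 14:27   still logged in
sun       pts/5        sun288           Wed Feb 13 14:20   still logged in
sun       pts/3        sun342           Fri Feb  8 14:28   still logged in
root      console                       Fri Feb  8 11:03   still logged in
"""

LOGIN_DAEMONS = {"in.rlogind", "in.telnetd", "sshd"}
TTY_RE = re.compile(r"(pts/\d+|term/\w+|console|tty[a-z0-9]+)$")
# UID PID PPID C STIME TTY TIME CMD; STIME may be "Dec 01" or "14:41:01".
PS_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+(.+?)\s+(\S+)\s+(\d+:\d+)\s+(.*)$")
HOP_CMD_RE = re.compile(r"\b(rlogin|telnet|rsh|ssh)\b(.*)$")
DAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}


def remote_login_shells(ps_text):
    """From `ps -ef`, return [(user, tty, daemon)] for every process whose
    parent is a network login daemon: these ttys arrived over the network."""
    rows = [m.groups() for m in map(PS_RE.match, ps_text.splitlines()) if m]
    daemons = {pid: cmd for (_u, pid, _pp, _st, _tty, _t, cmd) in rows
               if cmd.split()[0].rsplit("/", 1)[-1] in LOGIN_DAEMONS}
    return [(u, tty, daemons[pp]) for (u, _pid, pp, _st, tty, _t, _cmd) in rows
            if pp in daemons and tty != "?"]


def parse_who(who_text):
    """From `who`, return [(user, tty, remote)]; remote is the host shown in
    parentheses, or None for local (console) logins."""
    out = []
    for line in who_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and TTY_RE.match(parts[1]):
            m = re.search(r"\((\S+)\)\s*$", line)
            out.append((parts[0], parts[1], m.group(1) if m else None))
    return out


def still_logged_in(last_text):
    """From `last`, return {tty: origin} for open sessions. A console login
    has no origin column, so its third token is a weekday instead."""
    origins = {}
    for line in last_text.splitlines():
        parts = line.split()
        if "still logged in" in line and len(parts) >= 3:
            origins[parts[1]] = None if parts[2] in DAYS else parts[2]
    return origins


def hops_to(w_text, target):
    """From `w`, return {tty: user} for sessions whose foreground command is
    a remote login naming `target`, whatever the option order."""
    hops = {}
    for line in w_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not TTY_RE.match(parts[1]):
            continue
        m = HOP_CMD_RE.search(line)
        if not m:
            continue
        args = [a.split("@")[-1].lower() for a in m.group(2).split() if not a.startswith("-")]
        if target.lower() in args:
            hops[parts[1]] = parts[0]
    return hops


def trace(ps_c, who_c, w_b, last_b, hop_addr, target_name):
    """For each network login on C that arrived from hop_addr, list every
    session on B currently hopping to C as (tty_on_B, user, origin_of_B_session).
    More than one candidate means this data cannot single one out."""
    net_ttys = {tty for (_u, tty, _d) in remote_login_shells(ps_c)}
    origins = still_logged_in(last_b)
    cands = sorted((tty, user, origins.get(tty)) for tty, user in hops_to(w_b, target_name).items())
    return {tty: cands for (_u, tty, remote) in parse_who(who_c)
            if tty in net_ttys and remote == hop_addr}


if __name__ == "__main__":
    for tty, cands in trace(PS_C, WHO_C, W_B, LAST_B, "172.30.0.127", "SunC").items():
        print(tty, "on C could be any of:", cands)
```

Feed it the real outputs by replacing the constructed strings with `subprocess.check_output` calls (or with text pulled back over the same rsh the asker used), and chase a third hop by running `still_logged_in` and `hops_to` again against the host each candidate came from. The recursion stops as soon as a hop host refuses you a login or its wtmp: that is exactly the limit the asker reaches in the post above.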