Solved

loginlog and authlog do not capture failed login attempts using ssh and CDE login!

Posted on 2006-05-05
Last Modified: 2013-12-27
I had created /var/adm/loginlog and /var/log/authlog, with permissions set to 600 and the group set to sys. Logins using CDE or ssh are not captured by loginlog or authlog. However, failed attempts using telnet are recorded in both logs. I need to configure the system in such a way that ssh and CDE will record to loginlog after 3 bad login attempts, and record every failed attempt to authlog. I already configured
retries=3
SYSLOG_FAILED_LOGINS=0. Any ideas?
Question by:as618
3 Comments

Accepted Solution

by:PsiCop
PsiCop earned 672 total points
ID: 16617121
That's because SSH does not use the mechanism you're configuring.

SSH logs to either its own file, or to the FACILITY specified in the sshd_config file. I generally point mine to one of the LOCAL facilities. You can configure this at compile-time, or using directives in sshd_config.

Assisted Solution

by:Nopius
Nopius earned 664 total points
ID: 16619930
/var/adm/loginlog is used by the /bin/login program only. This file is checked and filled by /bin/login.

Any authentication program that uses the standard '/bin/login' program will log to /var/adm/loginlog.
- in.telnetd uses '/bin/login' for authentication.
- sshd doesn't, but it can if you compile OpenSSH instead of using the standard Solaris-shipped version and enable the option 'UseLogin yes' in sshd_config.
- CDE doesn't and cannot be tuned to use the 'login' program for authentication.

Almost any authentication program uses syslog to log failed attempts. See
man syslog.conf
for details. Something about syslog facilities has already been said by PsiCop.
You should tune your syslogd.conf to log all messages (up to debug level) to some file and then grep this file for login failures.


Assisted Solution

by:yuzh
yuzh earned 664 total points
ID: 16627292
Edit the /etc/default/login file:

      # Allow 3 login attempts
      RETRIES=3

      # Note: "RETRIES" is all uppercase.

When a user fails to type in his/her password, it logs to /var/adm/loginlog.
You need to make sure /var/adm/loginlog exists, e.g.:

      touch /var/adm/loginlog
0
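
The answers above suggest sending sshd's syslog messages to a file and grepping it for login failures. The following is an added example, not part of any post in this thread, that does this and applies the same threshold of 3 that RETRIES=3 gives /bin/login. It assumes OpenSSH-style "Failed ... for USER from HOST port N" messages, optionally with a Solaris "[ID ...]" tag; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes sshd logs OpenSSH-style lines such as
#   "Failed <method> for [invalid user] <user> from <host> port <n> ssh2"
# to a file chosen in syslog.conf (e.g. the LOCAL facility set in sshd_config).

# failed_ssh_summary [FILE|-] [THRESHOLD]   (hypothetical helper name)
# Prints "<count> <user> from <host>" for each pair with >= THRESHOLD failures
# (default 3, the same limit RETRIES=3 gives /bin/login for loginlog).
failed_ssh_summary() {
    awk -v min="${2:-3}" '
    /sshd\[[0-9]+\]: (\[ID [^]]*\] )?Failed / {
        f = 0; p = 0
        for (i = 1; i <= NF && !f; i++) if ($i == "for") f = i
        # Take the LAST "from <host> port": the user name is client-supplied
        # and may itself contain " from ", which would mislead a naive parse.
        for (i = NF - 2; i > f && !p; i--)
            if ($i == "from" && $(i + 2) == "port") p = i
        if (!f || !p) next
        s = f + 1
        # Skip the "invalid user" / "illegal user" prefix for unknown accounts.
        if (($s == "invalid" || $s == "illegal") && $(s + 1) == "user") s += 2
        user = ""
        for (i = s; i < p; i++) user = user (i > s ? " " : "") $i
        count[user " from " $(p + 1)]++
    }
    END { for (k in count) if (count[k] >= min) print count[k], k }
    ' "${1:--}" | sort -k1,1nr -k2
}

# Constructed sample lines (documentation addresses), not real log data.
sample_log() {
    cat <<'EOF'
May  5 10:01:02 sol9 sshd[411]: [ID 800047 auth.info] Failed keyboard-interactive for root from 192.0.2.10 port 40122 ssh2
May  5 10:01:09 sol9 sshd[411]: Failed password for root from 192.0.2.10 port 40122 ssh2
May  5 10:01:15 sol9 sshd[411]: Failed password for root from 192.0.2.10 port 40122 ssh2
May  5 10:02:40 sol9 sshd[419]: Failed password for invalid user admin from 198.51.100.7 port 51200 ssh2
May  5 10:02:44 sol9 sshd[419]: Failed password for invalid user admin from 198.51.100.7 port 51200 ssh2
May  5 10:03:00 sol9 sshd[425]: Failed password for invalid user x from 192.0.2.10 from 203.0.113.9 port 6000 ssh2
May  5 10:04:11 sol9 sshd[430]: Accepted password for as618 from 192.0.2.20 port 40200 ssh2
EOF
}

# Report sources with 3 or more failures in the sample.
sample_log | failed_ssh_summary - 3
```

Pass the path of the real sshd log file instead of `-` to run it against live data; the second argument changes the threshold.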