Invalid login attempts

How can I see the number of invalid login attempts of a user?
Thanks,

The lastlog file in /etc/security contains that information. You should be able to view it if you have root access and you could also write a script to search it. Good Luck.

Thanks for the response, jyoung. I tried to log off and log in again with my personal user, not root, and entered an invalid password twice, but when looking at /etc/security/lastlog as root I found the times I logged in incorrectly are not counted:

personal-user:
time_last_login = 1231347962
tty_last_login = /dev/pts/2
unsuccessful_login_count = 0
time_last_unsuccessful_login = 1231347943
tty_last_unsuccessful_login = /dev/pts/2

How can I see those unsuccessful attempts?

What you want to do is run the following command to view the /etc/security/failedlogin file:

who /etc/security/failedlogin

It may run for a while if your log file is large. I'm not sure how to tell it to only process a specific number of lines. You can pipe it to tail to view the end if that is all you want to look at, but the process is still going to run, eating CPU cycles until it gets to the end of the file. Maybe someone knows how to run this more efficiently.

You can translate the entire /etc/security/failedlogin file with the following command:

/usr/sbin/acct/fwtmp < /etc/security/failedlogin > /tmp/newfile.txt

This is what I need, thanks mates. It shows the username, TTY, node and date when the user failed to log in to the system, but I thought it would be easier to know this without having to translate it into ASCII code. :) Or is there one?

indiana_tas, this is great in fact, but using tail brings some coded info to the terminal, so I prefer to use who as it is simpler. Piped, I could do this:

# who /etc/security/failedlogin | tail -1

Which shows just the very last line of the file.

Hi agasamapetilon,
I noticed the same thing. I tried two logins that failed and the value still shows zero although when I am successful it displays my last unsuccessful login which comes from the failedlogin file. Maybe someone with more knowledge on this could explain.

The number of unsuccessful logins you get from the lsuser command is used for disabling account access (the loginretries value). When you log in successfully, it is reset to 0.

The fwtmp command I posted earlier is really not that difficult and gives you some good information. Further, you can use that command regularly via cron (or a job scheduler like autosys) to archive failed logins and keep the file small for quick viewing.
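
Added example, not part of the original thread: a parser for the /etc/security/lastlog stanza format quoted above that lists accounts whose unsuccessful_login_count is non-zero, that is, failures accumulated since the last successful login, as the post above describes. The helper names pending_failures and sample_lastlog and the svc-backup stanza are assumptions made for illustration.

```shell
#!/bin/sh
# pending_failures and sample_lastlog are hypothetical helpers, not AIX commands.
# Usage: pending_failures [MIN] < lastlog-style stanza file
# Prints "user count last_failure_epoch last_failure_tty" for each stanza whose
# unsuccessful_login_count is >= MIN (default 1), in file order.
pending_failures() {
    awk -v min="${1:-1}" '
        function emit() {
            if (user != "" && count + 0 >= min + 0)
                printf "%s %d %s %s\n", user, count, when, tty
            user = ""; count = 0; when = "-"; tty = "-"
        }
        /^[ \t]*$/  { next }                   # blank line
        /^[ \t]*\*/ { next }                   # "*" comment line in AIX stanza files
        /^[^ \t=]+:[ \t]*$/ {                  # stanza header, e.g. "root:"
            emit(); user = $0; sub(/:[ \t]*$/, "", user); next
        }
        {
            eq = index($0, "=")                # attribute line: key = value
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "unsuccessful_login_count") count = val
            else if (key == "time_last_unsuccessful_login") when = val
            else if (key == "tty_last_unsuccessful_login") tty = val
        }
        END { emit() }
    '
}

# Constructed sample: the first stanza is the one quoted in the thread,
# the second (svc-backup) is made up for illustration.
sample_lastlog() {
    cat <<'EOF'
personal-user:
        time_last_login = 1231347962
        tty_last_login = /dev/pts/2
        unsuccessful_login_count = 0
        time_last_unsuccessful_login = 1231347943
        tty_last_unsuccessful_login = /dev/pts/2
svc-backup:
        unsuccessful_login_count = 3
        time_last_unsuccessful_login = 1231348100
        tty_last_unsuccessful_login = /dev/pts/5
EOF
}

sample_lastlog | pending_failures   # prints: svc-backup 3 1231348100 /dev/pts/5
```

On a real system, run it as root with `pending_failures < /etc/security/lastlog`; the full history of failed attempts remains in /etc/security/failedlogin.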

Padow, thanks for the response. This makes it a lot more clear for everyone here. Surely it helps a lot! :)