
    Monday, May 19, 2014

    How to track all the successful and failed login attempts by users in Linux

    There are several commands that can be used for this purpose. Below I briefly explain each of them with examples.

    Method 1

    All authentication attempts made to your system are logged in /var/log/secure (on Red Hat based systems). You can open the file with any pager, or search it with grep for the user and the result of each attempt, as below for user deepak.
    # grep deepak /var/log/secure
    May 18 14:56:17 lab1 unix_chkpwd[17490]: password check failed for user (deepak)
    May 18 14:56:17 lab1 sshd[17489]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server1.example.com  user=deepak
    May 18 14:56:18 lab1 sshd[17481]: Accepted keyboard-interactive/pam for deepak from 192.168.0.25 port 60735 ssh2
    May 18 14:56:18 lab1 sshd[17481]: pam_unix(sshd:session): session opened for user deepak by (uid=0)
    May 18 16:50:04 lab1 unix_chkpwd[19626]: password check failed for user (deepak)
    May 18 16:50:04 lab1 sudo: pam_unix(sudo:auth): authentication failure; logname=deepak uid=0 euid=0 tty=/dev/pts/12 ruser= rhost=  user=deepak
    May 18 16:50:04 lab1 sudo: deepak : TTY=pts/12 ; PWD=/home/deepak ; USER=root ; COMMAND=/bin/su -
    May 18 16:50:04 lab1 su: pam_unix(su-l:session): session opened for user root by deepak(uid=0)
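Reading /var/log/secure by hand works for one user, but a small parser makes the same file answer the questions an admin actually has: how many failures and successes per user, service and source host, and which users succeeded right after failing. The following is an added example, not code from the original post; it uses the eight sample lines quoted above as constructed input, and the regular expressions, function names and the "local" label for sessions with an empty rhost= are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample input: the /var/log/secure lines quoted above for user deepak.
SAMPLE_SECURE = """\
May 18 14:56:17 lab1 unix_chkpwd[17490]: password check failed for user (deepak)
May 18 14:56:17 lab1 sshd[17489]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server1.example.com  user=deepak
May 18 14:56:18 lab1 sshd[17481]: Accepted keyboard-interactive/pam for deepak from 192.168.0.25 port 60735 ssh2
May 18 14:56:18 lab1 sshd[17481]: pam_unix(sshd:session): session opened for user deepak by (uid=0)
May 18 16:50:04 lab1 unix_chkpwd[19626]: password check failed for user (deepak)
May 18 16:50:04 lab1 sudo: pam_unix(sudo:auth): authentication failure; logname=deepak uid=0 euid=0 tty=/dev/pts/12 ruser= rhost=  user=deepak
May 18 16:50:04 lab1 sudo: deepak : TTY=pts/12 ; PWD=/home/deepak ; USER=root ; COMMAND=/bin/su -
May 18 16:50:04 lab1 su: pam_unix(su-l:session): session opened for user root by deepak(uid=0)
"""

# Each pattern names the outcome it represents. The sshd "Accepted" line already counts the
# ssh login, so the pam "session opened" pattern deliberately excludes the sshd service
# to avoid counting one login twice.
PATTERNS = [
    ("failure", re.compile(
        r"pam_unix\((?P<service>[^:)]+):auth\): authentication failure;"
        r".*?rhost=(?P<host>\S*)\s+user=(?P<user>\S+)")),
    ("success", re.compile(
        r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<host>\S+) port \d+")),
    ("success", re.compile(
        r"pam_unix\((?P<service>(?!sshd)[^:)]+):session\): session opened for user (?P<user>\S+) by")),
]


def parse_secure(text):
    """Turn raw /var/log/secure lines into a chronological list of auth events."""
    events = []
    for line in text.splitlines():
        for outcome, rx in PATTERNS:
            m = rx.search(line)
            if m:
                d = m.groupdict()
                events.append({
                    "time": line[:15],                     # syslog stamp, e.g. "May 18 14:56:17" (no year)
                    "outcome": outcome,
                    "service": d.get("service", "sshd"),   # the Accepted line carries no pam service tag
                    "user": d["user"],
                    "host": d.get("host") or "local",      # empty rhost= means a local (tty) session
                })
                break
    return events


def tally(events):
    """Count events per (outcome, service, user, host): the numbers an admin wants at a glance."""
    return Counter((e["outcome"], e["service"], e["user"], e["host"]) for e in events)


def failures_followed_by_success(events):
    """Users whose failed attempt was later followed by a success. Worth a second look:
    it is either a mistyped password or a password that was eventually guessed."""
    pending = set()
    flagged = []
    for e in events:                     # file order is chronological
        if e["outcome"] == "failure":
            pending.add(e["user"])
        elif e["user"] in pending:
            flagged.append((e["user"], e["time"], e["host"]))
            pending.discard(e["user"])
    return flagged


if __name__ == "__main__":
    evs = parse_secure(SAMPLE_SECURE)
    for key, n in sorted(tally(evs).items()):
        print(f"{n:3d}  {key}")
    for user, when, host in failures_followed_by_success(evs):
        print(f"review: {user} succeeded from {host} at {when} after an earlier failure")
```

To run it against the real file, replace SAMPLE_SECURE with the contents of /var/log/secure (readable by root only). The unix_chkpwd and sudo COMMAND= lines are intentionally ignored: the pam_unix line for the same event already carries the user, service and remote host.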

    Method 2

    To collect an authentication report for all the attempts made to your system recently:
    # aureport -au -i
    Authentication Report
    ============================================
    # date time acct host term exe success event
    ============================================
    1. 05/16/14 10:12:54 rahul ? /dev/pts/116  /usr/bin/sudo  yes 6946469
    2. 05/16/14 12:09:19 abdul ? /dev/pts/117  /usr/bin/sudo  yes 6947443
    3. 05/16/14 12:16:11 abdul ? /dev/pts/102  /usr/bin/sudo  yes 6947512
    4. 05/16/14 13:00:10 rahul ? /dev/pts/116  /usr/bin/sudo  yes 6947866
    5. 05/16/14 13:22:15 rahul 10.10.10.26 ssh /usr/sbin/sshd yes 6948054
    6. 05/16/14 13:22:36 rahul ? /dev/pts/140  /usr/bin/sudo  yes 6948062

    Collect success reports
    # aureport -au -i --success

    Authentication Report
    ============================================
    # date time acct host term exe success event
    ============================================
    1. 05/16/14 10:12:54 rahul ? /dev/pts/116 /usr/bin/sudo yes 6946469
    2. 05/16/14 12:09:19 abdul ? /dev/pts/117 /usr/bin/sudo yes 6947443
    3. 05/16/14 12:16:11 abdul ? /dev/pts/102 /usr/bin/sudo yes 6947512
    4. 05/16/14 13:00:10 rahul ? /dev/pts/116 /usr/bin/sudo yes 6947866

    Collect failed reports
    # aureport -au -i --failed

    Authentication Report
    ============================================
    # date time acct host term exe success event
    ============================================
    1. 05/16/14 15:42:11 deepak ? /dev/pts/124  /usr/bin/sudo  no 6949322
    2. 05/17/14 12:02:53 amar 10.10.10.26 ssh  /usr/sbin/sshd no 6959885
    3. 05/18/14 01:21:06 abhay ? /dev/pts/12   /usr/bin/sudo  no 6967954
    4. 05/18/14 01:21:06 abhay ? /dev/pts/12   /usr/bin/sudo  no 6967955
    5. 05/18/14 01:21:06 abhay ? /dev/pts/12   /usr/bin/sudo  no 6967956

    Login Failures
    # aureport -l --failed

    Login Report
    ============================================
    # date time auid host term exe success event
    ============================================
    1. 05/16/14 21:50:22 priya  10.191.29.164  sshd /usr/sbin/sshd no 6952386
    2. 05/17/14 12:02:09 amar   10.10.10.26    sshd /usr/sbin/sshd no 6959875
    3. 05/17/14 12:02:48 amar   10.10.10.26    sshd /usr/sbin/sshd no 6959884
    4. 05/17/14 12:02:53 amar   10.10.10.26    sshd /usr/sbin/sshd no 6959886
    5. 05/17/14 19:46:32 suzane 172.18.249.112 sshd /usr/sbin/sshd no 6964909
    6. 05/17/14 19:46:43 suzane 172.18.249.112 sshd /usr/sbin/sshd no 6964987


    Successful Logins
    # aureport -l --success

    Login Report
    ============================================
    # date time auid host term exe success event
    ============================================
    1. 05/16/14 13:22:15 42771 10.10.10.26         /dev/pts/140 /usr/sbin/sshd yes 6948060
    2. 05/16/14 21:37:10 34566 server1.example.com /dev/pts/124 /usr/sbin/sshd yes 6952264
    3. 05/16/14 21:50:28 48467 server1.example.com /dev/pts/141 /usr/sbin/sshd yes 6952397
    4. 05/16/14 23:33:18 42572 server1.example.com /dev/pts/148 /usr/sbin/sshd yes 6953354
    5. 05/17/14 07:05:56 42572 server1.example.com /dev/pts/149 /usr/sbin/sshd yes 6957230
    6. 05/17/14 07:12:39 42572 server1.example.com /dev/pts/149 /usr/sbin/sshd yes 6957294

    Login summary report
    # aureport -l --success --summary -i

    Success Login Summary Report
    ============================
    total  auid
    ============================
    4  ankit
    4  anurag
    3  amit
    2  suzane
    1  prateek
    1  deepak
    1  priya
    1  rashmi

    Limitation with audit report
    aureport reads /var/log/audit/audit.log to generate all of these reports. In most cases logrotate is configured for the log files, so the audit log is rotated at regular intervals and the report only covers the period since the current log file was started.
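The `aureport -l --failed` table is convenient to read, but the question behind it is usually "is someone hammering an account from one host?". The following added example (not code from the original post) parses the Login Report rows quoted above, constructed here as sample input, counts failures per source host and flags any (account, host) pair with three or more failures inside a sixty-second sliding window; the threshold, window size and function names are this example's own choices.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the `aureport -l --failed` output quoted above.
SAMPLE_LOGIN_REPORT = """\
Login Report
============================================
# date time auid host term exe success event
============================================
1. 05/16/14 21:50:22 priya  10.191.29.164  sshd /usr/sbin/sshd no 6952386
2. 05/17/14 12:02:09 amar   10.10.10.26    sshd /usr/sbin/sshd no 6959875
3. 05/17/14 12:02:48 amar   10.10.10.26    sshd /usr/sbin/sshd no 6959884
4. 05/17/14 12:02:53 amar   10.10.10.26    sshd /usr/sbin/sshd no 6959886
5. 05/17/14 19:46:32 suzane 172.18.249.112 sshd /usr/sbin/sshd no 6964909
6. 05/17/14 19:46:43 suzane 172.18.249.112 sshd /usr/sbin/sshd no 6964987
"""


def parse_login_report(text):
    """Parse the data rows of an `aureport -l` table; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # A data row is "N. date time auid host term exe success event": 9 whitespace-separated fields
        if len(parts) != 9 or not parts[0].endswith(".") or not parts[0][:-1].isdigit():
            continue
        _, date, clock, auid, host, term, exe, success, event = parts
        rows.append({
            "when": datetime.strptime(f"{date} {clock}", "%m/%d/%y %H:%M:%S"),
            "auid": auid, "host": host, "term": term, "exe": exe,
            "success": success == "yes",
            "event": int(event),          # audit event serial, usable with `ausearch -a <event>`
        })
    return rows


def failures_by_host(rows):
    """Failed logins per source host."""
    return Counter(r["host"] for r in rows if not r["success"])


def failure_bursts(rows, threshold=3, window=timedelta(seconds=60)):
    """Find (auid, host) pairs with at least `threshold` failed logins inside `window`,
    using a sliding window over the sorted timestamps of each pair."""
    times_by_pair = defaultdict(list)
    for r in rows:
        if not r["success"]:
            times_by_pair[(r["auid"], r["host"])].append(r["when"])
    bursts = []
    for (auid, host), times in times_by_pair.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append((auid, host, end - start + 1, times[start], times[end]))
                break           # one finding per pair is enough for a report
    return bursts


if __name__ == "__main__":
    rows = parse_login_report(SAMPLE_LOGIN_REPORT)
    print("failed logins per source host:", dict(failures_by_host(rows)))
    for auid, host, n, first, last in failure_bursts(rows):
        print(f"burst: {n} failures for {auid} from {host} between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

On the sample data this reports three failures for amar from 10.10.10.26 within 44 seconds, while the two suzane failures stay below the threshold. Because aureport reads the whole table from a file, the logrotate limitation above can be worked around per report: aureport can read a rotated file instead of the live log (`aureport -if /var/log/audit/audit.log.1 -l --failed`), and the parser handles the output the same way.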

    Method 3

    To collect all the records of bad login attempts by a user:
    # lastb deepak
    deepak ssh:notty    10.10.10.26 Fri Apr  4 04:38 - 04:38  (00:00)
    deepak ssh:notty    10.10.10.23 Sun Mar 16 21:20 - 21:20  (00:00)
    deepak ssh:notty    10.10.10.23 Sun Mar 16 21:20 - 21:20  (00:00)
    deepak ssh:notty    10.10.10.23 Sun Mar 16 21:19 - 21:19  (00:00)
    deepak ssh:notty    10.10.10.23 Sun Mar 16 21:19 - 21:19  (00:00)
    deepak ssh:notty    10.10.10.23 Tue Jan 21 00:48 - 00:48  (00:00)
    deepak ssh:notty    10.10.10.24 Sun Jan 19 22:56 - 22:56  (00:00)
    deepak ssh:notty    10.10.10.24 Sun Jan 19 22:41 - 22:41  (00:00)
    deepak ssh:notty    10.10.10.24 Sun Jan 19 22:41 - 22:41  (00:00)
    deepak ssh:notty    10.10.10.26 Sun Jan 19 22:37 - 22:37  (00:00)
    deepak ssh:notty    10.10.10.24 Sun Jan 19 22:21 - 22:21  (00:00)

    btmp begins Fri Feb 19 10:22:42 2010

    The output covers the records stored in /var/log/btmp since the date shown on the last line ("btmp begins ...").

    NOTE: Running lastb without any argument lists the bad login attempts of every user, which can be a long list.
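lastb is just a reader for /var/log/btmp, which is a binary file of fixed-size utmp records. The following added example (not code from the original post) decodes those records directly, which is useful when lastb is unavailable or when the file has to be processed offline, and counts bad attempts per user and source host the way `lastb <user>` lists them. The record layout is an assumption: it is glibc's struct utmp on x86_64 Linux (384 bytes per record); the helper that builds sample records, the constructed timestamps and the function names are this example's own.

```python
import struct
import time
from collections import Counter

# Layout of glibc's struct utmp on x86_64 Linux, 384 bytes per record, the format lastb reads
# from /var/log/btmp. Assumed for this example; confirm sizeof(struct utmp) on your platform.
# Fields: ut_type, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit{term,exit},
# ut_session, ut_tv{sec,usec}, ut_addr_v6[4], reserved[20]
UTMP_RECORD = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
assert UTMP_RECORD.size == 384
EMPTY, LOGIN_PROCESS = 0, 6     # ut_type values; failed logins are normally written as LOGIN_PROCESS


def _cstring(raw):
    """Decode a NUL-padded fixed-size field."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def make_btmp_record(user, host, tv_sec, line="ssh:notty", pid=0):
    """Constructed helper: build one btmp record so the example runs without a real /var/log/btmp."""
    return UTMP_RECORD.pack(LOGIN_PROCESS, pid, line.encode(), b"", user.encode(), host.encode(),
                            0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


def iter_btmp(data):
    """Yield one dict per non-empty record in raw btmp bytes (one per line of `lastb` output)."""
    for off in range(0, len(data) - UTMP_RECORD.size + 1, UTMP_RECORD.size):
        f = UTMP_RECORD.unpack_from(data, off)
        if f[0] == EMPTY:
            continue
        yield {
            "type": f[0], "pid": f[1], "line": _cstring(f[2]),
            "user": _cstring(f[4]), "host": _cstring(f[5]), "time": f[9],
        }


def bad_logins(data, user=None):
    """Count failed attempts per (user, host), optionally for one user, like `lastb <user>`."""
    return Counter((r["user"], r["host"]) for r in iter_btmp(data)
                   if user is None or r["user"] == user)


def load_btmp(path="/var/log/btmp"):
    """Read the real file (root only: btmp is mode 0600)."""
    with open(path, "rb") as fh:
        return fh.read()


# Constructed sample: a few failed ssh attempts patterned on the lastb output above (times in UTC),
# plus one all-zero slot such as a truncated or freshly rotated file can contain.
SAMPLE_BTMP = b"".join([
    make_btmp_record("deepak", "10.10.10.26", 1396586280),   # Fri Apr  4 04:38 2014
    make_btmp_record("deepak", "10.10.10.23", 1395004800),   # Sun Mar 16 21:20 2014
    make_btmp_record("deepak", "10.10.10.23", 1395004740),   # Sun Mar 16 21:19 2014
    make_btmp_record("root",   "10.10.10.24", 1390172160),   # Sun Jan 19 22:56 2014
    bytes(UTMP_RECORD.size),
])

if __name__ == "__main__":
    for (user, host), n in bad_logins(SAMPLE_BTMP).most_common():
        print(f"{n:3d} failed logins for {user} from {host}")
    for r in iter_btmp(SAMPLE_BTMP):
        print(r["user"], r["line"], r["host"],
              time.strftime("%a %b %d %H:%M", time.gmtime(r["time"])))
```

Swap SAMPLE_BTMP for load_btmp() to read the live file; rotated copies such as /var/log/btmp.1 can be passed to the same functions, which is how records older than the "btmp begins" date are recovered.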
