SUMMARY: log login failures

From: Bill Nolf - Logicon (nolfb@jcdbs.2000.disa.mil)
Date: Fri Oct 01 1993 - 03:07:08 CDT


Original Question:

> How do I go about logging Login failures? I need to be able to log
> login failures to a separate file. You should be able to do it thru
> syslog.conf but I can't seem to get the right combination. Any
> help would be appreciated.

Summary:

In /etc/syslog.conf

auth.notice ifdef(`LOGHOST', /var/log/authlog, @loghost)

Then I used the following script to mail a copy of the authlog to root. (from
djiracek@jupiter.fnbc.com (Dan Jiracek))

#! /bin/sh
# This script is kicked off by cron at ________

# It will mail /usr/adm/badlogins and /usr/adm/messages
# to SystemAdmins.

# Then it will archive the files and clear out the
# existing file.

badlogin_file='/usr/adm/badlogins'
message_file='/usr/adm/messages'
echo "*******************/usr/adm/badlogins*********************" | cat - $badlogin_file \
| /usr/ucb/Mail -s "badlogins - `date`" SystemAdmins

echo "*******************/usr/adm/messages*********************" | cat - $message_file \
| grep -v caveman | /usr/ucb/Mail -s "messages - `date`" SystemAdmins

cp ${badlogin_file}.4 ${badlogin_file}.5
cp ${badlogin_file}.3 ${badlogin_file}.4
cp ${badlogin_file}.2 ${badlogin_file}.3
cp ${badlogin_file}.1 ${badlogin_file}.2
cp ${badlogin_file} ${badlogin_file}.1

cp ${message_file}.4 ${message_file}.5
cp ${message_file}.3 ${message_file}.4
cp ${message_file}.2 ${message_file}.3

cp ${message_file}.1 ${message_file}.2
cp ${message_file} ${message_file}.1

/bin/cleanup /usr/adm/badlogins
/bin/cleanup /usr/adm/messages

# Send a HUP signal to syslogd so it reopens its log files.
kill -HUP `cat /etc/syslog.pid`
---------------------------------------------------------------------
BTW here is /bin/cleanup:
#! /bin/sh
# this script will clean up a log file by clearing it out
cat /dev/null > "$1"
---------------------------------------------------------
Other Suggestions:

You can also use Swatch to monitor login attempts. (Not Done)

There was an article (6-8 months ago) in Unix Review or Unix World
on syslog, unfortunately, I haven't been able to locate the article.

Use ARM from Sun.

Thanks:

rls02@philip (Ronald Stamp)
djiracek@jupiter.fnbc.com (Dan Jiracek)
brian@arthur.melpar.esys.com (Brian Decker)
oliver@ast.saic.com (Thomas W Oliver)
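
Added example, not part of the original post or of Dan Jiracek's script: the same copy-then-truncate rotation as one shell function that skips missing generations, refuses to truncate when the copy fails, and keeps the archived login records owner-only. The function name rotate_log and its keep-count argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: generation-based rotation for a syslog-written file
# such as the authlog above. rotate_log is a hypothetical name.

# rotate_log FILE [KEEP]
# Shift FILE.1 .. FILE.(KEEP-1) up by one generation, copy FILE to
# FILE.1, then truncate FILE in place so the descriptor syslogd holds
# open stays valid. Lines written between the copy and the truncate
# are lost, so run it at a quiet time.
rotate_log() {
    log=$1
    keep=${2:-5}

    if [ ! -f "$log" ]; then
        echo "rotate_log: $log: not a regular file" >&2
        return 1
    fi

    # Walk from the oldest generation down so nothing is overwritten
    # before it has been moved. Missing generations are skipped
    # instead of producing cp errors.
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        if [ -f "$log.$prev" ]; then
            mv -f "$log.$prev" "$log.$i" || return 1
        fi
        i=$prev
    done

    # Truncate only if the copy succeeded; otherwise the failed-login
    # records would be destroyed without an archive.
    if cp -p "$log" "$log.1"; then
        # Archives name accounts and source hosts: owner-only access.
        chmod go-rwx "$log.1"
        : > "$log"
        return 0
    fi
    echo "rotate_log: copy of $log failed, not truncating" >&2
    return 1
}
```

Call it as rotate_log /var/log/authlog 5 from the cron script, after the mail step.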


