Thursday, November 15, 2007

Log Repeated Login Failures

You can log repeated login failures to the /var/adm/loginlog file. This file is not created by default, so you have to create it. Most systems allow 5 login retries before logging the event to this file. You can change the maximum number of retries in the /etc/default/login file.

# cd /var/adm
# touch loginlog; chmod 700 loginlog; chown root:sys loginlog
# ls -l loginlog
-rwx------ 1 root sys 0 Nov 16 02:33 loginlog

Attempt to log in:

login: user1
Password:
Login incorrect
login: user1
Password:
Login incorrect
login: user1
Password:
Login incorrect
login: user1
Password:
Login incorrect
login: user1
Password:
Login incorrect

Connection to host lost.
###################

Now view the contents of the /var/adm/loginlog file.
# cd /var/adm
# more loginlog
user1:/dev/pts/2:Fri Nov 16 02:37:01 2007
user1:/dev/pts/2:Fri Nov 16 02:37:09 2007
user1:/dev/pts/2:Fri Nov 16 02:37:16 2007
user1:/dev/pts/2:Fri Nov 16 02:37:23 2007
user1:/dev/pts/2:Fri Nov 16 02:37:31 2007
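
As an added example (not part of the original post), this shell function summarises loginlog records in the user:tty:timestamp format shown above and reports each user/terminal pair with at least a given number of logged failures. The function names, the threshold argument and the user2 sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise loginlog records (format: user:tty:timestamp).

# Constructed sample input: the user1 lines mirror the output shown in the
# post; the user2 line is invented for illustration.
sample_loginlog() {
    cat <<'EOF'
user1:/dev/pts/2:Fri Nov 16 02:37:01 2007
user1:/dev/pts/2:Fri Nov 16 02:37:09 2007
user1:/dev/pts/2:Fri Nov 16 02:37:16 2007
user1:/dev/pts/2:Fri Nov 16 02:37:23 2007
user1:/dev/pts/2:Fri Nov 16 02:37:31 2007
user2:/dev/pts/3:Fri Nov 16 02:40:12 2007
EOF
}

# Usage: loginlog_summary MIN [FILE...]   (reads stdin when no FILE is given)
# Prints one line per user/tty pair that has at least MIN logged failures.
loginlog_summary() {
    min=$1; shift
    awk -F: -v min="$min" '
        NF >= 3 {
            key = $1 " " $2
            # The timestamp contains colons, so take everything after the
            # second field instead of relying on $3.
            ts = substr($0, length($1) + length($2) + 3)
            if (!(key in count)) { first[key] = ts; order[++n] = key }
            count[key]++
            last[key] = ts
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (count[k] >= min)
                    printf "%s failures=%d first=\"%s\" last=\"%s\"\n",
                           k, count[k], first[k], last[k]
            }
        }
    ' "$@"
}

# Demo on the constructed sample: only user1 on /dev/pts/2 reaches 5 failures.
sample_loginlog | loginlog_summary 5
```

On the host itself, run it as root against the real file, for example loginlog_summary 5 /var/adm/loginlog. On Solaris, substitute nawk or /usr/xpg4/bin/awk for awk, since the legacy /usr/bin/awk does not support -v.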
