/etc/security/failedlogin - Failed Login Report 2

[AIXtexas]

I’m looking for a way to search the /etc/security/failedlogin file for the current days date and then get a list of the failed logins along with the number of times the login failed. The way I’m doing it just isn’t working:

#/bin/ksh

date > /tmp/date.out
CURRENT_DATE=`cut -c5,6,7,8,9,10,11 /tmp/date.out`

who /etc/security/failedlogin | grep "$CURRENT_DATE" | sort > /tmp/failedlogins.out

uniq –c /tmp/failedlogins.out

Thanks.

Shane

 

[Salem]

Can you paste some lines from "who /etc/security/failedlogin" ?

--

 

[SamBones]

What is the file "[tt]/etc/security/failedlogin[/tt]"? None of my systems have that file. I do have a "[tt]/var/adm/loginlog[/tt]" that records failed login attempts. That file looks like...

ctest:/dev/pts/2:Mon Aug 21 14:18:48 2006
ctest:/dev/pts/2:Mon Aug 21 14:18:56 2006
ctest:/dev/pts/2:Mon Aug 21 14:19:03 2006
ctest:/dev/pts/2:Mon Aug 21 14:19:11 2006
ctest:/dev/pts/2:Mon Aug 21 14:19:19 2006

So this code would report counts of how many login failures for today...

#!/bin/ksh

print "Failed login counts for $(date)"

grep "$(date '+%a %b %e')" /var/adm/loginlog | grep "$(date '+%Y')$" | cut -d: -f1 | sort | uniq -c

 

[p5wizard]

failedlogin is a binary file, you can convert it to a textfile equivalent to do your grepping/counting and stuff like so:

/usr/sbin/acct/fwtmp </etc/security/failedlogin >/tmp/fl.txt

You get a full date/time stamp instead of just date,month and time, so you could go sth. like this (untested)

/usr/sbin/acct/fwtmp </etc/security/failedlogin >/tmp/fl.txt 

DATE=$(date +'%h %d')
YEAR=$(date +'%Y')
grep "${DATE} .* ${YEAR}" /tmp/fl.txt|\
 awk '{print $1}'|\
 sort|\
 uniq -c

rm /tmp/fl.txt

HTH,

p5wizard

 

[AIXtexas]

I found a way to do it without echoing the date or IP address. Because, when I leave the IP address in, uniq does not work correctly.

#!/bin/ksh

date > /tmp/date.out

CURRENT_DATE=`cut -c5,6,7,8,9,10,11 /tmp/date.out`

who /etc/security/failedlogin | grep "$CURRENT_DATE" | sort | awk '{ print $1 }' | uniq -c | sort -rn

###End

It produces output like below (only the failed login count and the user):

3 tst
1 root
1 UNKNOWN_

Shane

 

[mrn]

you could just use

who -a /etc/security/failedlogin

the output is in date order (Doesn't show ssh failures)

Mike

"Whenever I dwell for any length of time on my own shortcomings, they gradually begin to seem mild, harmless, rather engaging little things, not at all like the staring defects in other people's characters."

 

[AIXtexas]

Thanks, Mike, but it dosent give a failed login count by user:

tech3:/home/root (3311)#who -a /etc/security/failedlogin
root + pts/0 Jan 09 09:13 .
root + pts/1 Jan 11 08:28 old
root + pts/0 Jan 13 14:26 .
root + pts/0 Jan 13 14:49 .
root + pts/0 Jan 19 13:29 .
root + pts/0 Jan 20 09:08 .
root - ssh Jan 20 13:25 ?
root + pts/0 Jan 23 10:17 .
root + pts/1 Jan 24 10:10 old
root + pts/1 Jan 24 10:13 old
root + pts/1 Jan 24 10:13 old
root - ssh Feb 02 10:53 ?
root - ssh Feb 06 09:09 ?
root + pts/0 Feb 16 12:20 .
root + pts/0 Feb 16 12:20 .
UNKNOWN_ + pts/0 Feb 16 12:20 .
root - ssh Feb 17 14:12 ?
root - ssh Apr 13 14:59 ?
root - ssh Apr 27 09:17 ?
root - FTP Jun 14 13:57 ?
root - ssh Jul 12 13:59 ?
root - ssh Jul 20 15:43 ?
root - ssh Jul 25 13:22 ?
root - ssh Jul 25 13:35 ?
root - FTP Jul 25 14:19 ?
root - FTP Jul 25 14:19 ?
root - FTP Jul 25 14:20 ?

Shane