failedlogin 1

Status
Not open for further replies.

wab62

MIS
Mar 28, 2002
18
US
Hello all,

I am using an AIX 4.3.3 installation. In the /etc/security directory is a file named failedlogin. We're interested in retrieving information about failed login attempts, but this failed login file is not ASCII, and I have found no means by way of program or script for retrieving this information in a legible format.

Does anyone know how to do it?
 
Try this:

who -a /etc/security/failedlogin >> /tmp/failedlogin.txt
 
While the failedlogin file doesn't appear to provide detailed information, this is otherwise a useful tidbit - it's been added to my cheats in my pilot.
 
Thanks.

Yes, it could be more useful. If someone puts in a user name that doesn't exist, it comes up as UNKNOWN, for example. Also, it would be nice to always see either a server name or an IP address of where the user is coming from.

Sometimes you may be able to decipher some of this additional info if you do
strings /etc/security/failedlogin | more

but it takes some interpretation.



 
Hi
Besides using the procedure directed by "BI",

one can also find the timestamp of lastlogin/failedlogin or unsuccessful log
by using
#more /etc/security/lastlog

This is just an addendum to "bi's" direction.

sushveer
IBM certified specialist-p-series AIX5L System Administration
AIX/SOLARIS/WEBSPHERE-MQ/TIVOLI Administrator
 
Hi

For checking the failed logins...
In a single step, we can use the better command syntax (for simplicity) like this
to get ASCII and readable format... This too works...

#who /etc/security/failedlogin|more

That's it!

sushveer
IBM certified specialist-p-series AIX5L System Administration
AIX/SOLARIS/WEBSPHERE-MQ/TIVOLI Administrator
 
That's much clearer and more useful. I wonder why IBM's doc said to use who -a?
 
thanks to all for useful and timely responses.

 
Hello everyone,

Question: I am using AIX 4.3 and I need a listing of all the user accounts that successfully logged in in the past 30 days. Does anyone know the command?

Please help.

thanks in advance
Aaron
 
Code:
lsuser -a time_last_login ALL
will get the last login time for you in seconds since epoch, but converting the value to something useful isn't so easy on a stock 4.3.x machine. Do you happen to have perl installed?


Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

 
No, I don't have Perl installed. Is this the best view?

root time_last_login=1103920550

and some user accounts don't have anything next to them, does it mean never logged in? Is there a way I can see accounts that have logged in the past month or have not?
 
Here's a routine to display the current time from epoch, from the comp.unix.shell FAQ. I don't know if AIX 4.3.x had a new enough awk for it. Please run it a few times and post the output.

Code:
awk 'BEGIN {srand();printf(%d\n,srand())}'

Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

 
awk 'BEGIN {srand();printf(%d\n,srand())}'
Syntax Error The source line is 1.
The error context is
BEGIN >>> {srand();printf(% <<< d\n,srand())}
awk: 0602-502 The statement cannot be correctly parsed. The source line is 1.
 
oops...make that printf("%d\n",

Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+
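The 30-day question above can be answered without perl by combining the `lsuser -a time_last_login ALL` output with the awk `srand()` clock trick. The following is an added example, not part of the original thread; the function names, the sample accounts other than the `root` line quoted above, and the fixed "now" value are constructed, and it assumes an awk whose `srand()` returns the previous seed.

```shell
#!/bin/sh
# Added example: classify accounts by age of time_last_login.
# Usage on a live system: lsuser -a time_last_login ALL | classify_logins 30

# Current time in epoch seconds. The first srand() seeds with the time of day;
# the second returns that previous seed (assumes POSIX awk behaviour).
now_epoch() {
    awk 'BEGIN { srand(); printf("%d\n", srand()) }'
}

# classify_logins DAYS [NOW]
# Reads lines such as "root time_last_login=1103920550" on stdin and prints
# "user<TAB>status": recent (within DAYS), stale (older), or norecord
# (no time_last_login attribute was printed for that account).
classify_logins() {
    days=$1
    now=${2:-$(now_epoch)}
    awk -v days="$days" -v now="$now" '
    NF == 0 { next }
    {
        last = ""
        for (i = 2; i <= NF; i++)
            if ($i ~ /^time_last_login=[0-9]+$/) {
                split($i, kv, "=")
                last = kv[2]
            }
        if (last == "")                        status = "norecord"
        else if (now - last <= days * 86400)   status = "recent"
        else                                   status = "stale"
        printf("%s\t%s\n", $1, status)
    }'
}

# Constructed sample input: the root line is the one quoted in the thread,
# alice and guest are made up for illustration.
sample_lsuser() {
cat <<'EOF'
root time_last_login=1103920550
alice time_last_login=1100000000
guest
EOF
}

# Demo with a fixed, constructed "now" (1104537600) so the result is repeatable.
sample_lsuser | classify_logins 30 1104537600
```
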

 
from bi:
=
Yes, it could be more useful. If someone puts in a user name that doesn't exist, it comes up as UNKNOWN, for example. Also, it would be nice to always see either a server name or an IP address of where the user is coming from.
=

That it states "UNKNOWN" if a user name doesn't exist is a security feature. It protects those in a hurry who mistakenly type their password first when logging on.

I agree, it would be helpful to list the IP address/resolved name for those UNKNOWN attempts.

FYI "who" lists the file from oldest to newest; running "last -f /etc/security/failedlogin" will list from newest to oldest. The same fields are available, in a different order, and the date/time attempts to include a duration of connection - this seems to work well for those that have success after a failure.

Regards.
Glenn
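For review of the decoded file, the `who /etc/security/failedlogin` output discussed above can be tallied per user name and source so that repeated failures, including the UNKNOWN entries, stand out. This is an added example, not part of the original thread; the sample lines are constructed, and the column layout (name, line, date, time, optional host in parentheses) is an assumption about the `who` output format.

```shell
#!/bin/sh
# Added example: summarize failed logins by (user, source).
# Usage on a live system: who /etc/security/failedlogin | summarize_failed 3

# summarize_failed MIN
# Reads who-style lines on stdin and prints "count user source" for every
# (user, source) pair with at least MIN failures, highest count first.
# A source of "-" means the entry carried no "(host)" field.
summarize_failed() {
    awk -v min="$1" '
    NF >= 2 {
        src = "-"
        if ($NF ~ /^\(.*\)$/)
            src = substr($NF, 2, length($NF) - 2)   # strip the parentheses
        n[$1 SUBSEP src]++
    }
    END {
        for (k in n)
            if (n[k] >= min) {
                split(k, p, SUBSEP)
                printf("%d %s %s\n", n[k], p[1], p[2])
            }
    }' | sort -k1,1nr -k2,2 -k3,3
}

# Constructed sample input (documentation-range address, made-up names).
sample_failed() {
cat <<'EOF'
UNKNOWN  pts/3  Mar 28 09:14  (192.0.2.10)
UNKNOWN  pts/3  Mar 28 09:14  (192.0.2.10)
root     pts/4  Mar 28 09:15  (192.0.2.10)
UNKNOWN  pts/5  Mar 28 09:20  (192.0.2.10)
jdoe     tty0   Mar 28 10:02
root     pts/4  Mar 28 11:30  (host1.example.com)
EOF
}

# Demo: show pairs with two or more failures in the sample.
sample_failed | summarize_failed 2
```
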
 
perl -e 'print scalar localtime(give epoch second here) , "\n";'

but it needs perl to be installed.

rgds,
viv
 
hello all-

Just a general AIX novice question... What does the term epoch do?

thx to all
gman
 
From the Jargon File:

Jargon_File said:
1. <operating system> (Probably from astronomical timekeeping)
A term used originally in Unix documentation for the time
and date corresponding to zero in an operating system's
clock and timestamp values.

Under most Unix versions the epoch is 1970-01-01 00:00:00 GMT;
under VMS, it's 1858-11-17 00:00:00 (the base date of the US
Naval Observatory's ephemerides); on a Macintosh, it's
1904-01-01 00:00:00.

Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

 