Housekeeping /etc/security/failedlogin

[columb]

Can anyone see any problems with

#!/bin/ksh
/usr/sbin/acct/fwtmp < /etc/security/failedlogin | tail -100 > /tmp/failedlogin.$$
/usr/sbin/acct/fwtmp -ic < /tmp/failedlogin.$$ > /etc/security/failedlogin
rm /tmp/failedlogin.$$

Our failedlogin files are taking up far too much of the root filesystem.

Ceci n'est pas une signature
Columb Healy

 

[mrn]

The first question I have is why do you have so many failed logins, Under attack? Stupid users? Passwords to difficult to remember?

Thought about using SSH?

Mike

"Whenever I dwell for any length of time on my own shortcomings, they gradually begin to seem mild, harmless, rather engaging little things, not at all like the staring defects in other people's characters."

 

[unclebrian]

I agree with Mike's question as to why. But if failedlogin is being managed you could try the following run weekly

cd /etc/security
mv failedlogin4 failedlogin5
mv failedlogin3 failedlogin4
mv failedlogin2 failedlogin3
mv failedlogin1 failedlogin2
mv failedlogin failedlogin1
>failedlogin

The same can be done with /var/adm/wtmp as it eats space if not controlled

 

[RodKnowlton]

columb,

What you proposed will work, but you should do it at as off-peak a time as possible. There's a race condition there that could cause any failed logins that occur between the two commands to be lost.

You should also, as Mike suggested, make sure you know why failedlogins is so large.

- Rod


IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

A Simple Code for Posting on the Web

 

[columb]

I've ended up doing quite a bit of work on this.

Firstly the scale of the problem. Across our systems the various utmp, wtmp and failed login files have sizes

b04001:-rw-r--r--   1 root     system        36288 20 Nov 15:58 /etc/utmp
b04001:-rw-rw-r--   1 adm      adm           49896 20 Nov 15:58 /var/adm/wtmp
b04001:-rw-r--r--   1 root     system      8431128 20 Nov 15:25 /etc/security/failedlogin

b04201:-rw-r--r--   1 root     system        39528 20 Nov 15:48 /etc/utmp
b04201:-rw-rw-r--   1 adm      adm           45360 20 Nov 15:56 /var/adm/wtmp
b04201:-rw-r--r--   1 root     system      7255008 20 Nov 15:24 /etc/security/failedlogin

b04401:-rw-r--r--   1 root     system        39528 20 Nov 15:58 /etc/utmp
b04401:-rw-rw-r--   1 adm      adm           77112 20 Nov 15:58 /var/adm/wtmp
b04401:-rw-r--r--   1 root     system      8295048 20 Nov 15:25 /etc/security/failedlogin

b04601:-rw-r--r--   1 root     system        46656 20 Nov 15:44 /etc/utmp
b04601:-rw-rw-r--   1 adm      adm           33696 20 Nov 15:44 /var/adm/wtmp
b04601:-rw-r--r--   1 root     system     33949368 20 Nov 10:03 /etc/security/failedlogin

b04801:-rw-r--r--   1 root     system        27216 20 Nov 14:48 /etc/utmp
b04801:-rw-rw-r--   1 adm      adm           11664 20 Nov 14:48 /var/adm/wtmp
b04801:-rw-r--r--   1 root     system        74520 20 Nov 09:43 /etc/security/failedlogin

b05001:-rw-r--r--   1 root     system        24624 20 Nov 15:49 /etc/utmp
b05001:-rw-rw-r--   1 adm      adm        27854928 20 Nov 15:49 /var/adm/wtmp
b05001:-rw-r--r--   1 root     system      4108320 20 Nov 15:07 /etc/security/failedlogin

b05201:-rw-r--r--   1 root     system        84888 20 Nov 15:58 /etc/utmp
b05201:-rw-rw-r--   1 adm      adm          110160 20 Nov 15:58 /var/adm/wtmp
b05201:-rw-r--r--   1 root     system     18086328 20 Nov 15:52 /etc/security/failedlogin

b05401:-rw-r--r--   1 root     system        58320 20 Nov 15:51 /etc/utmp
b05401:-rw-rw-r--   1 adm      adm        54613440 20 Nov 15:51 /var/adm/wtmp
b05401:-rw-r--r--   1 root     system     10415304 20 Nov 15:25 /etc/security/failedlogin

b05601:-rw-r--r--   1 root     system        22032 Nov 20 07:16 /etc/utmp
b05601:-rw-rw-r--   1 adm      adm        57308472 Nov 20 07:16 /var/adm/wtmp
b05601:-rw-r--r--   1 root     system      2572560 Oct 23 15:36 /etc/security/failedlogin

b05801:-rw-r--r--   1 root     system        22032 20 Nov 07:17 /etc/utmp
b05801:-rw-rw-r--   1 adm      adm        31809024 20 Nov 07:17 /var/adm/wtmp
b05801:-rw-r--r--   1 root     system      2297808 31 Oct 11:23 /etc/security/failedlogin

As you can see, on some of the systems the failed login file is in excess of 10Mb.

I still haven't worked out why but the growth basically stems from when we migrated to ssh using PuTTY as the ssh client. Of the options offered I think 'stupid users' is th emost likely but the jury's still out.

I tried my original proposal and it broke the file. All I can say is that fwtmp does NOT work as advertised. I ended up with a perl script which looks like

#!/bin/perl -w
use strict;
use Data::Dumper;
use User::Utmp;

User::Utmp::utmpname ( "/etc/security/failedlogin" );
my %users;
foreach ( User::Utmp::getut() )
  {
  exists $users{ $_->{'ut_user'}} or  $users{ $_->{'ut_user'}} = $_, next;
  $_->{'ut_time'} > $users{ $_->{'ut_user'}}->{'ut_time'} and
    $users{ $_->{'ut_user'}} = $_;
  }
unlink "/etc/security/failedlogin";
foreach ( values %users )
  { User::Utmp::pututline ( $_ ); }

For those not able to read my undocumented code it goes through /etc/security/failedlogin, keeps the last entry for each user and then writes it back. This will keep the security boys off my back. I'm busy writing a perl script which will count entries per user which should help track down the 'why' - more news as it happens.

Ceci n'est pas une signature
Columb Healy

 

[columb]

Last piece of the jigsaw. Every so often the security team do what they describe as a 'security probe' and this fills the failedlogin so maybe 'attack' was the best answer.

Ceci n'est pas une signature
Columb Healy

 

[Alexwhatever]

Columb,

This raises a couple of issues:

Firstly, your security guys should be testing systems AND processes. If they are filling your failedlogin file then they are performing a brute-force attack. If they are testing the system then they should just be testing to determine whether or not the system actively prevents this type of attack using mechanisms such as fail2ban or account lock-outs, etc. If they are testing processes then they should be checking to determine whether or not the appropriate person notices and responds to this sudden jump in failed login attempts. Another check of processes is to check for enforcement of password strength - a brute-force attack is a very, very messy way to do this. They should ask you for the shadow password file and run it through an offline cracker to check that all passwords meet requirements.

Following on - delve a little deeper - are they attempting a brute-force of different users' accounts, or simply a list of default/likely accounts (root, mail, ftpuser, etc.). If the former then you have to question the validity of this test - where would an attacker get this information and what are they attempting to prove/disprove?

All in all, this sounds a little suspect for a test, UNLESS they are testing your response to this kind of attack...

Regards,

Alex