Monitoring failed logins

Status: Not open for further replies.

BFOJ (MIS, US), Mar 6, 2002
I manually run the following command to view the failed logins:

who /etc/security/failedlogin

This lists all the entries. I also use tail to monitor the last few entries:

who /etc/security/failedlogin | tail -20

But what I'd really like to do is to automate this so that if I have several failed attempts either from the same user, same machine, and/or during some period of time, a message would be generated and sent to an account of my choosing to alert that individual. Any thoughts would be appreciated.
 
There are probably some commercial monitoring tools that you could set to do this for you, but I'm assuming you need to worry about cost, right?

Of course, for several consecutive failures, you can have the system lock an account.

Here are a couple of additional ideas, but I'm not sure what the step-by-step procedures would be to implement them:

There is a script in an FAQ (faq52-2445) that is used to check errpt and send an email if there is a difference in the number of errors. (You can kick it off at boot time and use a sleep command at the end of the script to run it every five minutes or so, or you can schedule it through cron.) You might be able to adapt this script to run against /etc/security/failedlogin rather than the errpt file.

A while back I had asked here about adding an error that would be reported by errpt (thread52-368085). I never tried implementing it, but that is something else you might try to work with.

Good luck. If you come up with something good, I hope you share! (Sorry I can't come up with more concrete help.)
 
Thank you bi for your suggestions. Cost is a factor, that's why I'm checking into the possible solutions using AIX commands, etc.

I haven't tried your suggestions, but we do have our security set to lock out accounts after a number of failed attempts. However, most of the failed logins are UNKNOWN, and I'm not sure if that's even possible to lock out. The other account is root, and we currently don't want that account locked, although perhaps this creates a security gotcha.
 
One suggestion (in response to your reply to bi) would be to disable rlogin for the root account and only use su to get to root. This prevents anyone from ever being able to log in remotely as root. The /var/adm/sulog keeps a list of who su'd to what user and whether it was successful. I agree, you don't want to lock root, ever, but you can protect it by only allowing su's or direct terminal login (not rlogin). Make sense?

What do you mean by a lot of the failed logins are UNKNOWN? UNKNOWN users or it's UNKNOWN if the accounts are locked due to failed logins?
 
Actually, we do have rlogin disabled.

Below is some data from running
who /etc/security/failedlogin

UNKNOWN_U pts/9 Aug 06 17:26
UNKNOWN_U pts/2 Aug 06 17:26
UNKNOWN_U pts/12 Aug 06 17:26
UNKNOWN_U pts/1 Aug 06 17:26
UNKNOWN_U pts/6 Aug 06 17:26
UNKNOWN_U pts/11 Aug 06 17:26
UNKNOWN_U pts/4 Aug 06 17:26
UNKNOWN_U pts/0 Aug 06 17:26
UNKNOWN_U pts/0 Aug 09 06:32
 
You mentioned
" The other account is root, and we currently don't want that account locked, although perhaps this creates a security gotcha. "
so that's why I brought up the rlogin thing. You're doing that correctly.

If it's unknown, then it's unknown, right? I'm not sure how you would script it if it's unknown. When I run who /etc/security/failedlogin it gives me the PC number of the connecting user. I noticed that if I type my login name incorrectly it comes up as unknown; if I type my password wrong, it comes up with the correct login.

I guess my only suggestion would be to script something that counts a user's failed attempts and emails them if it gets to a certain number for a certain day. You would probably need to schedule it in cron and run it every hour (or any increment). It wouldn't be an exact science, but it would give you a rough idea. I'm not sure what to do with the "unknowns". Good luck.

 
The who /etc/security/failedlogin should give you the IP or DNS of the workstation or server making the connection. Get with your workstation team and user admin teams to see who uses each PC and create a file such as /etc/security/workstationusers detailing

username DNSaddress IPaddress

You could then write a script to run under cron to look for repeated UNKNOWNs from the same address. If found, it would then match the IP or DNS to the username in the above file and produce a notification that way. The only time this would not work is if a connection was made through a device that served as an intermediary such as a RAS server, MS Terminal Server, etc. An auditing tool would be needed on these devices to match connections.

I'll try to write a tool to do this and I'll post if successful.

Need to stock up,
needcoffee
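One way to implement the counting needcoffee describes (repeated UNKNOWNs from the same address, mapped back to a user through a workstation file), and the per-user / per-machine threshold BFOJ asked for at the top of the thread, as an added example that is not from the thread or from anyone posting in it. It assumes that who(1) prints the remote host in parentheses as the last field of each line (the listing BFOJ pasted has that column cut off, but both BFOJ and needcoffee say the IP or DNS name is shown), and it uses a constructed sample listing and a constructed /etc/security/workstationusers map (the file name is needcoffee's suggestion, the contents are made up here) so it runs offline. Only POSIX sh and awk are used, so it runs under AIX ksh unchanged.

```shell
#!/bin/sh
# Added example, not from the thread: count failed logins per source host and
# per user name in `who /etc/security/failedlogin` output and map the host
# back to a user. Assumption: the remote host is the last, parenthesised field.

THRESHOLD=${THRESHOLD:-3}   # failures per key that trigger a report line

# Constructed sample of `who /etc/security/failedlogin` output (not real data).
SAMPLE_LOG='UNKNOWN_U pts/9 Aug 06 17:26 (pc1234.example.com)
UNKNOWN_U pts/2 Aug 06 17:26 (pc1234.example.com)
UNKNOWN_U pts/12 Aug 06 17:26 (pc1234.example.com)
root pts/1 Aug 06 17:27 (10.1.2.3)
jdoe pts/6 Aug 06 17:30 (pc5678.example.com)
root pts/11 Aug 06 17:31 (10.1.2.3)
UNKNOWN_U pts/0 Aug 09 06:32 (pc9999.example.com)'

# Constructed workstation map in needcoffee's "username DNSaddress IPaddress"
# layout; in production this would be read from /etc/security/workstationusers.
SAMPLE_MAP='asmith pc1234.example.com 10.1.1.10
bjones pc5678.example.com 10.1.1.11
carol   pc9999.example.com 10.1.2.3'

# count_by MODE  (MODE is "host" or "user"); reads who-style lines on stdin and
# prints "count key" for every key at or above THRESHOLD, highest count first.
count_by() {
    awk -v mode="$1" -v thr="$THRESHOLD" '
        {
            if (mode == "host") { key = $NF; gsub(/[()]/, "", key) }
            else                { key = $1 }
            n[key]++
        }
        END { for (k in n) if (n[k] >= thr) printf "%d %s\n", n[k], k }
    ' | sort -rn
}

# lookup_host HOST -- username whose workstation has that DNS name or IP,
# or "unmapped" when the address is not in the map (e.g. a terminal server).
lookup_host() {
    printf '%s\n' "$SAMPLE_MAP" | awk -v h="$1" '
        $2 == h || $3 == h { print $1; found = 1 }
        END { if (!found) print "unmapped" }'
}

# report -- the alert body: offending hosts (with the mapped user) and users.
report() {
    printf '%s\n' "$SAMPLE_LOG" | count_by host | while read -r cnt host; do
        printf 'host %s: %d failures (mapped to %s)\n' "$host" "$cnt" "$(lookup_host "$host")"
    done
    printf '%s\n' "$SAMPLE_LOG" | count_by user | while read -r cnt user; do
        printf 'user %s: %d failures\n' "$user" "$cnt"
    done
}

# Under cron you would feed `who /etc/security/failedlogin` (or just the lines
# added since the last run) into count_by instead of SAMPLE_LOG and pipe the
# report into mail when it is non-empty.
report
```

Because the listing is keyed on the host name rather than the user name, the UNKNOWN_U entries that cannot be tied to an account still end up attributed to a workstation, which is the point of needcoffee's map; the time window is simply whatever slice of the listing you feed in (the whole file, a `tail`, or the new lines found by a diff against the previous run).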
 
It is true that either the IP or DNS name of the workstation is listed and I can use that information to determine whose computer it is, so that's not the issue here. As I'd mentioned earlier, I'd been checking this manually; I was just looking for a way to automate it and email me when a threshold that I determine has been exceeded, so I can figure out if this is unintentional or mischievous.

I've played around with scripting and using cron to achieve this, but haven't been successful yet.

needcoffee, I appreciate your efforts in creating a tool for this.
 
Give this a try:

#!/bin/ksh
#
# Script to monitor /etc/security/failedlogin for failed login attempts
# over a time interval controlled by when the script was last run.
# Each run saves the current "who" listing; the next run diffs against
# that copy, so only the entries added since the last run are counted.
#

maindest='name@domain'      # main recipient of the alert
copylist=''                 # optional cc list, leave empty for none
integer threshold=5         # new failures per interval that trigger a mail

checklog='/etc/security/checklog.chk'   # listing saved by the previous run
report='/etc/security/report.chk'       # new entries found by this run
templog='/etc/security/temp.chk'        # scratch file; kept out of world-writable /tmp since root writes it
integer failures=0

if [[ ! -f $checklog ]]
then
    print "\n\nRunning script for first time. Creating log file and terminating.\n\n"
    who /etc/security/failedlogin > $checklog
    exit 0
fi

who /etc/security/failedlogin > $templog
# Lines present now but not in the saved copy ("> " lines in diff output) are the new failures
diff $checklog $templog | grep '^>' > $report
cp $templog $checklog
wc -l $report | read failures junk
print "\n\n$failures Failed login attempts have been recorded since last check"
print "Failure threshold is $threshold\n\n"
if [[ $failures -ge $threshold ]]
then
    print "Threshold value reached/exceeded - processing alert for `hostname`"
    print "# The following failed logins have been logged since the last check ran on `hostname`:\n" > $templog
    cat $report >> $templog
    cat $templog
    # Only pass -c when there is actually a cc list
    if [[ -n $copylist ]]
    then
        mail -s "Unauthorised access alert on `hostname`" -c "$copylist" $maindest < $templog
    else
        mail -s "Unauthorised access alert on `hostname`" $maindest < $templog
    fi
else
    print "No action taken\n\n"
fi
exit 0



Joanne
 
I was working on this issue and managed to nail it down.
The only thing I could not explain from our auditor's perspective is the UNKNOWN_ logins. It looks like failedlogin does not capture any input characters besides valid user names. It happens that I have an HP-UX box; HP-UX can capture any characters that you type in failedlogin, but it does not provide the IP address or source location, whereas AIX does provide these. So I guess we work within the limitations of each flavor.

Below is part of my daily monitoring script. The difficulty I had was getting a text output of failedlogin; I ended up using fwtmp and then truncate to remove all the spaces.
I used who /etc/security/failedlogin and had a good output, but that one does not provide the year.

echo "17. **** Failed logins ********" >> $outfile
yr=`date +%Y`                  # was hard-coded to 2004; derive it from the clock instead
mth=`date +%b`
dy=`date +%e | tr -d ' '`      # %e pads single digits with a space, which would never match after tr -s
yday=`expr $dy - 1`            # 0 on the first of the month, so yesterday's grep simply matches nothing
F_USERS=/tmp/test1
# fwtmp converts the binary utmp-format file to text; tr squeezes the column padding
/usr/sbin/acct/fwtmp < /etc/security/failedlogin > /tmp/failedlog.txt
cat /tmp/failedlog.txt | tr -s " " > /tmp/test2
awk '{print $1,$2, $8, $9, $10, $11,$12, $14}' /tmp/test2 > $F_USERS
# keep yesterday's and today's entries only (note "$mth 1" also matches days 10-19)
grep "$yr" $F_USERS | grep "$mth $yday" > /tmp/testme
grep "$yr" $F_USERS | grep "$mth $dy" >> /tmp/testme
cat /tmp/testme >> $outfile
mail -s "XXXX - Daily Monitor" sysadmin < $outfile

hope this helps
 
Kudos to baileyj for her excellent script. Worked like a champ. Created a cronjob to run this script every 30 minutes. Again, thanks baileyj.

 
jrb23,

IBM's explanation for logging UNKNOWN_ instead of what was typed is that sometimes passwords are accidentally typed at the prompt, and they shouldn't be logged.

Given that only root and the security group can access failedlogin, I'd rather it logged what was typed, or at least the first eight characters. Like you said, we just have to work within the limitations.

Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L

 
pleasure BFOJ.

Women in the workplace.....wink wink

Joanne
 