Re: bad login tracking
>UNKNOWN ttyp1 ruf2-6.evoserve. Tue Jul 27 21:13 - 21:13 (00:00)
>chadi ttyp1 ruf2-6.evoserve. Tue Jul 27 21:12 - 21:12 (00:00)
>
> question, is there any way for as to know as to what exactly is the 'guess'
> user name someone tried to enter w/c resulted in the UNKNOWN record for /var/
>log/btmp ?
> we know that for the entry "chadi", that there really is a user chadi on th
>e system but his password was wrongly entered. is there any way for us to cap
>ture and know what the wrongly enetered password is (guess password) and recor
>d it in some file ?
in /etc/login.defs, the following line controls whether unknown
usernames are recorded:
#
# Enable display of unknown usernames when login failures are recorded.
#
LOG_UNKFAIL_ENAB no
To get unknown passwords, you have to edit the source.
Note that this is a Bad Idea (to get the usernames or passwords)
since it tends to 1) give you a list of the users' passwords and
2) give others a well-known place to look for them too.
Any user can run lastb.
Carl
Reply to: