
Re: bad login tracking

Quoting Chad A. Adlawan (chadi@archangel.8eight8.net.ph):
> hello all,
>    when i invoke 'lastb', i get the following output :
> UNKNOWN  ttyp1        ruf2-6.evoserve. Tue Jul 27 21:13 - 21:13  (00:00)
> chadi    ttyp1        ruf2-6.evoserve. Tue Jul 27 21:12 - 21:12  (00:00)
>    that is, UNKNOWN for someone who tried to enter a non-existent username (w/ reference to /etc/passwd) and the "chadi" field for someone who tried to log-in using the username "chadi" and providing the wrong password.
>    question, is there any way for us to know what exactly is the 'guess' user name someone tried to enter w/c resulted in the UNKNOWN record for /var/log/btmp ?

What's the point? Do crackers try to login with their email address?
Or perhaps someone typed their password because they hadn't expected
a username prompt.

>    we know that for the entry "chadi", that there really is a user chadi on the system but his password was wrongly entered.  is there any way for us to capture and know what the wrongly entered password is (guess password) and record it in some file ?

Again, what's the point? Do you ask chadi if they remember making
such a mistake?

What might be more reassuring is to check that bad logins are immediately
followed by a good one. Everyone makes typos.


Email:  d.wright@open.ac.uk   Tel: +44 1908 653 739  Fax: +44 1908 655 151
Snail:  David Wright, Earth Science Dept., Milton Keynes, England, MK7 6AA
Disclaimer:   These addresses are only for reaching me, and do not signify
official stationery. Views expressed here are either my own or plagiarised.
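
The check suggested in the reply above (is each bad login soon followed by a good one?), as an added example that is not part of the original post. It assumes the column layout of the quoted lastb output; the third lastb line, the last record, the year and the five-minute window are constructed, and matching an UNKNOWN failure on host alone is an assumption of this example.

```python
import re
from datetime import datetime, timedelta

# user, tty, host, then the start time as printed, e.g. "Tue Jul 27 21:13".
RECORD = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+\w{3} (\w{3})\s+(\d+) (\d\d:\d\d)")

# First two lastb lines are the ones quoted in the post; the alice line and
# the `last` record are constructed sample data.
LASTB_SAMPLE = """\
UNKNOWN  ttyp1        ruf2-6.evoserve. Tue Jul 27 21:13 - 21:13  (00:00)
chadi    ttyp1        ruf2-6.evoserve. Tue Jul 27 21:12 - 21:12  (00:00)
alice    ttyp2        host-a.example.  Tue Jul 27 22:01 - 22:01  (00:00)
"""
LAST_SAMPLE = """\
chadi    ttyp1        ruf2-6.evoserve. Tue Jul 27 21:14 - 21:40  (00:26)
"""

def parse(text, year):
    """Parse last/lastb output into (user, tty, host, start) tuples.
    The output prints no year, so the caller supplies one."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # blank lines and the "btmp begins ..." trailer
        user, tty, host, mon, day, hhmm = m.groups()
        start = datetime.strptime(f"{year} {mon} {day} {hhmm}", "%Y %b %d %H:%M")
        records.append((user, tty, host, start))
    return records

def unexplained_failures(lastb_text, last_text, year, window=timedelta(minutes=5)):
    """Return failed logins with no good login from the same host in `window`.
    An UNKNOWN failure carries no usable name, so it is matched on host only."""
    good = parse(last_text, year)
    suspicious = []
    for user, _tty, host, when in parse(lastb_text, year):
        followed = any(
            g_host == host
            and (user == "UNKNOWN" or g_user == user)
            and when <= g_when <= when + window
            for g_user, _g_tty, g_host, g_when in good
        )
        if not followed:
            suspicious.append((user, host, when))
    return suspicious

if __name__ == "__main__":  # 1999 is an assumed year for the sample data
    for user, host, when in unexplained_failures(LASTB_SAMPLE, LAST_SAMPLE, 1999):
        print(f"no good login after failure: {user} from {host} at {when}")
```

On a live system the two inputs would be the text printed by lastb and last; failures left in the result are the ones worth a closer look.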
