If a user, me, logs into root and fails an entry is made in /var/log/messages. Why isn't /var/log/faillog also recording these? I purposely logged into root with a dodgy password and, as root,

# faillog -u root

displays

Username   Failures  Maximum  Latest
root           0        0

Or am I missing the concept of faillog and all it should do is pass the login failure to messages?

-- del suse-linux-e

del-SLE wrote:
> If a user, me, logs into root and fails an entry is made in /var/log/messages. Why isn't /var/log/faillog also recording these? I purposely logged into root with a dodgy password and, as root,
> # faillog -u root displays
> Username   Failures  Maximum  Latest
> root           0        0
> Or am I missing the concept of faillog and all it should do is pass the login failure to messages?

Hard to say what your problem is... it's working here on SuSE 8.2

s4:/home/jimbo # faillog -a
Username   Failures  Maximum  Latest
root           1        0     Fri Oct 3 07:49:54 -0700 2003 on tty6
jimbo          2        0     Fri Oct 3 07:51:44 -0700 2003 on tty4
s4:/home/jimbo #

Are you actually getting anything written to /var/log/faillog?

s4:/home/jimbo # strings /var/log/faillog
tty6
tty4
s4:/home/jimbo #

Jim

On Friday 03 Oct 2003 15:55, Jim Bonnet wrote:
> Are you actually getting anything written to /var/log/faillog?

When the system is rebooted faillog updates the timestamp

> s4:/home/jimbo # strings /var/log/faillog
> tty6
> tty4
> s4:/home/jimbo #
>
> Jim

That command does nothing here. Just had a thought. Permissions here are set to easy local, Suse default, could it be that?

-- del suse-linux-e

del-SLE wrote:
> On Friday 03 Oct 2003 15:55, Jim Bonnet wrote:
>> Are you actually getting anything written to /var/log/faillog?
> When the system is rebooted faillog updates the timestamp
>> s4:/home/jimbo # strings /var/log/faillog
>> tty6
>> tty4
>> s4:/home/jimbo #
>> Jim
> That command does nothing here. Just had a thought. Permissions here are set to easy local, Suse default, could it be that?

What do you have in /etc/login.defs for this?

#
# Enable logging and display of /var/log/faillog login failure info.
#
FAILLOG_ENAB yes

Jim

On Friday 03 Oct 2003 17:41, Jim Bonnet wrote:
> What do you have in /etc/login.defs for this?
>
> #
> # Enable logging and display of /var/log/faillog login failure info.
> #
> FAILLOG_ENAB yes
>
> Jim

Yes, I have that too. And the file is updating the time stamp with failed login times as well, not just reboots. Still no changes with strings command though. Had a look at the file with vim and it's one long line of ^@^@^@ and no ascii at all. Yast, security settings has log failed and successful logins set. I also renamed the file to faillog.old to see if it was recreated, it isn't. This is on both my Suse 8.2 boxes BTW. The other one is without updates, this one is fully patched and updated.

-- del suse-linux-e

del-SLE wrote:
> On Friday 03 Oct 2003 17:41, Jim Bonnet wrote:
>> What do you have in /etc/login.defs for this?
>> #
>> # Enable logging and display of /var/log/faillog login failure info.
>> #
>> FAILLOG_ENAB yes
>> Jim
> Yes, I have that too. And the file is updating the time stamp with failed login times as well, not just reboots. Still no changes with strings command though. Had a look at the file with vim and it's one long line of ^@^@^@ and no ascii at all. Yast, security settings has log failed and successful logins set. I also renamed the file to faillog.old to see if it was recreated, it isn't. This is on both my Suse 8.2 boxes BTW. The other one is without updates, this one is fully patched and updated.

weird... could it (/var/log/faillog) be corrupted?? what happens if you >/var/log/faillog to clear it out.. Then try logging in on ctl-alt-f1 and see what happens if you fail a couple times.. if I cat faillog it has some readable text, but still garbly unless you run strings on it...

Jim

On Friday 03 Oct 2003 18:11, Jim Bonnet wrote:
> weird... could it (/var/log/faillog) be corrupted?? what happens if you >/var/log/faillog to clear it out.. Then try logging in on ctl-alt-f1 and see what happens if you fail a couple times.. if I cat faillog it has some readable text, but still garbly unless you run strings on it...
>
> Jim

The post seems to have lost the command. Do you mean cat /dev/null > /var/log/faillog or something else?

-- del suse-linux-e

del-SLE wrote:
> On Friday 03 Oct 2003 18:11, Jim Bonnet wrote:
>> weird... could it (/var/log/faillog) be corrupted?? what happens if you >/var/log/faillog to clear it out.. Then try logging in on ctl-alt-f1 and see what happens if you fail a couple times.. if I cat faillog it has some readable text, but still garbly unless you run strings on it...
>> Jim
> The post seems to have lost the command. Do you mean cat /dev/null > /var/log/faillog or something else?

Just issue:

s4:/home/jimbo # >/var/log/faillog

This cleans out the old faillog making it a 0 length file

Jim

On Friday 03 Oct 2003 18:15, del-SLE wrote:
>> weird... could it (/var/log/faillog) be corrupted?? what happens if you >/var/log/faillog to clear it out.. Then try logging in on ctl-alt-f1 and see what happens if you fail a couple times.. if I cat faillog it has some readable text, but still garbly unless you run strings on it...
>> Jim
> The post seems to have lost the command. Do you mean cat /dev/null > /var/log/faillog or something else?

Renamed /var/log/faillog to faillog.old. dev nulled the file. tried login and now it logs tty2 with strings! 8-) File size is 24 bytes, that's the new file. The old file is 12048 bytes. Ok! It seems to be fine now, I'll do the same on the other box. Thanks Jim,

-- del suse-linux-e

Thanks to Jim, faillog and btmp, courtesy of Ken, seem to be working.

UNKNOWN  tty2  Fri Oct 3 18:26 - 18:26 (00:00)
UNKNOWN  tty2  Fri Oct 3 18:26 - 18:26 (00:00)
UNKNOWN  tty2  Fri Oct 3 18:26 - 18:26 (00:00)
root     tty2  Fri Oct 3 18:25 - 18:25 (00:00)
root     tty2  Fri Oct 3 18:25 - 18:25 (00:00)
root     tty2  Fri Oct 3 18:25 - 18:25 (00:00)
<trimmed>
btmp begins Fri Oct 3 18:25:30 2003

node2:/var/log # faillog
Username   Failures  Maximum  Latest
root           6        0     Fri Oct 3 18:25:59 +0100 2003 on tty2

Thanks all,

-- del suse-linux-e

On Fri, 2003-10-03 at 12:41, Jim Bonnet wrote:
> del-SLE wrote:
>> On Friday 03 Oct 2003 15:55, Jim Bonnet wrote:
>>> Are you actually getting anything written to /var/log/faillog?
>> When the system is rebooted faillog updates the timestamp
>>> s4:/home/jimbo # strings /var/log/faillog
>>> tty6
>>> tty4
>>> s4:/home/jimbo #
>>> Jim
>> That command does nothing here. Just had a thought. Permissions here are set to easy local, Suse default, could it be that?
> What do you have in /etc/login.defs for this?
> #
> # Enable logging and display of /var/log/faillog login failure info.
> #
> FAILLOG_ENAB yes
> Jim

You can also touch /var/log/btmp to create the file and then failed logins will go into this file encrypted. You can view failed logins with the lastb command (as root).

--
Ken Schneider
unix user since 1989
linux user since 1994
SuSE user since 1998

On Friday 03 Oct 2003 18:18, Ken Schneider wrote:
> You can also touch /var/log/btmp to create the file and then failed logins will go into this file encrypted. You can view failed logins with the lastb command (as root).

Just done that as well, thanks.

-- del suse-linux-e

The 03.10.03 at 11:48, del-SLE wrote:
> If a user, me, logs into root and fails an entry is made in /var/log/messages. Why isn't /var/log/faillog also recording these?

I tried "su -", with a wrong password, and faillog showed no error. I also tried via ssh, with the same result. However, when I tried from the text console, it did show, and the faillog file was modified.

--
Cheers,
Carlos Robinson

participants (4): Carlos E. R., del-SLE, Jim Bonnet, Ken Schneider
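
The file sizes and the ^@^@^@ view in vim reported in the thread fit a file of fixed-size binary records with one slot per UID. The following is an added example, not code from any poster in the thread: a reader for /var/log/faillog that assumes the `struct faillog` layout from the shadow suite's faillog.h as compiled on 32-bit little-endian Linux (24-byte records); the sample data, including UID 500, is constructed.

```python
import struct
from datetime import datetime, timezone

# Assumed layout (struct faillog, 32-bit little-endian build):
#   short fail_cnt; short fail_max; char fail_line[12];
#   4-byte fail_time; 4-byte fail_locktime   -> 24 bytes per UID slot
RECORD = struct.Struct("<hh12sii")


def parse_faillog(data):
    """Return {uid: record} for every slot holding a failure count or timestamp."""
    if len(data) % RECORD.size:
        raise ValueError(
            "size %d is not a multiple of %d: truncated file or different ABI"
            % (len(data), RECORD.size)
        )
    entries = {}
    for uid in range(len(data) // RECORD.size):
        cnt, maximum, line, when, lock = RECORD.unpack_from(data, uid * RECORD.size)
        if cnt == 0 and when == 0:
            continue  # UID that never failed: its slot is all NUL bytes
        entries[uid] = {
            "failures": cnt,
            "maximum": maximum,
            "line": line.split(b"\0", 1)[0].decode("ascii", "replace"),
            "latest": datetime.fromtimestamp(when, tz=timezone.utc),
            "locktime": lock,
        }
    return entries


def build_sample():
    """Constructed sample: 502 slots (12048 bytes), only UID 0 and UID 500 filled."""
    buf = bytearray(502 * RECORD.size)
    RECORD.pack_into(buf, 0, 6, 0, b"tty2", 1065201959, 0)
    RECORD.pack_into(buf, 500 * RECORD.size, 2, 0, b"tty4", 1065192704, 0)
    return bytes(buf)


if __name__ == "__main__":
    for uid, rec in sorted(parse_faillog(build_sample()).items()):
        print(uid, rec["failures"], rec["maximum"],
              rec["latest"].isoformat(), "on", rec["line"])
```

On a 64-bit build the two trailing fields are wider and the record size differs, so the size check is the first thing to fail when the layout assumption does not hold.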