AIX

  • 1.  AIX Security - failed logins

    Posted Fri August 07, 2009 04:54 PM

    Originally posted by: dvdt


    Hello -

    I'm looking for some assistance with AIX Security. I am being asked to report on failed logins. I am running AIX 5.3 TL6 or higher.

    Currently, I am reporting failed login attempts using who /etc/security/failedlogin. However, my users all have the attribute 'loginretries=6' and after that last failed attempt, the user account attribute 'account_locked' is toggled from false to true.

    Ideally I'd like to be notified immediately if one of my user accounts has this attribute changed from false to true.

    I came up with the idea of running:

    lsuser -a account_locked ALL | grep -v false


    However, if this attribute is changed on the user account during the day (and I am not the one making the change) I am unaware of the change. This makes my method above invalid.

    Is there any magic with /etc/security/failedlogin that I'm missing?

    The icing on the cake here would be the option to exclude certain accounts such as ssh, nobody, sys, bin etc. I suppose I could do this with additional grep -v pipes but I'm looking for a more streamlined approach.

    Can anyone help me out ?
    #AIX-Forum


  • 2.  Re: AIX Security - failed logins

    Posted Mon August 10, 2009 08:26 AM

    Originally posted by: tony.evans


    Run a cron job every 5 minutes to check, keep track of previous user states and compare the two, if one changes, send a mail?
    #AIX-Forum


  • 3.  Re: AIX Security - failed logins

    Posted Mon August 10, 2009 08:30 AM

    Originally posted by: dvdt


    Thanks for the reply Tony.

    Scheduling a cron job isn't a bad idea. I could certainly do that, I'm looking for something perhaps a bit easier ?

    Anyone else have any ideas ?
    #AIX-Forum


  • 4.  Re: AIX Security - failed logins

    Posted Mon August 10, 2009 08:42 AM

    Originally posted by: tony.evans


    Easier? Maybe I'm using the wrong OS. Easy in Unix is scheduling a cronjob and writing a 10 line shell script to solve all the world's evils.
    #AIX-Forum


  • 5.  Re: AIX Security - failed logins

    Posted Tue August 11, 2009 04:23 AM

    Originally posted by: Montecarlo


    You might try "lsuser -a time_last_unsuccessful_login" and check this against the value of date +"%s".
    It will be possible to pick up failed logins within an arbitrary time period regardless of the account_locked and unsuccessful_login_count values.
    Regards, Simon
    #AIX-Forum


  • 6.  Re: AIX Security - failed logins

    Posted Tue August 11, 2009 08:34 AM

    Originally posted by: dvdt


    Thanks Tony and Simon. I think I have an idea about how to implement this correctly. I will likely deploy a shell script like Tony suggested and I think Simon's suggestion will fix a problem I had not considered.

    I have to admit, I am disappointed to learn there is not a "feature" that allows me to take a specific action when an account gets locked. I was hoping for something equivalent to configuring errornotify for errpt entries.

    Thanks again.
    #AIX-Forum


  • 7.  Re: AIX Security - failed logins

    Posted Tue August 11, 2009 03:10 PM

    Originally posted by: dvdt


    Well, turns out this is some incorrect information.

    The user's account attribute 'account_locked' is not related to the failed login attempts.

    The two attributes I should be concerned with are 'loginretries' and 'unsuccessful_login_count' for my particular situation.

    So turns out after I read the silly manpage for chuser:

    loginretries - Defines the number of unsuccessful login attempts allowed after the last successful login before the system locks the account. The value is a decimal integer string. A zero or negative value indicates that no limit exists. Once the user's account is locked, the user will not be able to log in until the system administrator resets the user's unsuccessful_login_count attribute in the /etc/security/lastlog file to be less than the value of loginretries. To do this, enter the following:

    chsec -f /etc/security/lastlog -s username -a \
    unsuccessful_login_count=0

    Anyhow, after some testing today and purposefully fat fingering my password I see:

    
    # lsuser -a account_locked loginretries unsuccessful_login_count dvdt
    account_locked=false loginretries=6 unsuccessful_login_count=20
    

    It appears my script will have to compare the unsuccessful_login_count and loginretries to see which account is actually locked.

    Does anyone have some further information regarding the account_locked attribute?
    #AIX-Forum


  • 8.  Re: AIX Security - failed logins

    Posted Tue August 11, 2009 11:11 PM

    Originally posted by: SystemAdmin


    Have a look in /etc/security. You will find the "loginretries" setting in user, and the "unsuccessful_login_count" for each user in lastlog. A simple script could be made to reset this for the offending user.
    #AIX-Forum


  • 9.  Re: AIX Security - failed logins

    Posted Wed August 12, 2009 03:48 AM

    Originally posted by: Montecarlo


    For (I suspect) historical reasons, AIX supports about 4 ways of locking a user account.
    1. 'account_locked = true' in /etc/security/user
    2. passwd expiration date = 0101000070. 'expires' field in /etc/security/user
    3. '*' in /etc/passwd passwd field
    4. '*' in /etc/security/passwd passwd field
    These all require administrator action. What I normally do when checking users is to ignore all users with any of these attributes set.
    account_locked can be set to true or false. false allows login, true doesn't.
    Failure messages for user or password or account locked at login time are deliberately non-committal.
    To keep track of users who have locked their own accounts you will have to compare unsuccessful_login_count to loginretries.
    Regards, Simon
    #AIX-Forum
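
The approach the thread converges on (compare unsuccessful_login_count to loginretries, skip excluded and administrator-locked accounts, and report only changes since the previous run), as an added example that is not code from any poster. The function names, the exclusion list, the state file path and the sample input are assumptions.

```shell
#!/bin/sh
# Added example. Input on stdin: lines shaped like the output of
#   lsuser -a loginretries unsuccessful_login_count account_locked ALL
# i.e. "name attr=value attr=value ..."; a missing count is treated as 0.

EXCLUDE="ssh nobody sys bin"   # accounts to skip (assumed list; adjust)

# Print accounts whose unsuccessful_login_count has reached loginretries.
# loginretries <= 0 means "no limit"; account_locked=true is an
# administrator lock and is skipped, as are names in EXCLUDE.
locked_by_retries() {
    awk -v skip="$EXCLUDE" '
    BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) ex[s[i]] = 1 }
    {
        if ($1 in ex) next
        retries = 0; count = 0
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "account_locked" && kv[2] == "true") next
            if (kv[1] == "loginretries") retries = kv[2] + 0
            if (kv[1] == "unsuccessful_login_count") count = kv[2] + 0
        }
        if (retries > 0 && count >= retries) print $1
    }' | sort
}

# newly_locked STATEFILE: print accounts locked out now but not on the
# previous run, then keep the current list for the next comparison.
newly_locked() {
    state=$1
    locked_by_retries > "$state.new"
    [ -f "$state" ] || : > "$state"
    comm -13 "$state" "$state.new"
    mv "$state.new" "$state"
}

# Constructed sample input (not captured from a real system).
SAMPLE='root loginretries=0 unsuccessful_login_count=3
dvdt account_locked=false loginretries=6 unsuccessful_login_count=20
alice loginretries=6 unsuccessful_login_count=2
carol account_locked=true loginretries=6 unsuccessful_login_count=7
nobody loginretries=6 unsuccessful_login_count=9'
printf '%s\n' "$SAMPLE" | locked_by_retries

# From cron on AIX (state path is an assumption; keep it root-writable only):
#   lsuser -a loginretries unsuccessful_login_count account_locked ALL |
#       newly_locked /var/adm/locked.state
# and mail the output when it is not empty.
```
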