I. Presentation
This tutorial covers one aspect of managing accounts and passwords on a server: checking the complexity and validity of logins by reviewing failed login attempts. To list the failed login attempts on a server, you can of course implement a full security policy. But, in a more basic way, you can also use the lastb command.
In this tutorial, we will see how to use this command to detect all unsuccessful login attempts on a Linux server.
II. View successful attempts from a server
On a Linux server (more generally, on any Unix server), you can display the history of the most recent logins to the server with the last command:
# last
This returns the list of the most recent successful local logins on the server concerned:
NOTE: the output also includes the restart phases of the server in question. This is also useful for reviewing the different reboots that were performed.
But how do we get the same kind of list for unsuccessful login attempts?
III. View unsuccessful connection attempts from a server
The answer to the question above is very simple (if you stick to basic Linux commands): use the lastb command. It lists the various unsuccessful login attempts for a given server.
Thus, for our server, we should get the following result, showing that several login attempts were made on the server srv001:
root     ssh:notty    srv001    Sat Sep  1 16:57 - 16:57  (00:00)
root     ssh:notty    srv001    Sat Sep  1 16:57 - 16:57  (00:00)
root     ssh:notty    srv001    Sat Sep  1 16:57 - 16:57  (00:00)
root     ssh:notty    srv001    Sat Sep  1 16:57 - 16:57  (00:00)
administ ssh:notty    srv001    Sat Sep  1 16:57 - 16:57  (00:00)
administ ssh:notty    srv001    Sat Sep  1 16:57 - 16:57  (00:00)
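Reading the raw list is enough for a handful of lines, but on a server exposed to the Internet lastb quickly returns hundreds of entries. The script below is an added example, not code from the original tutorial: it summarises lastb-style output per account and per origin host, and flags accounts that collect several failures. The input here is a constructed sample in the same column layout as the lastb output above (with the trailing "btmp begins" line that lastb prints); in real use you would pipe the actual command into the function, as root, since lastb reads /var/log/btmp. The function names, the variable SAMPLE_BTMP and the threshold of 3 are this example's own choices.

```sh
#!/bin/sh
# Added example (not part of the original tutorial): summarise lastb output.
# Real use:  lastb | count_by_field 1      (account column)
#            lastb | count_by_field 3      (origin host column)
# lastb reads /var/log/btmp, which is normally readable only by root.

# Constructed sample in the same column layout as real lastb output:
# account, line, origin host, start time, "-", end time, duration.
# The blank line and the "btmp begins ..." trailer mimic what lastb prints.
SAMPLE_BTMP='root     ssh:notty    srv001           Sat Sep  1 16:57 - 16:57  (00:00)
root     ssh:notty    srv001           Sat Sep  1 16:57 - 16:57  (00:00)
root     ssh:notty    srv001           Sat Sep  1 16:57 - 16:57  (00:00)
root     ssh:notty    srv001           Sat Sep  1 16:57 - 16:57  (00:00)
administ ssh:notty    srv001           Sat Sep  1 16:57 - 16:57  (00:00)
administ ssh:notty    srv001           Sat Sep  1 16:57 - 16:57  (00:00)
alice    ssh:notty    10.0.0.7         Sat Sep  1 17:02 - 17:02  (00:00)

btmp begins Sat Sep  1 16:50:01 2018'

# count_by_field N: count failed attempts per distinct value of column N
# (1 = account name, 3 = origin host). Reads lastb output on stdin and
# prints "count value" lines, most frequent first.
count_by_field() {
    awk -v col="$1" '
        # skip the blank line and the "btmp begins ..." trailer
        $1 == "btmp" || NF < 8 { next }
        { counts[$col]++ }
        END { for (k in counts) print counts[k], k }
    ' | sort -rn
}

# flag_accounts THRESHOLD: print account names with at least THRESHOLD
# failures (default 3). A single user mistyping a password produces one or
# two entries; a long run against one account (typically root) is the
# pattern to look at first.
flag_accounts() {
    threshold="${1:-3}"
    count_by_field 1 | awk -v t="$threshold" '$1 >= t { print $2 }'
}

echo "Failures per account:"
printf '%s\n' "$SAMPLE_BTMP" | count_by_field 1
echo "Failures per origin host:"
printf '%s\n' "$SAMPLE_BTMP" | count_by_field 3
echo "Accounts with 3 or more failures:"
printf '%s\n' "$SAMPLE_BTMP" | flag_accounts 3
```

On the sample, the per-account summary shows 4 failures for root, 2 for administ and 1 for alice, and only root crosses the threshold of 3. Counting by origin host (column 3) is the view to use when deciding which sources to block with the PAM policy or the utilities mentioned in the next section.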
ATTENTION: this command does nothing more than display the list of unsuccessful attempts. To go further in terms of security, you will then need to set up a PAM (Pluggable Authentication Modules) policy and/or utilities such as:
IV. Conclusion
With this command alone, we can easily identify the different types of failed attempts and then put the necessary countermeasures in place:
- attempts with a wrong account name or password
- attempts made by a robot (bot)
- denial of service attempts
Most of the time, these will indeed be attempts in the first category: one or more users got the account to use, or its associated password, wrong. In the other cases, it really will be necessary to configure PAM and the tools mentioned above.