How to monitor failed logins on Linux

2025-04-10 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article explains how to monitor failed logins on Linux.

Repeated failed login attempts on a Linux server may indicate an attempt to break into an account, or may simply mean that someone has forgotten or mistyped a password. Here's how to check for failed login attempts and how to check the system settings that determine when an account is locked in response.

The first thing you need to know is how to check for failed logins. The following command looks for signs of login failure in the /var/log/auth.log file used on Ubuntu and related systems. When someone tries to log in with a wrong or misspelled password, the failed login shows up as lines like these:

    $ sudo grep "Failed password" /var/log/auth.log | head -3
    Nov 17 15:08:39 localhost sshd[621893]: Failed password for nemo from 192.168.0.7 port 8132 ssh2
    Nov 17 15:09:13 localhost sshd[621893]: Failed password for nemo from 192.168.0.7 port 8132 ssh2

You can use this command to summarize failed logins by account:

    $ sudo grep "Failed password" /var/log/auth.log | grep -v COMMAND | awk '{print $9}' | sort | uniq -c
         22 nemo
          1 shs
          2 times:

This command summarizes failed logins by user name (column 9 of the grep output). It excludes lines that contain the word "COMMAND", which skips logged queries that contain the phrase "Failed password" (such as the one recorded when someone runs the command above). The "times:" string indicates that there were more repeated attempts than the counts report. These come from lines that contain "message repeated 5 times:", which may be added to the log file after a wrong password is typed several times in quick succession.

You may also want to check where the failed login attempts came from. To do this, change the field you focus on from the ninth to the eleventh, as shown in this example:

    $ sudo grep "Failed password" /var/log/auth.log | grep -v COMMAND | awk '{print $11}' | sort | uniq -c
         23 192.168.0.7

If you find, for example, that failed logins for multiple users come from a single system, this may be particularly suspicious.
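The two summaries above can be combined in a way that counts "message repeated N times:" lines at full weight and does not depend on fixed column numbers, which shift when sshd logs "invalid user". This is an added example, not part of the original article; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Usage: failed_logins user|source < /var/log/auth.log
failed_logins() {
    awk -v mode="$1" '
    # Only sshd lines: this drops sudo "COMMAND=" entries without grep -v.
    /sshd\[[0-9]+\]:/ && /Failed password for / {
        n = 1
        # Burst collapsed by syslog: "message repeated 5 times: [ Failed ..."
        if (match($0, /message repeated [0-9]+ times:/)) {
            split(substr($0, RSTART, RLENGTH), rep, " ")
            n = rep[3]
        }
        user = ""; src = ""
        for (i = 2; i < NF; i++) {
            # The first "password for" introduces the account name.
            if (user == "" && $(i-1) == "password" && $i == "for")
                user = ($(i+1) == "invalid" && $(i+2) == "user") ? $(i+3) : $(i+1)
            # The last "from" precedes the address (the name is untrusted input).
            if ($i == "from") src = $(i+1)
        }
        if (user == "" || src == "") next
        by_user[user] += n
        by_src[src] += n
        if (!((src, user) in seen)) { seen[src, user] = 1; users[src]++ }
    }
    END {
        if (mode == "source") {
            # failures, source address, number of distinct accounts tried
            for (s in by_src) print by_src[s], s, users[s]
        } else {
            for (u in by_user) print by_user[u], u
        }
    }' | sort -k1,1nr -k2,2
}

# Constructed sample input in auth.log format (not real log data).
sample_log() {
    cat <<'EOF'
Nov 17 15:08:39 localhost sshd[621893]: Failed password for nemo from 192.168.0.7 port 8132 ssh2
Nov 17 15:09:13 localhost sshd[621893]: message repeated 5 times: [ Failed password for nemo from 192.168.0.7 port 8132 ssh2]
Nov 17 15:11:02 localhost sshd[621950]: Failed password for invalid user admin from 192.168.0.7 port 8140 ssh2
Nov 17 15:12:40 localhost sshd[621977]: Failed password for shs from 192.168.0.9 port 5022 ssh2
Nov 17 15:13:05 localhost sudo:      shs : TTY=pts/0 ; PWD=/home/shs ; USER=root ; COMMAND=/usr/bin/grep Failed password /var/log/auth.log
EOF
}

sample_log | failed_logins user
sample_log | failed_logins source
```

In "source" mode the third column is the number of distinct accounts tried from that address, so a single system failing against several users stands out.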

On RHEL, CentOS, and related systems, messages related to failed logins are in the /var/log/secure file. You can count them with basically the same query as above. Just change the file name, as follows:

    $ sudo grep "Failed password" /var/log/secure | awk '{print $9}' | sort | uniq -c
          6 nemo

Check the settings in the /etc/pam.d/password-auth and /etc/pam.d/system-auth files. Adding such a line enforces your settings.

Check faillog

You may have noticed the faillog command, but the /var/log/faillog file it looks at doesn't seem to be in use on many systems today. If you run faillog -a, you will get output like that shown below, with 12-31-69 in the time column, which shows that the file is not being used.

    $ faillog -a
    Login       Failures Maximum Latest                   On

    root            0        0   12-31-69 19:00:00 -0500
    daemon          0        0   12-31-69 19:00:00 -0500
    bin             0        0   12-31-69 19:00:00 -0500
    sys             0        0   12-31-69 19:00:00 -0500

The date and time displayed go back to the beginning of the Unix epoch (01/01/70), probably adjusted for the local time zone. If you run the commands shown below, you can verify that the file is not empty but contains no actual data:

    $ ls -l /var/log/faillog
    -rw-r--r-- 1 root root 32576 Nov 12 12:12 /var/log/faillog
    $ od -bc /var/log/faillog
    0000000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
             \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
    *
    0077500

If the faillog file is actually in use, you should see recent activity and no mention of 1969.

How to respond?

There are many reasons for failed logins. One of your users may have tried to log in with the Caps Lock key on and not noticed. A user may have recently changed a password, then forgotten the change and tried the old one. Or the user may be trying a password that they use on another system. If a specific account shows up often when you run these queries, you should investigate it. Occasional failed login attempts, however, are common.

Check settings

To see how the system is set up to handle failed logins, check the /etc/pam.d/common-auth file. It is used on systems with Linux Pluggable Authentication Modules (PAM). Two settings in this file control how many failed login attempts are allowed before an account is temporarily locked and how long the account stays locked.

A line like the one below causes PAM to lock the account after six failed login attempts. The lock lasts five minutes (300 seconds).

    auth required pam_tally2.so deny=6 unlock_time=300
