Learn how to extract the list of bad/wrong login attempts made on an HPUX server from the btmps file. This is useful for audit purposes and for troubleshooting account management.
How to check bad/wrong login attempts made on an HPUX server.
An HPUX server logs all wrong login information in the /var/adm/btmps file. This is a binary data file, so commands like cat and more won't work on it. To read the data in this file, use the command below:
# /usr/sbin/acct/fwtmp -X < /var/adm/btmps > /tmp/badlogins.log
This converts the data in the btmps file into human-readable format (binary to ASCII). You can then run cat or more on the output file and investigate the bad logins.
# cat /tmp/badlogins.log
root pts/ta 12127 0 0000 0000 1190171137 0 Sep 19 11:05:37 2007 0 10.105.100.89 10.105.100.89
root pts/tb 13964 0 0000 0000 1190174185 0 Sep 19 11:56:25 2007 0 10.105.100.89 10.105.100.89
Important fields here are:
- ID which tried to log in
- Terminal from which attempt was made
- Date time stamp when attempt was made
- IP from which attempt came to server (last field)
- System epoch time (7th column)
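For an audit, the converted file is easier to review when failed attempts are grouped by login name and source IP. The following is an added example, not part of the original article: the function names summarize_badlogins and sample_badlogins are hypothetical, the column positions are assumed to match the sample output above (login name in column 1, epoch time in column 7, source IP in the last field), and the third sample line is constructed.

```shell
#!/bin/sh
# Summarise failed logins per (login name, source IP) from `fwtmp -X` text output.
# Assumes the column layout of the sample on this page:
#   $1 = login name, $7 = epoch time, last field = source IP.
summarize_badlogins() {
    awk '
        # Skip lines that do not match the assumed layout (no numeric epoch in $7).
        NF < 8 || $7 !~ /^[0-9]+$/ { skipped++; next }
        {
            key = $1 " " $NF          # group by login name and source IP
            t = $7 + 0                # epoch of this attempt, as a number
            count[key]++
            if (!(key in first) || t < first[key]) first[key] = t
            if (!(key in last)  || t > last[key])  last[key]  = t
        }
        END {
            # Output columns: attempts, login, source IP, first epoch, last epoch
            for (k in count)
                printf "%d %s %d %d\n", count[k], k, first[k], last[k]
            if (skipped)
                printf "skipped %d unparsed line(s)\n", skipped | "cat 1>&2"
        }
    ' "$@" | sort -k1,1nr -k2,2      # busiest login/IP pairs first
}

# Sample input: the two lines shown above plus one constructed line.
sample_badlogins() {
    cat <<'EOF'
root pts/ta 12127 0 0000 0000 1190171137 0 Sep 19 11:05:37 2007 0 10.105.100.89 10.105.100.89
root pts/tb 13964 0 0000 0000 1190174185 0 Sep 19 11:56:25 2007 0 10.105.100.89 10.105.100.89
user1 ssh:notty 20111 0 0000 0000 1190174200 0 Sep 19 11:56:40 2007 0 192.0.2.10 192.0.2.10
EOF
}

sample_badlogins | summarize_badlogins
```

On a real server, pass the converted file instead of the sample: summarize_badlogins /tmp/badlogins.log. Records with an empty login name shift the columns and are reported as skipped on stderr rather than counted.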
If you are looking for a quicker way and do not wish to dig into the data values, you can use btmp as well. This gives short, formatted output that is useful for a quick look at login attempts.
test ssh:notty Fri Oct 7 11:21
user1 ssh:notty Sat Oct 1 15:24
user4 ssh:notty Tue Aug 30 18:57
----- output truncated -----
root pts/tb Wed Sep 19 11:56
root pts/ta Wed Sep 19 11:05
BTMPS_FILE begins at Wed Sep 19 11:05:37
In the above output you can see that the btmp file is read by the command, and the username, terminal and timestamp are extracted to the output.