Learn how to extract the list of bad/wrong login attempts made on the HPUX server from the btmps file. Useful for audit purposes and troubleshooting account management.
Requirement :
To check bad/wrong login attempts done on the HPUX server.
Howto :
The HPUX server logs all wrong login information in the /var/adm/btmps file. This file is a data file, so commands like cat and more won't work on it. To read the data within this file, use the command below:
# /usr/sbin/acct/fwtmp -X < /var/adm/btmps > /tmp/badlogins.log
This will convert the data in the btmps file into a human-readable format (binary to ASCII). Later you can cat or more the output file and investigate bad logins.
# cat /tmp/badlogins.log
root pts/ta 12127 0 0000 0000 1190171137 0 Sep 19 11:05:37 2007 0 10.105.100.89 10.105.100.89
root pts/tb 13964 0 0000 0000 1190174185 0 Sep 19 11:56:25 2007 0 10.105.100.89 10.105.100.89
Important fields here are :
- ID which tried to log in
- Terminal from which attempt was made
- Date time stamp when an attempt was made
- IP from which attempt came to the server (last field)
- System epoch time (7th column)
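For audit work, the fields listed above can be aggregated into one line per login ID and source address. The following is an added example, not part of the original article; the function names are hypothetical and it assumes the column layout of the sample lines shown above (login ID in column 1, epoch time in column 7, source IP in the last field).

```shell
#!/bin/sh
# Added example: summarise `fwtmp -X` output of btmps per login ID and source IP.
# Assumed layout (taken from the sample lines in this article):
#   $1 = login ID, $2 = terminal, $7 = epoch time, $NF = source IP.
# Output columns: attempts, login ID, source IP, first epoch, last epoch.

summarize_badlogins() {
    # Reads the converted log from the files given as arguments, or from stdin.
    awk '
        # Skip anything that is not a record in the expected layout.
        NF < 8 || $7 !~ /^[0-9]+$/ { next }
        {
            key = $1 " " $NF
            count[key]++
            t = $7 + 0
            if (!(key in first) || t < first[key]) first[key] = t
            if (!(key in last)  || t > last[key])  last[key]  = t
        }
        END {
            for (k in count)
                printf "%d %s %d %d\n", count[k], k, first[k], last[k]
        }
    ' "$@" | sort -k1,1nr -k2,2 -k3,3
}

# Constructed sample input: the first two lines are the ones shown in this
# article, the third is made up (192.0.2.15 is a documentation address).
sample_badlogins() {
    cat <<'EOF'
root pts/ta 12127 0 0000 0000 1190171137 0 Sep 19 11:05:37 2007 0 10.105.100.89 10.105.100.89
root pts/tb 13964 0 0000 0000 1190174185 0 Sep 19 11:56:25 2007 0 10.105.100.89 10.105.100.89
test pts/tc 14001 0 0000 0000 1190174200 0 Sep 19 11:56:40 2007 0 192.0.2.15 192.0.2.15
EOF
}

# Usage on the server:   summarize_badlogins /tmp/badlogins.log
# Usage with the sample: sample_badlogins | summarize_badlogins
```

A high attempt count from one address inside a short first-to-last window is the pattern to look at first when reviewing the summary.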
If you are looking for an easy way out and do not wish to dig more into data values, you can use the lastb command as well. This gives a short, formatted output which is useful for a quick look at login attempts.
# lastb
test ssh:notty Fri Oct 7 11:21
user1 ssh:notty Sat Oct 1 15:24
user4 ssh:notty Tue Aug 30 18:57
----- output truncated -----
root pts/tb Wed Sep 19 11:56
root pts/ta Wed Sep 19 11:05
BTMPS_FILE begins at Wed Sep 19 11:05:37
In the above output you can see that the btmp file is being read by the command, and the username, terminal and timestamp are being extracted to the output.