LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices



Reply
 
Search this Thread
Old 11-05-2003, 02:37 AM   #1
huangyanfeng
LQ Newbie
 
Registered: Oct 2003
Posts: 11

Rep: Reputation: 0
Post How to know if there any other user try to 'su' but with invalid password?


If i login as root, when other users try to change to root by typing 'su' but with invalid password, how could I know who is tring ?
 
Old 11-05-2003, 03:19 AM   #2
hw-tph
Senior Member
 
Registered: Sep 2003
Location: Sweden
Distribution: Debian
Posts: 3,032

Rep: Reputation: 57
Check /var/log/auth.log.
If someone tries to su to root and fails you will find something like this in the auth.log:
Code:
Nov  5 09:15:08 baron su(pam_unix)[578]: authentication failure; logname=hw uid=1000 euid=0 tty=pts/1 ruser=hw rhost=  user=root
Nov  5 09:15:10 baron su[578]: pam_authenticate: Authentication failure
Nov  5 09:15:11 baron su[578]: - pts/1 hw-root
logname = the user that tried to become root
uid = the user's user id
tty = From where the user tried su'ing to root (pts/1 is virtual console, i.e. an SSH session)
user = the username the user tried to su to (usually root)

Håkan
 
Old 11-05-2003, 11:02 AM   #3
Flibble
Member
 
Registered: Mar 2002
Distribution: Redhat 9.0, Debian, Knoppix, YellowDog
Posts: 142

Rep: Reputation: 15
Pump the auth.* stuff into syslog and set up your syslog daemon to forward to a remote host. That way even if they are successful it will get logged over the network to a different machine that they won't have access to.

If you log it locally and they do get in then all bets are off.

Flibble
 
Old 11-05-2003, 11:05 AM   #4
trickykid
Guru
 
Registered: Jan 2001
Posts: 24,133

Rep: Reputation: 199Reputation: 199
In some cases it could be sending these logs to a sulog in /var/log directory. Just depends on your default setup and what distro your using, etc.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
su cannot su from root to any user: invalid password BassJunkie Linux - Security 3 02-27-2009 01:33 PM
Added a user, now root says "invalid password" gallwapa Linux - Security 20 10-17-2005 05:13 PM
My server crashed after "Failed password for invalid user john from ::ffff:XX.XX" guarriman Linux - General 1 10-11-2005 11:18 AM
where does 'su' look to determine if a user exists? MisterESauce Linux - Software 5 04-13-2005 10:18 AM
squirremail ...it says invalid user or invalid password. rnj Fedora 9 10-25-2004 10:56 PM


All times are GMT -5. The time now is 12:15 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration