LinuxQuestions.org


huangyanfeng 11-05-2003 01:37 AM

How to know if any other user tries to 'su' but with an invalid password?
 
If I log in as root, when other users try to change to root by typing 'su' but with an invalid password, how could I know who is trying?

hw-tph 11-05-2003 02:19 AM

Check /var/log/auth.log.
If someone tries to su to root and fails you will find something like this in the auth.log:
Code:

Nov  5 09:15:08 baron su(pam_unix)[578]: authentication failure; logname=hw uid=1000 euid=0 tty=pts/1 ruser=hw rhost=  user=root
Nov  5 09:15:10 baron su[578]: pam_authenticate: Authentication failure
Nov  5 09:15:11 baron su[578]: - pts/1 hw-root

logname = the user that tried to become root
uid = the user's user id
tty = from where the user tried su'ing to root (pts/1 is a virtual console, i.e. an SSH session)
user = the username the user tried to su to (usually root)

Håkan
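
An added example, not part of the original post: a small parser that pulls failed su attempts out of auth.log text and counts them per user. It assumes the pam_unix line format shown in the post above; the first three sample lines are copied from that post, the rest are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Lines 1-3 are the sample from the post above; the remaining lines are constructed.
SAMPLE_LOG = """\
Nov  5 09:15:08 baron su(pam_unix)[578]: authentication failure; logname=hw uid=1000 euid=0 tty=pts/1 ruser=hw rhost=  user=root
Nov  5 09:15:10 baron su[578]: pam_authenticate: Authentication failure
Nov  5 09:15:11 baron su[578]: - pts/1 hw-root
Nov  5 09:20:42 baron su(pam_unix)[612]: authentication failure; logname=hw uid=1000 euid=0 tty=pts/1 ruser=hw rhost=  user=root
Nov  5 09:31:07 baron su(pam_unix)[640]: authentication failure; logname=alice uid=1001 euid=0 tty=pts/2 ruser=alice rhost=  user=root
Nov  5 09:40:00 baron sshd[700]: Accepted password for hw from 192.0.2.10 port 40022 ssh2
"""

# Timestamp, host, then the pam_unix failure record logged on behalf of su.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssu\(pam_unix\)\[(?P<pid>\d+)\]:"
    r"\sauthentication failure;\s(?P<fields>.*)$"
)
# key=value pairs; a value may be empty (rhost= on a local attempt).
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_su_failures(text):
    """Return one dict per failed su attempt found in auth.log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pam_unix su failure record
        fields = dict(FIELD_RE.findall(m.group("fields")))
        events.append({
            "time": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid")),
            "from_user": fields.get("logname") or fields.get("ruser", ""),
            "uid": int(fields["uid"]) if fields.get("uid", "").isdigit() else None,
            "tty": fields.get("tty", ""), "target": fields.get("user", ""),
        })
    return events

def failures_by_user(events):
    """Count failed attempts per (source user, target user) pair."""
    return Counter((e["from_user"], e["target"]) for e in events)

if __name__ == "__main__":
    for (src, dst), n in failures_by_user(parse_su_failures(SAMPLE_LOG)).most_common():
        print(f"{src} -> {dst}: {n} failed su attempt(s)")
```

To run it against a real log, pass the file's contents to parse_su_failures(); other distributions or PAM versions may format the line differently, in which case LINE_RE needs adjusting.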

Flibble 11-05-2003 10:02 AM

Pump the auth.* stuff into syslog and set up your syslog daemon to forward to a remote host. That way even if they are successful it will get logged over the network to a different machine that they won't have access to.

If you log it locally and they do get in then all bets are off.

Flibble

trickykid 11-05-2003 10:05 AM

In some cases it could be sending these logs to a sulog in the /var/log directory. It just depends on your default setup and what distro you're using, etc.


All times are GMT -5.