How to know if any other user tries to 'su' but with an invalid password?
If I log in as root, and other users try to change to root by typing 'su' but with an invalid password, how can I know who is trying?
Check /var/log/auth.log.
If someone tries to su to root and fails you will find something like this in the auth.log:
Code:
Nov 5 09:15:08 baron su(pam_unix)[578]: authentication failure; logname=hw uid=1000 euid=0 tty=pts/1 ruser=hw rhost= user=root
uid = the user's user id
tty = From where the user tried su'ing to root (pts/1 is virtual console, i.e. an SSH session)
user = the username the user tried to su to (usually root)
Håkan
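Added example, not part of the original thread: a small filter that pulls failed su attempts out of auth.log and reports who tried, from which tty, and which account they targeted. The names `su_failures` and `sample_auth_log` are hypothetical; the first sample line is the one quoted above, the rest are constructed, and the newer `pam_unix(su:auth)` tag is accepted as well (an assumption about what your distro writes).

```shell
#!/bin/sh
# su_failures (hypothetical name): read auth.log lines on stdin and print one
# line per failed su: "<date> <host> <invoker> uid=<uid> tty=<tty> -> <target>"
# Typical use: su_failures < /var/log/auth.log
su_failures() {
    awk '
    # sshd, sudo and login log the same "authentication failure;" text, so
    # also require a su tag: old su(pam_unix) or newer pam_unix(su:auth).
    /authentication failure;/ && (/ su\(pam_unix\)/ || /pam_unix\(su(-l)?:auth\)/) {
        who = ""; uid = ""; tty = ""; target = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            if (key == "ruser" && val != "") who = val        # invoking user
            else if (key == "logname" && who == "") who = val # fallback
            else if (key == "uid") uid = val                  # euid is a separate key
            else if (key == "tty") tty = val
            else if (key == "user") target = val              # account being su-ed to
        }
        if (who == "") who = "?"
        printf "%s %s %s %s %s uid=%s tty=%s -> %s\n", $1, $2, $3, $4, who, uid, tty, target
    }'
}

# Sample input. Line 1 is the entry quoted in the post above; lines 2-4 are
# constructed: an sshd failure and a successful su (both must be ignored)
# and a failed su in the newer tag format.
sample_auth_log() {
    cat <<'EOF'
Nov 5 09:15:08 baron su(pam_unix)[578]: authentication failure; logname=hw uid=1000 euid=0 tty=pts/1 ruser=hw rhost= user=root
Nov 5 09:16:40 baron sshd[601]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Nov 5 09:16:55 baron su(pam_unix)[610]: session opened for user root by hw(uid=1000)
Nov 5 09:17:02 baron su: pam_unix(su:auth): authentication failure; logname=alice uid=1001 euid=0 tty=/dev/pts/2 ruser=alice rhost=  user=root
EOF
}

sample_auth_log | su_failures
```
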
Pump the auth.* stuff into syslog and set up your syslog daemon to forward to a remote host. That way even if they are successful it will get logged over the network to a different machine that they won't have access to.
If you log it locally and they do get in then all bets are off.
Flibble
In some cases it could be sending these logs to a sulog in the /var/log directory. It just depends on your default setup and what distro you're using, etc.