Welcome to the most active Linux Forum on the web.
Go Back > Forums > Linux Forums > Linux - General
User Name
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.


  Search this Thread
Old 11-05-2003, 01:37 AM   #1
LQ Newbie
Registered: Oct 2003
Posts: 11

Rep: Reputation: 0
Post How to know if there any other user try to 'su' but with invalid password?

If i login as root, when other users try to change to root by typing 'su' but with invalid password, how could I know who is tring ?
Old 11-05-2003, 02:19 AM   #2
Senior Member
Registered: Sep 2003
Location: Sweden
Distribution: Debian
Posts: 3,032

Rep: Reputation: 58
Check /var/log/auth.log.
If someone tries to su to root and fails you will find something like this in the auth.log:
Nov  5 09:15:08 baron su(pam_unix)[578]: authentication failure; logname=hw uid=1000 euid=0 tty=pts/1 ruser=hw rhost=  user=root
Nov  5 09:15:10 baron su[578]: pam_authenticate: Authentication failure
Nov  5 09:15:11 baron su[578]: - pts/1 hw-root
logname = the user that tried to become root
uid = the user's user id
tty = From where the user tried su'ing to root (pts/1 is virtual console, i.e. an SSH session)
user = the username the user tried to su to (usually root)

Old 11-05-2003, 10:02 AM   #3
Registered: Mar 2002
Distribution: Redhat 9.0, Debian, Knoppix, YellowDog
Posts: 142

Rep: Reputation: 15
Pump the auth.* stuff into syslog and set up your syslog daemon to forward to a remote host. That way even if they are successful it will get logged over the network to a different machine that they won't have access to.

If you log it locally and they do get in then all bets are off.

Old 11-05-2003, 10:05 AM   #4
LQ Guru
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 235Reputation: 235Reputation: 235
In some cases it could be sending these logs to a sulog in /var/log directory. Just depends on your default setup and what distro your using, etc.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
su cannot su from root to any user: invalid password BassJunkie Linux - Security 3 02-27-2009 12:33 PM
Added a user, now root says "invalid password" gallwapa Linux - Security 20 10-17-2005 04:13 PM
My server crashed after "Failed password for invalid user john from ::ffff:XX.XX" guarriman Linux - General 1 10-11-2005 10:18 AM
where does 'su' look to determine if a user exists? MisterESauce Linux - Software 5 04-13-2005 09:18 AM
squirremail says invalid user or invalid password. rnj Fedora 9 10-25-2004 09:56 PM > Forums > Linux Forums > Linux - General

All times are GMT -5. The time now is 04:32 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration