System Administration Guide: Security Services

ProcedureHow to Monitor Failed Login Attempts

This procedure captures failed login attempts from terminal windows. This procedure does not capture failed logins from a GNOME login attempt.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Create the loginlog file in the /var/adm directory.

    # touch /var/adm/loginlog
  3. Set read-and-write permissions for root user on the loginlog file.

    # chmod 600 /var/adm/loginlog
  4. Change group membership to sys on the loginlog file.

    # chgrp sys /var/adm/loginlog
  5. Verify that the log works.

    For example, log in to the system five times with the wrong password. Then, display the /var/adm/loginlog file.

    # more /var/adm/loginlog
    jdoe:/dev/pts/2:Tue Nov  4 10:21:10 2003
    jdoe:/dev/pts/2:Tue Nov  4 10:21:21 2003
    jdoe:/dev/pts/2:Tue Nov  4 10:21:30 2003
    jdoe:/dev/pts/2:Tue Nov  4 10:21:40 2003
    jdoe:/dev/pts/2:Tue Nov  4 10:21:49 2003

    The loginlog file contains one entry for each failed attempt. Each entry contains the user's login name, tty device, and time of the failed attempt. If a person makes fewer than five unsuccessful attempts, no failed attempts are logged.

    A growing loginlog file can indicate an attempt to break into the computer system. Therefore, check and clear the contents of this file regularly. For more information, see the loginlog(4) man page.