System Administration Guide: Security Services

ProcedureHow to Monitor All Failed Login Attempts

This procedure captures in a syslog file all failed login attempts.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Set up the /etc/default/login file with the desired values for SYSLOG and SYSLOG_FAILED_LOGINS

    Edit the /etc/default/login file to change the entry. Make sure that SYSLOG=YES is uncommented.

    # grep SYSLOG /etc/default/login
    # SYSLOG determines whether the syslog(3) LOG_AUTH facility 
    # should be used
  3. Create a file with the correct permissions to hold the logging information.

    1. Create the authlog file in the /var/adm directory.

      # touch /var/adm/authlog
    2. Set read-and-write permissions for root user on the authlog file.

      # chmod 600 /var/adm/authlog
    3. Change group membership to sys on the authlog file.

      # chgrp sys /var/adm/authlog
  4. Edit the syslog.conf file to log failed password attempts.

    The failures should be sent to the authlog file.

    1. Type the following entry into the syslog.conf file.

      Fields on the same line in syslog.conf are separated by tabs.

      auth.notice <Press Tab>  /var/adm/authlog
    2. Refresh the configuration information for the syslog daemon.

      # svcadm refresh system/system-log
  5. Verify that the log works.

    For example, as an ordinary user, log in to the system with the wrong password. Then, in the Primary Administrator role or as superuser, display the /var/adm/authlog file.

    # more /var/adm/authlog
    Nov  4 14:46:11 example1 login: [ID 143248 auth.notice] 
     Login failure on /dev/pts/8 from example2, stacey
  6. Monitor the /var/adm/authlog file on a regular basis.

Example 3–4 Logging Access Attempts After Three Login Failures

Follow the preceding procedure, except set the value of SYSLOG_FAILED_LOGINS to 3 in the /etc/default/login file.

Example 3–5 Closing Connection After Three Login Failures

Uncomment the RETRIES entry in the /etc/default/login file, then set the value of RETRIES to 3. Your edits take effect immediately. After three login retries in one session, the system closes the connection.