Saving Failed Login Attempts

You can save failed login attempts by creating the /var/adm/loginlog file with read and write permission for root only. After you create the loginlog file, all failed login activity will be automatically written to this file after five failed attempts. For detailed instructions, see How to Save Failed Login Attempts.

The loginlog file contains one entry for each failed attempt. Each entry contains the user's login name, tty device, and time of the failed attempt. If a person makes fewer than five unsuccessful attempts, none of the attempts are logged.

The loginlog file might grow quickly. To use the information in this file and to prevent the file from getting too large, you must check and clear its contents occasionally. If this file shows a lot of activity, it might suggest an attempt to break into the computer system. For more information about this file, see the loginlog(4) man page.

How to Save Failed Login Attempts

1. Become superuser or assume an equivalent role.

2. Create the loginlog file in the /var/adm directory.

   # touch /var/adm/loginlog

3. Set read and write permissions for root on the loginlog file.

   # chmod 600 /var/adm/loginlog

4. Change group membership to sys on the loginlog file.

   # chgrp sys /var/adm/loginlog

5. Make sure that the log works by attempting to log into the system five times with the wrong password. Then, display the /var/adm/loginlog file.

   # more /var/adm/loginlog rimmer:/dev/pts/1:Wed Jan 16 09:22:31 2002 rimmer:/dev/pts/1:Wed Jan 16 09:22:39 2002 rimmer:/dev/pts/1:Wed Jan 16 09:22:45 2002 rimmer:/dev/pts/1:Wed Jan 16 09:22:53 2002 rimmer:/dev/pts/1:Wed Jan 16 09:23:01 2002 #