
I have a non-expiring service account on an AIX server. I use the account to connect to my database.

Every couple of weeks some user or task tries to connect to the account with the wrong password, and the account gets locked. This causes me days of delay to get the account unlocked again.

I've asked all the people who seem likely to be connecting but they all say it's not them. The AIX sysadmins tell me they can't track who is trying to connect. It is someone within our internal network.

Is there any way on AIX of tracking who is attempting the connection? Perhaps a log of IP addresses attempting connection?

  • All the people who are most likely to be locking the account deny that they or their programs are doing it. Yes, one of them is wrong, but I don't know who. – Payson, Mar 29, 2016 at 0:11
  • OK -- I've edited that into the question. – Mar 29, 2016 at 1:03

4 Answers


It's right in /var/adm/syslog by default; it looks like this:

Dec 13 18:43:33 moscow auth|security:info sshd[14483679]: Failed password for myservacct from 192.168.0.12 port 59148 ssh2
Dec 13 18:43:38 moscow auth|security:info syslog: ssh: failed login attempt for myservacct from 192.168.0.12

A simple grep will collect the failed attempts, e.g.

> tail -1000 /var/adm/syslog | grep -i 'failed.*myservacct'

If there's no such info, check whether your /etc/syslog.conf has been set to write auth.info to your log file.
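
Turning that grep into a per-host summary, as an added example that is not part of the original answer: the function below reads syslog-format lines from stdin, keeps only the sshd "Failed password" lines for the named account (the second "ssh: failed login attempt" line AIX writes for the same attempt is ignored, so each attempt is counted once), and prints every source host with its attempt count and first/last timestamp, busiest host first. The log lines at the bottom are constructed sample input modelled on the two lines in the answer; on a real server you would run failed_by_host myservacct < /var/adm/syslog.

```shell
# Added example: summarize failed SSH password attempts for one account by source host.
# Reads syslog-format lines on stdin; prints "host count first_seen last_seen",
# busiest host first. Only POSIX awk and sort are used (no GNU extensions), so it runs on AIX.
failed_by_host() {
  awk -v acct="$1" '
    /sshd\[[0-9]*\]: Failed password for / {
      user = ""; host = ""
      for (i = 1; i <= NF; i++) {
        # sshd writes "for <user>" or, for unknown names, "for invalid user <user>"
        if ($i == "for") user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
        if ($i == "from") host = $(i + 1)
      }
      if (user != acct || host == "") next
      ts = $1 " " $2 " " $3            # syslog timestamp: Mon DD HH:MM:SS
      n[host]++
      if (!(host in first)) first[host] = ts
      last[host] = ts
    }
    END {
      for (h in n) printf "%s %d %s %s\n", h, n[h], first[h], last[h]
    }' | sort -k2,2nr
}

# Constructed sample input (modelled on the answer's log lines): two hosts fail against
# myservacct, one unrelated user fails, one login succeeds, plus the duplicate
# "failed login attempt" line that must not be double-counted.
SAMPLE_SYSLOG='Dec 13 18:43:33 moscow auth|security:info sshd[14483679]: Failed password for myservacct from 192.168.0.12 port 59148 ssh2
Dec 13 18:43:38 moscow auth|security:info syslog: ssh: failed login attempt for myservacct from 192.168.0.12
Dec 13 19:01:02 moscow auth|security:info sshd[14483700]: Failed password for myservacct from 192.168.0.12 port 59210 ssh2
Dec 13 19:05:11 moscow auth|security:info sshd[14483712]: Failed password for myservacct from 10.0.5.7 port 41022 ssh2
Dec 13 19:06:00 moscow auth|security:info sshd[14483720]: Failed password for otheruser from 10.0.5.9 port 41100 ssh2
Dec 13 19:07:30 moscow auth|security:info sshd[14483731]: Accepted password for myservacct from 10.0.5.8 port 41150 ssh2'

# Demo run on the sample; against a live server use: failed_by_host myservacct < /var/adm/syslog
printf '%s\n' "$SAMPLE_SYSLOG" | failed_by_host myservacct
```

The host at the top of the output is where to start asking; the first/last timestamps help match the attempts to a cron schedule or a batch job window, which is usually how a "nobody admits it" lockout gets traced.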


Basically, from an administrative point of view, all apps and DB teams should have their own monitoring script, which should do the trick to monitor the commands run by individuals and the time of login.

I am an AIX administrator myself. When this same situation comes to any apps team with their common app account, they come to us and ask who has locked it. Answer: there is no straight answer for this from me, but it's a kind of predictive answer. (Maybe this is the reason why this is still unanswered.) I used to check all unsuccessful/failed login attempts made to that account, as the users would first log in to that host with their own account and then sudo to that app account. Then I would check which members of that app account were logged into that server at that instant. I would give the user IDs of those users to the person who has asked for this.

Note: AIX administrators usually check the entries of /var/adm/wtmp and /etc/security/failedlogin to get an idea of who logged in to a server and at what time, and who registered a failed login.

Hope this helps a bit.


If you can't find the information in syslog, another option is to query the user account for the last unsuccessful login attempts:

sudo lsuser -f -a time_last_unsuccessful_login tty_last_unsuccessful_login host_last_unsuccessful_login unsuccessful_login_count service-account-name-here

Sample output will be:

service-account-name-here:
        time_last_unsuccessful_login=1607709599
        tty_last_unsuccessful_login=ssh
        host_last_unsuccessful_login=10.1.2.3
        unsuccessful_login_count=1

You can convert the timestamp with GNU date or with perl:

date -d @1607709599
perl -e 'print scalar localtime 1607709599, "\n"'

On the server, you can display the file '/etc/security/lastlog' and search for the desired user account.
There you can find the IP host of whoever is locking your account in the variable 'host_last_unsuccessful_login'. It also displays the date.
With this value, you can research who uses that IP and finally block it in your network environment.

Edu
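
The stanza format shown in the lsuser answer above and the one Edu reads from /etc/security/lastlog are the same (attribute=value lines under a "user:" header), and AIX's own date command has no GNU -d option, so here is an added example, not from either answer, that pulls the lockout attributes out of a stanza read on stdin and converts the epoch timestamp to a UTC date in plain POSIX awk, which AIX ships. SAMPLE_STANZA is a constructed copy of the lsuser sample output above; on a real server you would pipe in the output of lsuser -f -a ... account, or the account's stanza copied out of /etc/security/lastlog.

```shell
# Added example: extract the last-failed-login attributes from an AIX stanza
# (as printed by `lsuser -f` or stored in /etc/security/lastlog) and render the
# epoch timestamp as a UTC date using only POSIX awk (AIX date lacks -d).

# Print the value of one attribute from a stanza read on stdin.
# Usage: stanza_attr ATTRIBUTE < stanza
stanza_attr() {
  awk -F= -v key="$1" '
    { sub(/^[ \t]+/, "", $1) }          # strip the stanza indentation
    $1 == key { print $2; exit }'
}

# Convert seconds-since-epoch to "YYYY-MM-DD HH:MM:SS UTC" in pure awk
# (civil-from-days algorithm; valid for any non-negative epoch value).
epoch_to_utc() {
  awk -v t="$1" '
    function civil(z,    era, doe, yoe, y, doy, mp, d, m) {
      z += 719468
      era = int(z / 146097)
      doe = z - era * 146097
      yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
      y = yoe + era * 400
      doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
      mp = int((5 * doy + 2) / 153)
      d = doy - int((153 * mp + 2) / 5) + 1
      m = (mp < 10) ? mp + 3 : mp - 9
      if (m <= 2) y++
      return sprintf("%04d-%02d-%02d", y, m, d)
    }
    BEGIN {
      t += 0
      days = int(t / 86400); secs = t - days * 86400
      printf "%s %02d:%02d:%02d UTC\n", civil(days), int(secs / 3600), int((secs % 3600) / 60), secs % 60
    }'
}

# One-line lockout report for a stanza read on stdin: from where, over what, how often, when.
lockout_report() {
  stanza=$(cat)
  host=$(printf '%s\n' "$stanza" | stanza_attr host_last_unsuccessful_login)
  via=$(printf '%s\n' "$stanza" | stanza_attr tty_last_unsuccessful_login)
  count=$(printf '%s\n' "$stanza" | stanza_attr unsuccessful_login_count)
  when=$(epoch_to_utc "$(printf '%s\n' "$stanza" | stanza_attr time_last_unsuccessful_login)")
  printf 'host=%s tty=%s count=%s last=%s\n' "$host" "$via" "$count" "$when"
}

# Constructed sample, copied from the lsuser answer's output.
SAMPLE_STANZA='service-account-name-here:
        time_last_unsuccessful_login=1607709599
        tty_last_unsuccessful_login=ssh
        host_last_unsuccessful_login=10.1.2.3
        unsuccessful_login_count=1'

# Demo run; on a live server: lsuser -f -a time_last_unsuccessful_login ... account | lockout_report
printf '%s\n' "$SAMPLE_STANZA" | lockout_report
```

Note that the stanza only holds the most recent failure and a running count, so it tells you the last offender, not every one; pair it with the syslog history when more than one host is involved.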
