VMware Cloud Community
Erwin_Zoer
Contributor

How to enable last failed login message during logon?

Hello,

For a project I am working on, one of the requirements is to log the previous successful and unsuccessful logon so that users have a means to verify that their account has not been misused. The desired result would show something like this after logging on:

Last login: Mon Dec 10 12:56:13 2007 from mymachine.cust.com

Last failed login: Mon Dec 10 12:20:28 2007 from 193.12.23.8

The product used during the project is VMware ESX server 3.02 with update patch 1. Enabling the previous successful logon has been fairly simple by specifying the following option in /etc/login.defs:

LASTLOG_ENAB yes

After reading various (man) pages on the subject, I added the following lines to /etc/login.defs to enable displaying the previous failed login information:

FAILLOG_ENAB yes

LOG_UNKFAIL_ENAB yes

However, this did not yield the desired result.

Thinking that this information must be coming from somewhere, I researched various possibilities and found that one of the following sources would probably be used:

- /var/log/btmp

- /var/log/faillog

I set up /var/log/btmp by touch-ing it. This did not yield the desired result. The file remained empty and no bad login information was displayed at logon time. After that, I modified /etc/pam.d/system-auth and added the following lines to enable logging to /var/log/faillog:

account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root

auth required /lib/security/$ISA/pam_tally.so no_magic_root

Although faillog now functioned correctly, the bad login information still was not displayed at login time. For example:

# faillog -u useraccount

Username Failures Maximum Latest

useraccount 1 0 Mon Dec 10 14:24:22 +0100 2007 on mymachine.cust.com

At this point I am clueless how to resolve this issue and would appreciate some suggestions.

Best regards,

Erwin

9 Replies
Texiwill
Leadership

Hello,

To get the information you require you will have to do some scripting around faillog so that it reports the proper information. You could do something like:

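# Last failed attempt, as reported by faillog
fai=`faillog -u $USERNAME`

# Most recent login: last prints the newest entries first
foo=`last|grep $USERNAME|head -1`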

You would then format the strings as appropriate... $fai holds the last failed attempt and $foo holds the last login.... Faillog itself will not display what you want. The -u $USERNAME outputs the last failed login while the last displays the last login for the user. You will need to use both faillog and last to get the appropriate information and then format it appropriately.

Be aware that the wtmp file gets rotated monthly, so the on-the-cusp logins will be ignored; you cannot find the last login if there is a month boundary. Also, this is in reality more a Linux question than an ESX question and you should refer to the Red Hat documentation/forums for more information.

Best regards,

Edward L. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education. Available on Rough Cuts at http://safari.informit.com/9780132302074

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
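
The scripting approach described in the reply above, as an added example that is not part of the original post: two shell functions that turn the text printed by `faillog -u` and `last` into the banner lines asked for in the question. The sample text and the user name `erwin` are constructed, and the `last` column layout (user name cut to 8 characters, optional host column) is an assumption about the `last` shipped on the service console.

```shell
#!/bin/sh
# Added example: build the login banner lines from tool output.
# Assumed layouts: `faillog -u` as shown in the question; sysvinit `last`
# (user cut to 8 chars, then tty, host, "Dow Mon DD HH:MM").

# format_failed TEXT: TEXT is `faillog -u USER` output.
# Prints nothing when the failure count is 0.
format_failed() {
    printf '%s\n' "$1" | awk '
        # user failures maximum Dow Mon DD HH:MM:SS +ZZZZ YYYY on host
        $2 ~ /^[0-9]+$/ && $2 + 0 > 0 && NF >= 9 {
            host = ($10 == "on") ? $11 : "unknown"
            printf "Last failed login: %s %s %s %s %s from %s\n", $4, $5, $6, $7, $9, host
        }'
}

# format_last USER TEXT: TEXT is `last USER` output.
# Skips the session still in progress and reports when wtmp holds no
# earlier entry (the monthly rotation caveat from the reply).
format_last() {
    printf '%s\n' "$2" | awk -v u="$1" '
        $1 == substr(u, 1, 8) && !/still logged in/ {
            if ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) {
                # No host column (console login): report the tty instead.
                printf "Last login: %s %s %s %s on %s\n", $3, $4, $5, $6, $2
            } else {
                printf "Last login: %s %s %s %s from %s\n", $4, $5, $6, $7, $3
            }
            found = 1
            exit
        }
        END { if (!found) print "Last login: none in current wtmp (rotated?)" }'
}

# Constructed sample output for a hypothetical user "erwin".
SAMPLE_FAILLOG='Username   Failures  Maximum  Latest
erwin             1        0  Mon Dec 10 14:24:22 +0100 2007 on mymachine.cust.com'
SAMPLE_LAST='erwin    pts/0        mymachine.cust.c Mon Dec 10 14:30   still logged in
erwin    pts/0        mymachine.cust.c Mon Dec 10 12:56 - 13:10  (00:14)

wtmp begins Sat Dec  1 04:02:11 2007'

format_last erwin "$SAMPLE_LAST"
format_failed "$SAMPLE_FAILLOG"
```

On a live system the same functions take `"$(last "$USER")"` and `"$(faillog -u "$USER")"` as their text arguments; the second call needs read access to /var/log/faillog.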
Erwin_Zoer
Contributor

Hello,

First of all, thanks for taking the time to answer my question.

I understand that this question is more of a Linux nature than an ESX nature. However, VMware provided this interface and, according to its own sources, customized it heavily in order to make it more robust and secure than a default installation of Linux. This customization may be at the heart of the problem as it should be possible to have the last failed login displayed by just setting the following variable in /etc/login.defs

FAILLOG_ENAB yes

However, this does not appear to be the case. Continuing my research, it seems the problem may be related to the version of openssh used on VMware ESX server. Currently version 3.6 is installed and according to other sources on the Internet (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314956), this version does not log data to /var/log/btmp. I verified that this was an openssh related problem by performing bad logins through the console and found that the /var/log/btmp file was now correctly updated. This is what may be used by the login command to display previously bad logins...

Anyway, the point I'm trying to make is that it should be possible to print this information by making a change in a configuration file instead of writing a script to work around some kind of bug and/or configuration problem. Another problem I have with the scripted solution is that I need to provide read access to the /var/log/faillog file to users on the system. Since this log file contains security sensitive information from other users on the system as well, this could be abused when a system is under attack.

If you or others have more information on this subject available, I would certainly appreciate your input.

Best regards,

Erwin

Texiwill
Leadership

Hello,

> VMware provided this interface and, according to its own sources, customized it heavily in order to make it more robust and secure than a default installation of Linux. This customization may be at the heart of the problem as it should be possible to have the last failed login displayed by just setting ...

Actually, they did not modify the Service Console RPMs very much, they just chose those that are within RedHat RHEL3 U6, which I would imagine also suffers from this without first patching the environment. They provided more commands and a better firewall script and some changes to the RHEL kernel, but all the other packages are the same, just less of them.

You have four possibilities: Upgrade to a version of OpenSSH that has the patch, use a script to work around the issue, open a request for enhancement with VMware, or try ESX v3.5. I would open a case with VMware and still upgrade OpenSSH. Tomorrow or Thursday, I will upgrade to ESX v3.5 and let you know the result, perhaps there is a new version of OpenSSH.

Best regards,

Edward L. Haletky
Texiwill
Leadership

Hello,

The version of OpenSSH for ESX is still v3.6. Granted it is a VMware RPM most likely to add in new ciphers, however, they did not include btmp support. The suggestion is to put in a request for enhancement to VMware for them to upgrade to OpenSSH v4.

Best regards,

Edward L. Haletky
Tech_carrefour
Contributor

Is the "FAILLOG_ENAB" directive now supported in ESX 3.5 U3?

Texiwill
Leadership

Hello,

I have not seen it available. I still think you will need to use a work around.


Best regards,
Edward L. Haletky
surfup
Enthusiast

Edward,

I am running ESX 3.5 update 3 and I wonder how I find out what version of openssh ESX is running. Do you know how?

Note, I used the #openssl version -v and it works for OpenSSL. But trying it for openssh is a no go. Thanks.

Cheers,

Texiwill
Leadership

Hello,

rpm -q openssh

That should give you the version of the RPM.


Best regards,
Edward L. Haletky
surfup
Enthusiast

Thanks much.

Cheers,
