Pls help identify locked user accounts in /var/log/messages

Post by fla_panther » 2015/08/29 05:11:51

Hi all,

I want to write a script to email me when a user account gets locked. I've found the log messages in /var/log/messages; here's a sample of what's in there after I did some testing:

Aug 28 20:05:23 server1 sshd[6555]: pam_tally2(sshd:auth): user test1 (503) tally 22, deny 12
Aug 28 20:05:26 server1 sshd[6555]: Failed password for test1 from 192.168.0.2 port 58846 ssh2
Aug 28 20:05:31 server1 sshd[6556]: Connection closed by 192.168.0.2
Aug 28 21:32:22 server1 sshd[6758]: pam_tally2(sshd:auth): user test1 (503) tally 24, deny 12
Aug 28 21:32:24 server1 sshd[6758]: Failed password for test1 from 192.168.0.2 port 63359 ssh2
Aug 28 21:32:40 server1 sshd[6758]: Accepted password for test1 from 192.168.0.2 port 63359 ssh2
Aug 28 21:32:41 server1 sshd[6758]: pam_unix(sshd:session): session opened for user test1 by (uid=0)
Aug 28 21:32:44 server1 sshd[6758]: pam_unix(sshd:session): session closed for user test1
Aug 28 21:33:03 server1 unix_chkpwd[6792]: password check failed for user (test1)
Aug 28 21:33:03 server1 sshd[6789]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.2 user=test1
Aug 28 21:33:05 server1 sshd[6789]: Failed password for test1 from 192.168.0.2 port 63360 ssh2
Aug 28 21:36:16 server1 unix_chkpwd[6803]: password check failed for user (test1)

I believe the line indicating an account has been locked includes the text "Failed password for", but there's nothing in the log that specifically states that, nor can I find any documentation that specifically states that verbiage is what dictates an account is locked.

If anyone can confirm or deny this for me I'd appreciate it.

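A Python filter that picks out the pam_tally2 notices in the log format shown above and builds the notification mail, added here as an example and not part of the original post. It assumes pam_tally2 writes its "tally N, deny M" notice when it refuses a login because the tally exceeds the deny limit; the function names and mail addresses are hypothetical.

```python
import re
from email.message import EmailMessage

# Constructed sample: four lines in the format of the post's log excerpt.
SAMPLE_LOG = """\
Aug 28 20:05:23 server1 sshd[6555]: pam_tally2(sshd:auth): user test1 (503) tally 22, deny 12
Aug 28 20:05:26 server1 sshd[6555]: Failed password for test1 from 192.168.0.2 port 58846 ssh2
Aug 28 21:32:22 server1 sshd[6758]: pam_tally2(sshd:auth): user test1 (503) tally 24, deny 12
Aug 28 21:33:05 server1 sshd[6789]: Failed password for test1 from 192.168.0.2 port 63360 ssh2
"""

# pam_tally2 notice: "user NAME (UID) tally N, deny M"
TALLY_RE = re.compile(
    r"^(?P<when>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<service>[\w-]+)\[\d+\]: "
    r"pam_tally2\(\S+\): user (?P<user>\S+) \((?P<uid>\d+)\) "
    r"tally (?P<tally>\d+), deny (?P<deny>\d+)"
)

def locked_events(lines):
    """Return a dict for each pam_tally2 line whose tally exceeds deny."""
    events = []
    for line in lines:
        m = TALLY_RE.match(line)
        if m and int(m["tally"]) > int(m["deny"]):
            events.append(m.groupdict())
    return events

def latest_per_user(events):
    """Keep only the most recent event per user (log order is time order)."""
    return {ev["user"]: ev for ev in events}

def build_alert(latest, sender, recipient):
    """Build the notification mail, or return None when nothing is locked."""
    if not latest:
        return None
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "Locked accounts: " + ", ".join(sorted(latest))
    msg.set_content("\n".join(
        f"{ev['when']} {ev['host']} {ev['service']}: user {ev['user']} "
        f"(uid {ev['uid']}) tally {ev['tally']} > deny {ev['deny']}"
        for ev in latest.values()))
    return msg

if __name__ == "__main__":
    alert = build_alert(latest_per_user(locked_events(SAMPLE_LOG.splitlines())),
                        "root@server1", "admin@example.com")  # placeholder addresses
    print(alert)  # to send: smtplib.SMTP("localhost").send_message(alert)
```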