>UNKNOWN ttyp1 ruf2-6.evoserve. Tue Jul 27 21:13 - 21:13 (00:00) >chadi ttyp1 ruf2-6.evoserve. Tue Jul 27 21:12 - 21:12 (00:00) > > question, is there any way for as to know as to what exactly is the 'guess' > user name someone tried to enter w/c resulted in the UNKNOWN record for /var/ >log/btmp ? > we know that for the entry "chadi", that there really is a user chadi on th >e system but his password was wrongly entered. is there any way for us to cap >ture and know what the wrongly enetered password is (guess password) and recor >d it in some file ?
in /etc/login.defs, the following line controls whether unknown usernames are recorded: # # Enable display of unknown usernames when login failures are recorded. # LOG_UNKFAIL_ENAB no To get unknown passwords, you have to edit the source. Note that this is a Bad Idea (to get the usernames or passwords) since it tends to 1) give you a list of the users' passwords and 2) give others a well-known place to look for them too. Any user can run lastb. Carl
