This post outlines steps to capture failed tty-type logins such as telnet, rlogin, and terminal logins. It does not cover logging Common Desktop Environment (CDE) logins or ssh logins. Invalid login attempts are logged to /var/adm/loginlog (if it exists) and/or to syslog via the auth.notice facility.
The /var/adm/loginlog file does not exist by default; it must be created. It must be owned by root and group sys, and must have read and write permissions for the owner only:
# touch /var/adm/loginlog
# chown root:sys /var/adm/loginlog
# chmod 600 /var/adm/loginlog
# ls -l /var/adm/loginlog
-rw------- 1 root sys 0 Jun 26 10:39 /var/adm/loginlog
See the loginlog(4) manpage for additional information.
Add a line similar to the following in /etc/syslog.conf:
Stop and restart syslogd after any changes to /etc/syslog.conf:
Solaris 9 and earlier
# /etc/init.d/syslog stop
# /etc/init.d/syslog start
Solaris 10 and newer
# svcadm disable svc:/system/system-log
# svcadm enable svc:/system/system-log
The /etc/default/login environment variables
RETRIES=5 – This variable controls how many failed attempts are allowed before the tty line is disconnected. Keep in mind that this does not disable the account: the user can always reconnect and make another 5 attempts.
SYSLOG_FAILED_LOGINS=5 – This sets the number of failed attempts on one tty line before a message is logged via the auth.notice facility in syslog. Setting this variable to 0 (zero) logs every bad login attempt.
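The following script is an added example, not part of the original post: it creates a loginlog file with the ownership and mode required above, verifies them, and then summarises how many failed attempts each login name has accumulated in the file (loginlog(4) records are "login name:tty:time", one per failed attempt). The file path, owner and group are parameters so it can be exercised against a scratch directory; the sample records are constructed, and on a real Solaris host you would pass /var/adm/loginlog with owner root and group sys.

```shell
#!/bin/sh
# Added example for the loginlog procedure above (not the original post's code).

# create_loginlog FILE OWNER GROUP: create FILE owned by OWNER:GROUP, mode 600,
# i.e. the touch/chown/chmod sequence from the post with the path parameterised.
create_loginlog() {
    touch "$1" && chown "$2:$3" "$1" && chmod 600 "$1"
}

# loginlog_mode FILE: print the 10-character permission string from ls -l
# (e.g. -rw-------); cut drops the ACL/SELinux marker some ls versions append.
loginlog_mode() {
    ls -l "$1" | awk '{print $1}' | cut -c1-10
}

# check_loginlog FILE OWNER: succeed only if FILE is mode 600 and owned by OWNER.
# Any other mode lets other users read (or worse, truncate) the failure record.
check_loginlog() {
    mode=$(loginlog_mode "$1")
    owner=$(ls -l "$1" | awk '{print $3}')
    [ "$mode" = "-rw-------" ] && [ "$owner" = "$2" ]
}

# write_sample_loginlog FILE: append constructed sample records in loginlog(4)
# format ("login name:tty:time"); the time field itself contains colons, so the
# summary below must only rely on the first field.
write_sample_loginlog() {
    cat >> "$1" <<'EOF'
root:/dev/pts/3:Thu Jun 26 10:39:12 2008
jdoe:/dev/pts/4:Thu Jun 26 10:40:01 2008
root:/dev/pts/3:Thu Jun 26 10:40:30 2008
root:/dev/pts/5:Thu Jun 26 10:41:07 2008
jdoe:/dev/pts/4:Thu Jun 26 10:42:55 2008
EOF
}

# failed_logins_per_user FILE THRESHOLD: print "user count" for every login
# name with at least THRESHOLD failed attempts, highest count first. Because
# RETRIES only drops the tty line and never locks the account, a name that
# keeps reappearing here is the signal worth reviewing.
failed_logins_per_user() {
    awk -F: -v t="$2" '{n[$1]++} END {for (u in n) if (n[u] >= t) print u, n[u]}' "$1" |
        sort -k2,2nr
}

# Stand-alone demo against a scratch directory with the constructed records.
demo_dir=$(mktemp -d)
demo_log="$demo_dir/loginlog"
create_loginlog "$demo_log" "$(id -un)" "$(id -gn)"
check_loginlog "$demo_log" "$(id -un)" && echo "permissions ok: $(loginlog_mode "$demo_log")"
write_sample_loginlog "$demo_log"
failed_logins_per_user "$demo_log" 3
rm -rf "$demo_dir"
```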