Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!ames!killer!vector!rpp386!jfh
From: jfh@rpp386.Dallas.TX.US (The Beach Bum)
Newsgroups: comp.unix.wizards
Subject: Re: My guide to fascist syslogging (or how I caught the internet worm)
Message-ID: <9120@rpp386.Dallas.TX.US>
Date: 4 Dec 88 20:05:30 GMT
References: <1326@helios.ee.lbl.gov> <1988Nov30.170027.15960@utzoo.uucp> <2428@cbnews.ATT.COM>
Reply-To: jfh@rpp386.Dallas.TX.US (The Beach Bum)
Organization: Big "D" Home for Wayward Hackers
Lines: 19

In article <2428@cbnews.ATT.COM> lvc@cbnews.ATT.COM (Lawrence V. Cipriani) writes:
>In article <1988Nov30.170027.15960@utzoo.uucp> henry@utzoo.uucp (Henry Spencer) writes:
>>But be careful that your logs are secure.  It is a verifiable fact that
>>people sometimes type passwords instead of login names, due to slow response
>>or confusion or etc.
>
>Good point.  In the login logging I wrote the login name is recorded only if
>it is a legal login name, otherwise "unknown" is recorded.  This is done for
>precisely the reason you gave.

In a previous life, I added a field to lastlog.h to include the number of
failed login attempts and the tty the attempt was made on, along with the
time of the last failed attempt.  A large number of failures on dialup or
PC lines would help indicate someone was up to no good.
-- 
John F. Haugh II                        +-Cat of the Week:--------------_   /|-
VoiceNet: (214) 250-3311   Data: -6272  |Aren't you absolutely sick and \'o.O'
InterNet: jfh@rpp386.Dallas.TX.US       |tired of looking at these damn =(___)=
UucpNet : !killer!rpp386!jfh  +things in everybody's .sig?-------U---
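
An added example, not code from this post or its author, sketching the two ideas in the thread: logging "unknown" instead of an unrecognised login string, and keeping a failure count, tty and time beside the last-login record. The struct, field names, account list and threshold are all hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#define LINE_LEN 16

/* Hypothetical record, not the real lastlog.h layout. */
struct lastlog_ext {
    time_t ll_time;                 /* last successful login */
    char   ll_line[LINE_LEN];       /* tty of last successful login */
    int    ll_fail_count;           /* number of failed attempts */
    time_t ll_fail_time;            /* time of last failed attempt */
    char   ll_fail_line[LINE_LEN];  /* tty of last failed attempt */
};

/* Constructed account list standing in for a password-file lookup. */
static const char *known_accounts[] = { "root", "jfh", "uucp", NULL };

/* Log the typed string only if it names a real account; anything else
 * (possibly a password typed at the login prompt) becomes "unknown". */
const char *loggable_name(const char *typed)
{
    for (int i = 0; known_accounts[i] != NULL; i++)
        if (strcmp(typed, known_accounts[i]) == 0)
            return known_accounts[i];
    return "unknown";
}

/* Count a failed attempt and remember when and on which line it came. */
void record_failure(struct lastlog_ext *ll, const char *line, time_t now)
{
    ll->ll_fail_count++;
    ll->ll_fail_time = now;
    strncpy(ll->ll_fail_line, line, LINE_LEN - 1);
    ll->ll_fail_line[LINE_LEN - 1] = '\0';   /* always terminated */
}

/* Assumed policy: flag the account once failures reach a threshold. */
int looks_suspicious(const struct lastlog_ext *ll, int threshold)
{
    return ll->ll_fail_count >= threshold;
}

int main(void)
{
    struct lastlog_ext ll = {0};
    record_failure(&ll, "ttyd0", time(NULL));
    printf("login failed for %s on %s (%d failures)\n",
           loggable_name("s3cret-typed-early"), ll.ll_fail_line, ll.ll_fail_count);
}
```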