
[EX/QFX] Interpreting "login-attempts" for local logins in Junos OS


Article ID: KB35298 KB Last Updated: 06 Dec 2019 Version: 1.0
Summary:

This article explains what the login-attempts file in Junos OS contains and how to interpret its contents. This is useful for determining which user attempted to log in to a device and caused the account to be locked out.

Symptoms:

Incorrect and illegal login attempts are recorded in a file called login-attempts, located under the /var/db directory on devices that run Junos OS. Each time there is an incorrect or illegal login, a new entry is made in this file. An example is as follows:

{master:0}
root> file show /var/db/login-attempts           
Nov 18 16:57:22
74 111 104 110 95 68 111 101 |1

However, the entries in the file are displayed as pure numbers, so it may be difficult for users to determine the usernames from them.

Solution:

The numbers used in this file are decimal ASCII codes for printable characters. In other words, each decimal integer represents an uppercase letter, a lowercase letter, or a special character.

For example, consider that user John_Doe tried to log in to a switch at 16:57:36 on November 18, which would be indicated by the logs as follows:

Nov 18 16:57:36   sshd: SSHD_LOGIN_FAILED: Login failed for user 'John_Doe' from host 'X.X.X.X'
Nov 18 16:57:46   sshd[27808]: LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user 'John_Doe' has been locked out from logins
Nov 18 16:57:46   sshd: SSHD_LOGIN_FAILED: Login failed for user 'John_Doe' from host 'X.X.X.X'

According to the logs, user John_Doe did not enter the correct password, so the system locked the user out. A corresponding entry for this attempt is then generated in the login-attempts file, as shown below.

{master:0}
root> file show /var/db/login-attempts  
Nov 18 16:57:38
74 111 104 110 95 68 111 101 |2

In this example, the integer "74" is the ASCII code for the uppercase letter "J". Similarly, "111" represents lowercase "o", "104" lowercase "h", "110" lowercase "n", "95" the underscore character "_", "68" uppercase "D", "111" lowercase "o", and "101" lowercase "e".

The number "2" that follows "|" indicates that user "John_Doe" entered the password incorrectly twice. "John_Doe" will, therefore, be prevented from logging in to the system again if he enters his password incorrectly a third time.

Another example is a login attempt with a fake username:

Nov 18 17:09:34   sshd: SSHD_LOGIN_FAILED: Login failed for user 'dlawejnf' from host 'X.X.X.X'
Nov 18 17:09:44   sshd: SSHD_LOGIN_FAILED: Login failed for user 'dlawejnf' from host 'X.X.X.X'
Nov 18 17:09:58   sshd[32040]: LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user 'dlawejnf' has been locked out from logins

{master:0}
root> file show /var/db/login-attempts           
Nov 18 17:10:01
100 108 97 119 101 106 110 102 |3

The same interpretation rule as above also applies in this example.

ASCII     100  108  97  119  101  106  110  102
Letters   d    l    a   w    e    j    n    f

Note: Nothing will be recorded in the login-attempts file if the user inputs the correct password.

Nov 18 17:06:12   sshd[30859]: LIBJNX_LOGIN_ACCOUNT_UNLOCKED: Account for user 'John_Doe' has been unlocked for logins    <<<<<< 
{master:0}
root> file show /var/db/login-attempts    <<<<<
Nov 18 17:06:15
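The decoding rule described in this article can be automated off the device. The Python below is an added example, not Juniper code: it parses text copied from the output of file show /var/db/login-attempts and returns each username with its failure count. The function names are hypothetical, the sample input is constructed from the two entries shown above, and it assumes that any line that is not a "codes |count" entry is the timestamp line.

```python
import re

# One entry: space-separated decimal character codes, then "|" and the failure count.
ENTRY_RE = re.compile(r"^((?:\d{1,3}\s+)*\d{1,3})\s*\|\s*(\d+)$")

# Constructed sample that combines the two entries shown in the article.
SAMPLE = """\
Nov 18 17:10:01
74 111 104 110 95 68 111 101 |2
100 108 97 119 101 106 110 102 |3
"""

def decode_username(codes):
    """Turn decimal codes into text, escaping anything outside printable ASCII."""
    out = []
    for code in codes:
        if 0x20 <= code <= 0x7E:
            out.append(chr(code))
        else:
            # The username is chosen by whoever is connecting, so control or
            # non-ASCII values are shown as <n> instead of being echoed raw.
            out.append("<%d>" % code)
    return "".join(out)

def parse_login_attempts(text):
    """Return a list of dicts with keys timestamp, username and failures."""
    entries, timestamp = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            # Assumption: a non-entry line is the timestamp line that
            # precedes the entries, as in the article's output.
            timestamp = line
            continue
        codes = [int(tok) for tok in m.group(1).split()]
        entries.append({
            "timestamp": timestamp,
            "username": decode_username(codes),
            "failures": int(m.group(2)),
        })
    return entries

if __name__ == "__main__":
    for e in parse_login_attempts(SAMPLE):
        print("%(timestamp)s  %(username)-12s failures=%(failures)d" % e)
```

A file that contains only the timestamp line, as in the last output above, yields an empty list.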
