how to log logins?

[elektrozwiebel]

Is there any way to log telnet logins that come over isdn dial-in? I can see the incoming call in /var/log/messages, but the login doesn't appear. How can i do that? Or is it already logged somewhere else?

[framp]

I strongly recommend to use ssh instead of telnet! telnet is unsecure. With ssh you will get everything you're looking for

[elektrozwiebel]

I know its insecure, but its just an emergency thing if everything other fails. Our ISDN servers don't support dial-in over ssh, telnet is the only option. This is one more cause why I want to explicitly log every telnet access.

[framp]

This 'emergency thing' with no passwords changes every month is a big security hole! You should setup a VPN if you have to use telnet!

[anomie]

elektrozwiebel, if your data and/or services are valuable enough that you care about them (and would not like it if they were compromised), you do not want to be using telnet for this purpose.

I'd tell your boss / customer / whoever that some form of secure login is going to have to be implemented for exactly this reason.

Logging logins only gives you an after the fact look at what people have done (and that's if they don't manage to burn the logs). Remember: you are sending your authentication information in plain text for any disgruntled teen or criminal to grab.

[elektrozwiebel]

The server is only reachable from inside the network, so VPN is requiered anyway when logging in from outside the network. I'm also not a friend of telnet and yes, its an ugly solution. I think the whole security concept is not completely done yet.
Anyway, completely logging would not be the worst. Even if it doesn't solve the main problem.

[anomie]

Believe it or not I've never used telnet for anything other than testing services on my loopback device. (I got into the *nix game well after it was branded unsafe for network traffic and shunned.) So I'm not sure what logging facilities exist for it.

Isn't it even capturing logins under /var/log/secure?? I was under the impression all authentication was logged there (but I may be wrong).

Worst case, you could look into process accounting for Linux. That may be massive overkill, though.

And whatever server product you're using that does not support ssh logins needs to wake up and move into the 21st century.

[framp]

@anomie: Full ack

@elektrozwiebel: Even for WIN there is a ssh server available. Look for cygwin. It's for free!

[elektrozwiebel]

Its not a real server, its some network device supporting ISDN for emergency dial-ins. I didn't set this thing up and I'm not thrilled their using things like this. Anyway, the advice with /var/log/secure might work well, I'll try that. Thank you.