0

I have a Virtual Machine with CentOS 7 as OS and a database is installed on this server. there are users like dbuser for database administrators . They can login to server via ssh and has complete access to database and all of its tables and objects. There are other users that belong to developers and they have limited access to database. These users are defined with nologin:

  useradd -c 'Developer - Robert Benton' -M -s /sbin/nologin devbenton

They use applications that connects to database. A connection definition in those applications are like this:

     Database Name: TestDB
     IP: 192.123.1.1
     Port: 6500
     Username: devbenton
     Password: ********

Recently we found out that someone found a user's password with a loop by guessing and trying to login so many times. the options are to block the IP with firewall or use something like Fail2ban to block users and IPs after failed logins.

How to find out that users are doing something like that? In /var/log/secure or other log files i can't see failed login from users that use an application. I want to monitor my system but how i can do that?

Improve this question
1

1 Answer 1

Reset to default
1

/var/log/secure only tracks failed shell logins. Since you want to monitor users whose shell access is disabled (as specified by the -s /sbin/nologin argument in useradd) and that try to log in to a certain application, you will need to check the logfiles of that application. Whether this is possible, how to do that, and which files to examine depend on the application.

Note also that "failed logins from a port" doesn't mean anything. What you mean is failed network logins on an application, which is served on a specific port on the server.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.