Hello Avon,
Avon Robertson wrote on Sun, Jan 18, 2026 at 08:02:32PM +1300:
> On Sat, Jan 17, 2026 at 03:58:28PM -0700, Todd C. Miller wrote:
>> On Sun, 18 Jan 2026 11:38:06 +1300, Avon Robertson wrote:
>>> Is there a base binary that can read file /var/log/failedlogin?

I agree the file format is underdocumented:

   $ man -k Pa=failedlogin
   login(1) - log into the computer

While that manual page does mention the file:

   If the file /var/log/failedlogin exists, login will record failed login
   attempts in this file.
   [...]
   Immediately after logging a user in, login displays the system copyright
   notice, the date and time the user last logged in, the date and time of
   the last unsuccessful login (if the file /var/log/failedlogin exists),
   the message of the day as well as other information.
   [...]
   FILES
   [...]
   /var/log/failedlogin   failed login account records

That manual page fails to mention the file format, which, according to
/usr/src/usr.bin/login/failedlogin.c ,
is simply a (machine-dependent?) array of struct badlogin, indexed
by pw_uid. The struct itself is local to that source file, not
documented, and machine-dependent (at least i think that the format
of the time_t and size_t fields depends on endianness, and i feel
unsure whether struct padding might have machine-dependent effects).
>>> If not, is there a ports package that can read it?
>>> TIA for your replies.
>> That file is used by login(1) to report the last failed login but
>> there isn't a separate program that uses it. One thing to be aware
>> of is that the info gets cleared after a successful login occurs.
>>
>> I hacked up the failedlogin.c code from login(1) so that a user's
>> entry can be queried. It will only display something if the user
>> has had a bad login. Maybe this will help.
>>
>> For example:
>>
>> % sudo ./failedlogin millert
>> Last unsuccessful login: Sat Jan 17 15:57:38 on tty00
> Thank you very much Todd!
> Initially, I will use your code to check for attempted logins on my
> home router.

Isn't the normal (and simpler) way for checking that by looking for
lines similar to

   Jan 18 12:37:30 myhostname sshd[24704]: Connection closed by invalid user admin NNN.NNN.134.105 port 42854 [preauth]

in the file /var/log/authlog?
That seems also better because it shows all attempts (not just the
last one), doesn't get cleared on successful login, and also shows
attempts with invalid user names.
Or are you worried about bad guys physically breaking into your home
and attempting to login to the router at the physical console, as
opposed to via SSH over the network?
I think that would show up in the file /var/log/secure like this:

   Jan 18 00:16:25 isnote login: 1 LOGIN FAILURE ON ttyC2, schwarze

I would not be opposed to better documenting failedlogin(5) - but given
that it's a somewhat niche feature and IIUC more powerful features
exist for the same purpose that are not more complicated, i'm not sure
how important documenting it is.
Of course, we could also add Todd's tool for reading the file to our
userland or to ports - or even better, a version that iterates on pw_uid
and lists the latest failed login attempt of all accounts that had any
failed attempt at all. But again, how important is having such a tool,
really?
Yours,
Ingo
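
Added example, not part of the original message and not OpenBSD code: a shell/awk summary of failed logins per source and user, covering only the two log line formats quoted above. The function names, the host name "gw", the users and the documentation-range addresses in the sample are assumptions made up for this illustration.

```shell
#!/bin/sh
# Constructed sample in the two log formats quoted in the mail; hosts, users
# and the documentation-range addresses are made up for this example.
sample_log() {
cat <<'EOF'
Jan 18 12:37:30 gw sshd[24704]: Connection closed by invalid user admin 192.0.2.10 port 42854 [preauth]
Jan 18 12:37:41 gw sshd[24710]: Connection closed by invalid user admin 192.0.2.10 port 42901 [preauth]
Jan 18 12:38:02 gw sshd[24716]: Connection closed by invalid user a port b 203.0.113.7 port 51000 [preauth]
Jan 18 12:39:15 gw sshd[24730]: Accepted publickey for avon from 198.51.100.4 port 50022 ssh2
Jan 18 00:16:25 gw login: 1 LOGIN FAILURE ON ttyC2, avon
EOF
}

# Reads syslog text on stdin; prints "RECORDS<TAB>SOURCE<TAB>USER", busiest first.
failed_login_summary() {
    awk '
    $5 ~ /^sshd\[/ && /Connection closed by invalid user / {
        # The user name is chosen by the remote side and may contain spaces
        # or the word "port", so anchor on the LAST "port" field.
        u = 0; p = 0
        for (i = 6; i <= NF; i++) {
            if (!u && $i == "user") u = i
            if ($i == "port") p = i
        }
        if (!u || p < u + 2) next          # malformed line, skip it
        name = ""
        for (i = u + 1; i <= p - 2; i++) name = name (name == "" ? "" : " ") $i
        if (name == "") name = "(empty)"
        seen[$(p - 1) "\t" name]++         # key: source address, user name
        next
    }
    # Console failures logged by login(1): "N LOGIN FAILURE ON tty, user"
    $5 == "login:" && $7 == "LOGIN" && $8 ~ /^FAILURES?$/ && $9 == "ON" {
        tty = $10; sub(/,$/, "", tty)
        seen[tty "\t" $11]++               # key: tty, user name
    }
    END { for (k in seen) printf "%d\t%s\n", seen[k], k }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2
}

sample_log | failed_login_summary
```

On a real system, feed the function /var/log/authlog and /var/log/secure instead of the sample. It counts log records, not the per-session failure number that login prints at the start of its message.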