On Sun, Jan 18, 2026 at 02:14:03PM +0100, Ingo Schwarze wrote:
> Hello Avon,
>
> Avon Robertson wrote on Sun, Jan 18, 2026 at 08:02:32PM +1300:
> > On Sat, Jan 17, 2026 at 03:58:28PM -0700, Todd C. Miller wrote:
> >> On Sun, 18 Jan 2026 11:38:06 +1300, Avon Robertson wrote:
>
> >>> Is there a base binary that can read file /var/log/failedlogin?
>
> I agree the file format is underdocumented:
>
>    $ man -k Pa=failedlogin
>    login(1) - log into the computer
>
> While that manual page does mention the file:
>
>    If the file /var/log/failedlogin exists, login will record failed login
>    attempts in this file.
>    [...]
>    Immediately after logging a user in, login displays the system copyright
>    notice, the date and time the user last logged in, the date and time of
>    the last unsuccessful login (if the file /var/log/failedlogin exists),
>    the message of the day as well as other information.
>    [...]
>    FILES
>    [...]
>    /var/log/failedlogin    failed login account records
>
> That manual page fails to mention the file format, which, according to
> /usr/src/usr.bin/login/failedlogin.c ,
> is simply a (machine-dependent?) array of struct badlogin, indexed
> by pw_uid. The struct itself is local to that source file, not
> documented, and machine-dependent (at least i think that the format
> of the time_t and size_t fields depends on endianness, and i feel
> unsure whether struct padding involve have machine-dependent effects).
>
> >>> If not, is there a ports package that can read it?
> >>> TIA for your replies.
>
> >> That file is used by login(1) to report the last failed login but
> >> there isn't a separate program that uses it. One thing to be aware
> >> of is that the info gets cleared after a successful login occurs.
> >>
> >> I hacked up the failedlogin.c code from login(1) so that a user's
> >> entry can be queried. It will only display something if the user
> >> has had a bad login. Maybe this will help.
> >>
> >> For example:
> >>
> >> % sudo ./failedlogin millert
> >> Last unsuccessful login: Sat Jan 17 15:57:38 on tty00
>
> > Thank you very much Todd!
> > Initially, I will use your code to check for attempted logins on my
> > home router.
>
> Isn't the normal (and simpler) way for checking that by looking for
> lines similar to
>
>    Jan 18 12:37:30 myhostname sshd[24704]: Connection closed
>    by invalid user admin NNN.NNN.134.105 port 42854 [preauth]
>
> in the file /var/log/authlog ?
>
> That seems also better because it shows all attempts (not just the
> last one), doesn't get cleared on successful login, and also shows
> attempts with invalid user names.
>
> Or are you worried about bad guys physically breaking into your home
> and attempting to login to the router at the physical console, as
> opposed to via SSH over the network?
>
> I think that would show up in the file /var/log/secure like this:
>
>    Jan 18 00:16:25 isnote login: 1 LOGIN FAILURE ON ttyC2, schwarze
>
> I would not be opposed to better documenting failedlogin(5) - but given
> that it's a somewhat niche feature and IIUC more powerful features
> exist for the same purpose that are not more complicated, i'm not sure
> how important documenting it is.
>
> Of course, we could also add Todd's tool for reading the file to our
> userland or to ports - or even better, a version that iterates on pw_uid
> and lists the latest failed login attempt of all accounts that had any
> failed attempt at all. But again, how important is having such a tool,
> really?
>
> Yours,
>   Ingo

Thank you very much Ingo, for the relevant and interesting information
you have provided. I now need to consider how to manage,
_simply_and_well_, the overall security of my home router during a
regular security audit.

--
aer
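
Added example, not part of the thread and not code from any of its participants: a shell function that tallies the two log-line formats quoted above (sshd in /var/log/authlog, login in /var/log/secure) per source and user name. The function names, sample lines and addresses are constructed, and treating the leading number of the login line as a failure count is an assumption.

```shell
#!/bin/sh
# Added example: count failed logins per source and user from
# syslog-format lines on stdin. Output: count<TAB>source<TAB>user.
summarize_failures() {
    awk '
    # sshd, nonexistent account (authlog format quoted in the thread):
    #   ... sshd[PID]: Connection closed by invalid user NAME ADDR port N [preauth]
    $5 ~ /^sshd\[/ && $NF == "[preauth]" && $(NF - 2) == "port" &&
    (p = index($0, ": Connection closed by invalid user ")) {
        # NAME is chosen by the remote side and may contain spaces, so take
        # ADDR from the end of the line and treat what precedes it as NAME.
        addr = $(NF - 3)
        rest = substr($0, p + length(": Connection closed by invalid user "))
        tail = addr " port " $(NF - 1) " [preauth]"
        user = substr(rest, 1, length(rest) - length(tail) - 1)
        seen["ssh:" addr "\t" user]++
        next
    }
    # login(1) on a local terminal (/var/log/secure format quoted in the thread):
    #   ... login: N LOGIN FAILURE ON TTY, NAME
    # Assumption: the leading N is the number of failures being reported.
    $5 == "login:" && $6 ~ /^[0-9]+$/ && $7 == "LOGIN" && $9 == "ON" {
        tty = $10
        sub(/,$/, "", tty)
        user = substr($0, index($0, ", ") + 2)
        seen["tty:" tty "\t" user] += $6
    }
    END { for (k in seen) printf "%d\t%s\n", seen[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample lines; addresses are from documentation ranges.
sample_log() {
    cat <<'EOF'
Jan 18 12:37:30 myhostname sshd[24704]: Connection closed by invalid user admin 192.0.2.105 port 42854 [preauth]
Jan 18 12:37:41 myhostname sshd[24711]: Connection closed by invalid user admin 192.0.2.105 port 42901 [preauth]
Jan 18 12:40:02 myhostname sshd[24800]: Connection closed by invalid user test user 203.0.113.7 port 50022 [preauth]
Jan 18 12:41:10 myhostname sshd[24811]: Accepted publickey for alice from 198.51.100.4 port 51000 ssh2
Jan 18 00:16:25 isnote login: 1 LOGIN FAILURE ON ttyC2, schwarze
EOF
}

sample_log | summarize_failures
```

On a live system the function would be fed the log files themselves, for example `cat /var/log/authlog /var/log/secure | summarize_failures` run with sufficient privileges to read them.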

