Re: Intrusion attempts

From: Peter Weaver (WeaverConsultingServices_at_sympatico.ca)
Date: 02/04/05


Date: Fri, 4 Feb 2005 13:33:32 -0500

Syltrem wrote:
>...
> After 4 failed login attempts with 3 different usernames, and one ^Z
> (no username entered):
>
> In accounting I do not see the usernames used, and only one record
> with this message:
> %LOGIN-F-NOSUCHUSER, no such user
> There is another entry with this message (triggered by the ^Z):
> %LOGIN-F-CMDINPUT, error reading command input
>
> OTOH, the audit does not show anything for some reason
> I have the auditing enabled for loginfailures:
> System security audits currently enabled for:
> Logfailure:
> batch,dialup,local,remote,network,subprocess,detached,server
> but $ anal/aud/ev=breakin sys$manager:SECURITY.AUDIT$JOURNAL/sin
> returns nothing.
> ...

Take a look at your SYSGEN LGI parameters,

SYSGEN> SHOW /LGI

and see how many retries are permitted before the attempt is considered
a breakin. I would guess that you are not yet hitting the breakin limit
so ANA/AUD/EV=LOGFAIL is what you need rather than /EV=BREAKIN.

On the system I just tried (VAX/VMS 7.1) LGI_BRK_LIM is 5, so my 6th try
showed up in the audit record as a breakin attempt with both the
username and password showing. I do not have Auditing turned on for
local login failures, but if I did the 1st to 5th attempts should have
shown up with no password.

-- 
Peter Weaver
Weaver Consulting Services Inc.
Canadian VAR for CHARON-VAX
www.weaverconsulting.ca

