It would be against VMS policy to display the targeted username. Set host,
LAT, telnet, etc do not record the targeted username





SYS4$
%%%%%%%%%%% OPCOM 21-APR-2005 08:41:04.83 %%%%%%%%%%%
Message from user AUDIT$SERVER on SYS4
Security alarm (SECURITY) and security audit (SECURITY) on SYS4, system id:
10242
Auditable event: Local interactive login failure
Event time: 21-APR-2005 08:41:04.83
PID: 2B80031A
Process name: _NTY6:
Username:
Terminal name: NTY6:, _NTY6:, sys6.mehlhop.org/3995
Remote nodename: TELNET
Remote username: C0A801CE:0F9B
Status: %LOGIN-F-NOSUCHUSER, no such user



At 06:56 AM 4/21/2005, you wrote:
>Jeremy -
>
>Please call Tech Support and have them log an enhancement DE for this. I'll
>change the code that the suspect name is logged along with the GETUAI error.
>
>At 10:02 PM 4/20/2005, Jeremy Begg wrote:
>>Hi,
>>
>>Process Software MultiNet V4.4 Rev A-X, COMPAQ AlphaServer DS20E 666 MHz,
>>OpenVMS AXP V7.3-1
>>(Shortly to be upgraded to V5.0 on VMS 7.3-2)
>>
>>We'd like to gather more information on SSH-based attacks on this system.
>>
>>We've found a new MULTINET_ROOT:[MULTINET.SSH]SSHD.LOG file gets created for
>>each incoming connection and tends to contain entries like this:
>>
>> SSHD 0181[00026B86]: WARNING: DNS lookup failed for "67.19.157.18".
>> getpwnam: getuai failed: 182b2
>> getpwnam: getuai failed: 182b2
>>
>>I'm assuming the 'getpwnam' errors are indicating that the supplied username
>>does not exist in the SYSUAF (182B2 = %RMS-E-RNF). Is there some way of
>>getting the username into this log file?
>>
>>What other logging have people found helpful?
>>
>>Thanks,
>>
>> Jeremy Begg
>>
>> +---------------------------------------------------------+
>> | VSM Software Services Pty. Ltd. |
>> | http://www.vsm.com.au/ |
>> | "OpenVMS Systems Management & Programming" |
>> |---------------------------------------------------------|
>> | P.O.Box 402, Walkerville, | E-Mail: jeremy@vsm.com.au |
>> | South Australia 5081 | Phone: +61 8 8221 5188 |
>> |---------------------------| Mobile: 0414 422 947 |
>> | A.C.N. 068 409 156 | FAX: +61 8 8221 7199 |
>> +---------------------------------------------------------+

>
>------
>+-------------------------------+----------------------------------------+
>| Dan O'Reilly | "There are 10 types of people in this |
>| Principal Engineer | world: those who understand binary |
>| Process Software | and those who don't." |
>| http://www.process.com | |
>+-------------------------------+----------------------------------------+
>


Jim Mehlhop


Join Cauce to outlaw spam
http://www.cauce.org/