only if the username doesn't exist on the system...

> Security alarm (SECURITY) and security audit (SECURITY) on ICEMAN,
> system id: 10
> Auditable event: Local interactive login failure
> Event time: 21-APR-2005 10:16:55.50
> PID: 2262BE91
> Process name: _VTA63:
> Username: KENTEST
> Terminal name: VTA63:, _NTY63:, cougar.uni.edu
> Remote nodename: TELNET
> Remote username: 86A10128:076A
> Status: %LOGIN-F-INVPWD, invalid password


was recorded with a login attempt to "kentest"

- ken


Jim Mehlhop wrote:

> It would be against VMS policy to display the targeted username. Set
> host, LAT, telnet, etc do not record the targeted username
>
> SYS4$
> %%%%%%%%%%% OPCOM 21-APR-2005 08:41:04.83 %%%%%%%%%%%
> Message from user AUDIT$SERVER on SYS4
> Security alarm (SECURITY) and security audit (SECURITY) on SYS4,
> system id: 10242
> Auditable event: Local interactive login failure
> Event time: 21-APR-2005 08:41:04.83
> PID: 2B80031A
> Process name: _NTY6:
> Username:
> Terminal name: NTY6:, _NTY6:, sys6.mehlhop.org/3995
> Remote nodename: TELNET
> Remote username: C0A801CE:0F9B
> Status: %LOGIN-F-NOSUCHUSER, no such user
>
> At 06:56 AM 4/21/2005, you wrote:
>
>> Jeremy -
>>
>> Please call Tech Support and have them log an enhancement DE for this.
>> I'll change the code that the suspect name is logged along with the
>> GETUAI error.
>>
>> At 10:02 PM 4/20/2005, Jeremy Begg wrote:
>>
>>> Hi,
>>>
>>> Process Software MultiNet V4.4 Rev A-X, COMPAQ AlphaServer DS20E 666 MHz,
>>> OpenVMS AXP V7.3-1
>>> (Shortly to be upgraded to V5.0 on VMS 7.3-2)
>>>
>>> We'd like to gather more information on SSH-based attacks on this system.
>>>
>>> We've found a new MULTINET_ROOT:[MULTINET.SSH]SSHD.LOG file gets created
>>> for each incoming connection and tends to contain entries like this:
>>>
>>> SSHD 0181[00026B86]: WARNING: DNS lookup failed for "67.19.157.18".
>>> getpwnam: getuai failed: 182b2
>>> getpwnam: getuai failed: 182b2
>>>
>>> I'm assuming the 'getpwnam' errors are indicating that the supplied
>>> username does not exist in the SYSUAF (182B2 = %RMS-E-RNF). Is there
>>> some way of getting the username into this log file?
>>>
>>> What other logging have people found helpful?
>>>
>>> Thanks,
>>>
>>> Jeremy Begg
>>>
>>> +---------------------------------------------------------+
>>> | VSM Software Services Pty. Ltd. |
>>> | http://www.vsm.com.au/ |
>>> | "OpenVMS Systems Management & Programming" |
>>> |---------------------------------------------------------|
>>> | P.O.Box 402, Walkerville, | E-Mail: jeremy@vsm.com.au |
>>> | South Australia 5081 | Phone: +61 8 8221 5188 |
>>> |---------------------------| Mobile: 0414 422 947 |
>>> | A.C.N. 068 409 156 | FAX: +61 8 8221 7199 |
>>> +---------------------------------------------------------+

>>
>> ------
>> +-------------------------------+----------------------------------------+
>> | Dan O'Reilly                  | "There are 10 types of people in this  |
>> | Principal Engineer            |  world: those who understand binary    |
>> | Process Software              |  and those who don't."                 |
>> | http://www.process.com        |                                        |
>> +-------------------------------+----------------------------------------+
>>

>
> Jim Mehlhop
>
>
> Join Cauce to outlaw spam
> http://www.cauce.org/
>


--
- Ken
=================================================================
Ken Connelly Systems and Operations Manager, ITS Network Services
University of Northern Iowa Cedar Falls, IA 50614-0121
email: Ken.Connelly@uni.edu
phone: (319) 273-5850 fax: (319) 273-7373

It's much more important to know what you don't know than what you do know!