The username is displayed in the security alarm only after the user has
been determined to be an intruder (e.g. after exceeding the number of
failed logins by sysgen parameter LGI_BRK_LIM.)
Carleen

>>> Ken.Connelly@uni.edu 4/21/2005 9:22:35 AM >>>

only if the username doesn't exist on the system...

> Security alarm (SECURITY) and security audit (SECURITY) on ICEMAN,
> system id: 10
> Auditable event: Local interactive login failure
> Event time: 21-APR-2005 10:16:55.50
> PID: 2262BE91
> Process name: _VTA63:
> Username: KENTEST
> Terminal name: VTA63:, _NTY63:, cougar.uni.edu
> Remote nodename: TELNET
> Remote username: 86A10128:076A
> Status: %LOGIN-F-INVPWD, invalid password


was recorded with a login attempt to "kentest"

- ken


Jim Mehlhop wrote:

> It would be against VMS policy to display the targeted username. Set
> host, LAT, telnet, etc do not record the targeted username
>
> SYS4$
> %%%%%%%%%%% OPCOM 21-APR-2005 08:41:04.83 %%%%%%%%%%%
> Message from user AUDIT$SERVER on SYS4
> Security alarm (SECURITY) and security audit (SECURITY) on SYS4,
> system id: 10242
> Auditable event: Local interactive login failure
> Event time: 21-APR-2005 08:41:04.83
> PID: 2B80031A
> Process name: _NTY6:
> Username:
> Terminal name: NTY6:, _NTY6:, sys6.mehlhop.org/3995
> Remote nodename: TELNET
> Remote username: C0A801CE:0F9B
> Status: %LOGIN-F-NOSUCHUSER, no such user
>
>
>
> At 06:56 AM 4/21/2005, you wrote:
>
>> Jeremy -
>>
>> Please call Tech Support and have them log an enhancement DE for
>> this. I'll change the code that the suspect name is logged along
>> with the GETUAI error.
>>
>> At 10:02 PM 4/20/2005, Jeremy Begg wrote:
>>
>>> Hi,
>>>
>>> Process Software MultiNet V4.4 Rev A-X, COMPAQ AlphaServer DS20E
>>> 666 MHz, OpenVMS AXP V7.3-1
>>> (Shortly to be upgraded to V5.0 on VMS 7.3-2)
>>>
>>> We'd like to gather more information on SSH-based attacks on this
>>> system.
>>>
>>> We've found a new MULTINET_ROOT:[MULTINET.SSH]SSHD.LOG file gets
>>> created for each incoming connection and tends to contain entries
>>> like this:
>>>
>>> SSHD 0181[00026B86]: WARNING: DNS lookup failed for "67.19.157.18".
>>> getpwnam: getuai failed: 182b2
>>> getpwnam: getuai failed: 182b2
>>>
>>> I'm assuming the 'getpwnam' errors are indicating that the supplied
>>> username does not exist in the SYSUAF (182B2 = %RMS-E-RNF). Is there
>>> some way of getting the username into this log file?
>>>
>>> What other logging have people found helpful?
>>>
>>> Thanks,
>>>
>>> Jeremy Begg
>>>
>>> +---------------------------------------------------------+
>>> | VSM Software Services Pty. Ltd. |
>>> | http://www.vsm.com.au/ |
>>> | "OpenVMS Systems Management & Programming" |
>>> |---------------------------------------------------------|
>>> | P.O.Box 402, Walkerville, | E-Mail: jeremy@vsm.com.au |
>>> | South Australia 5081 | Phone: +61 8 8221 5188 |
>>> |---------------------------| Mobile: 0414 422 947 |
>>> | A.C.N. 068 409 156 | FAX: +61 8 8221 7199 |
>>> +---------------------------------------------------------+

>>
>> ------
>> +-------------------------------+----------------------------------------+
>> | Dan O'Reilly                  | "There are 10 types of people in this  |
>> | Principal Engineer            |  world: those who understand binary    |
>> | Process Software              |  and those who don't."                 |
>> | http://www.process.com        |                                        |
>> +-------------------------------+----------------------------------------+
>>

>
> Jim Mehlhop
>
>
> Join Cauce to outlaw spam
> http://www.cauce.org/
>


--
- Ken
=================================================================
Ken Connelly Systems and Operations Manager, ITS Network Services
University of Northern Iowa Cedar Falls, IA 50614-0121
email: Ken.Connelly@uni.edu
phone: (319) 273-5850 fax: (319) 273-7373

It's much more important to know what you don't know than what you do
know!
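
Added example, not part of the original thread: a small parser for the security alarm records quoted above that reports, per login failure, the source, the status code and whether a username was recorded. The function names are hypothetical, and the decoding of "Remote username" as hexadecimal IPv4 address and port is an assumption inferred from the second record, where 0F9B equals the 3995 shown in its terminal name.

```python
import re
from ipaddress import IPv4Address

# Fields copied from the two alarm records quoted in this thread.
ALARMS = """\
Auditable event: Local interactive login failure
Event time: 21-APR-2005 10:16:55.50
Username: KENTEST
Terminal name: VTA63:, _NTY63:, cougar.uni.edu
Remote username: 86A10128:076A
Status: %LOGIN-F-INVPWD, invalid password

Auditable event: Local interactive login failure
Event time: 21-APR-2005 08:41:04.83
Username:
Terminal name: NTY6:, _NTY6:, sys6.mehlhop.org/3995
Remote username: C0A801CE:0F9B
Status: %LOGIN-F-NOSUCHUSER, no such user
"""

# Optional mail-quote markers, a field label, a colon, then an optional value.
FIELD = re.compile(r"^>*\s*([A-Za-z ]+?):(?:\s+(.*))?$")

def parse_alarms(text):
    """Split on blank lines; return one {field: value} dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD.match(line.strip())
            if m:
                rec[m.group(1).strip()] = (m.group(2) or "").strip()
        if rec:
            records.append(rec)
    return records

def decode_remote(value):
    """Assumed format: 8 hex digits of IPv4 address, ':', 4 hex digits of port."""
    m = re.fullmatch(r"([0-9A-Fa-f]{8}):([0-9A-Fa-f]{4})", value)
    return (str(IPv4Address(int(m.group(1), 16))), int(m.group(2), 16)) if m else None

def summarize(rec):
    """Source (ip, port), VMS condition code, and the username if one was logged."""
    code = rec.get("Status", "").split(",")[0]
    return decode_remote(rec.get("Remote username", "")), code, rec.get("Username") or None

if __name__ == "__main__":
    for r in parse_alarms(ALARMS):
        print(summarize(r))
```

A record whose username comes back as None still carries the source address, so failures can be grouped by source even when the attempted name was not recorded.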