Yes but the situation with RNF would indicate it was a nonexistent username

At 09:22 AM 4/21/2005, you wrote:
>only if the username doesn't exist on the system...
>
>>Security alarm (SECURITY) and security audit (SECURITY) on ICEMAN, system
>>id: 10
>>Auditable event: Local interactive login failure
>>Event time: 21-APR-2005 10:16:55.50
>>PID: 2262BE91
>>Process name: _VTA63:
>>Username: KENTEST
>>Terminal name: VTA63:, _NTY63:, cougar.uni.edu
>>Remote nodename: TELNET
>>Remote username: 86A10128:076A
>>Status: %LOGIN-F-INVPWD, invalid password

>
>was recorded with a login attempt to "kentest"
>
>- ken
>
>
>Jim Mehlhop wrote:
>
>>It would be against VMS policy to display the targeted username. Set
>>host, LAT, telnet, etc do not record the targeted username
>>
>>
>>
>>
>>
>>SYS4$
>>%%%%%%%%%%% OPCOM 21-APR-2005 08:41:04.83 %%%%%%%%%%%
>>Message from user AUDIT$SERVER on SYS4
>>Security alarm (SECURITY) and security audit (SECURITY) on SYS4, system
>>id: 10242
>>Auditable event: Local interactive login failure
>>Event time: 21-APR-2005 08:41:04.83
>>PID: 2B80031A
>>Process name: _NTY6:
>>Username:
>>Terminal name: NTY6:, _NTY6:, sys6.mehlhop.org/3995
>>Remote nodename: TELNET
>>Remote username: C0A801CE:0F9B
>>Status: %LOGIN-F-NOSUCHUSER, no such user
>>
>>
>>
>>At 06:56 AM 4/21/2005, you wrote:
>>
>>>Jeremy -
>>>
>>>Please call Tech Support and have them log an enhancement DE for this. I'll
>>>change the code that the suspect name is logged along with the GETUAI error.
>>>
>>>At 10:02 PM 4/20/2005, Jeremy Begg wrote:
>>>
>>>>Hi,
>>>>
>>>>Process Software MultiNet V4.4 Rev A-X, COMPAQ AlphaServer DS20E 666 MHz,
>>>>OpenVMS AXP V7.3-1
>>>>(Shortly to be upgraded to V5.0 on VMS 7.3-2)
>>>>
>>>>We'd like to gather more information on SSH-based attacks on this system.
>>>>
>>>>We've found a new MULTINET_ROOT:[MULTINET.SSH]SSHD.LOG file gets
>>>>created for
>>>>each incoming connection and tends to contain entries like this:
>>>>
>>>> SSHD 0181[00026B86]: WARNING: DNS lookup failed for "67.19.157.18".
>>>> getpwnam: getuai failed: 182b2
>>>> getpwnam: getuai failed: 182b2
>>>>
>>>>I'm assuming the 'getpwnam' errors are indicating that the supplied
>>>>username
>>>>does not exist in the SYSUAF (182B2 = %RMS-E-RNF). Is there some way of
>>>>getting the username into this log file?
>>>>
>>>>What other logging have people found helpful?
>>>>
>>>>Thanks,
>>>>
>>>> Jeremy Begg
>>>>
>>>> +---------------------------------------------------------+
>>>> | VSM Software Services Pty. Ltd. |
>>>> | http://www.vsm.com.au/ |
>>>> | "OpenVMS Systems Management & Programming" |
>>>> |---------------------------------------------------------|
>>>> | P.O.Box 402, Walkerville, | E-Mail: jeremy@vsm.com.au |
>>>> | South Australia 5081 | Phone: +61 8 8221 5188 |
>>>> |---------------------------| Mobile: 0414 422 947 |
>>>> | A.C.N. 068 409 156 | FAX: +61 8 8221 7199 |
>>>> +---------------------------------------------------------+
>>>
>>>
>>>------
>>>+-------------------------------+----------------------------------------+
>>>| Dan O'Reilly | "There are 10 types of people in this |
>>>| Principal Engineer | world: those who understand binary |
>>>| Process Software | and those who don't." |
>>>| http://www.process.com
>>>| |
>>>+-------------------------------+----------------------------------------+

>>
>>Jim Mehlhop
>>
>>
>>Join Cauce to outlaw spam
>>http://www.cauce.org/

>
>--
>- Ken
>================================================== ===============
>Ken Connelly Systems and Operations Manager, ITS Network Services
>University of Northern Iowa Cedar Falls, IA 50614-0121
>email: Ken.Connelly@uni.edu
>phone: (319) 273-5850 fax: (319) 273-7373
>
>It's much more important to know what you don't know than what you do know!
>


Jim Mehlhop


Join Cauce to outlaw spam
http://www.cauce.org/