No, that is not correct. This was a simple login failure. SH INTR
would have revealed "suspect" as the type and "1" as the count.

Carleen Nutter wrote:

>The username is displayed in the security alarm only after the user has
>been determined to be an intruder (e.g. after exceeding the number of
>failed logins by sysgen parameter LGI_BRK_LIM.)
>Carleen
>
>>>> Ken.Connelly@uni.edu 4/21/2005 9:22:35 AM >>>
>
>only if the username doesn't exist on the system...
>
>>Security alarm (SECURITY) and security audit (SECURITY) on ICEMAN,
>>system id: 10
>>Auditable event: Local interactive login failure
>>Event time: 21-APR-2005 10:16:55.50
>>PID: 2262BE91
>>Process name: _VTA63:
>>Username: KENTEST
>>Terminal name: VTA63:, _NTY63:, cougar.uni.edu
>>Remote nodename: TELNET
>>Remote username: 86A10128:076A
>>Status: %LOGIN-F-INVPWD, invalid password
>>
>was recorded with a login attempt to "kentest"
>
>- ken
>
>Jim Mehlhop wrote:
>
>>It would be against VMS policy to display the targeted username. Set host,
>>LAT, telnet, etc do not record the targeted username
>>
>>SYS4$
>>%%%%%%%%%%% OPCOM 21-APR-2005 08:41:04.83 %%%%%%%%%%%
>>Message from user AUDIT$SERVER on SYS4
>>Security alarm (SECURITY) and security audit (SECURITY) on SYS4,
>>system id: 10242
>>Auditable event: Local interactive login failure
>>Event time: 21-APR-2005 08:41:04.83
>>PID: 2B80031A
>>Process name: _NTY6:
>>Username:
>>Terminal name: NTY6:, _NTY6:, sys6.mehlhop.org/3995
>>Remote nodename: TELNET
>>Remote username: C0A801CE:0F9B
>>Status: %LOGIN-F-NOSUCHUSER, no such user
>>
>>At 06:56 AM 4/21/2005, you wrote:
>>
>>>Jeremy -
>>>
>>>Please call Tech Support and have them log an enhancement DE for this.
>>>I'll change the code that the suspect name is logged along with the
>>>GETUAI error.
>>>
>>>At 10:02 PM 4/20/2005, Jeremy Begg wrote:
>>>
>>>>Hi,
>>>>
>>>>Process Software MultiNet V4.4 Rev A-X, COMPAQ AlphaServer DS20E 666 MHz,
>>>>OpenVMS AXP V7.3-1
>>>>(Shortly to be upgraded to V5.0 on VMS 7.3-2)
>>>>
>>>>We'd like to gather more information on SSH-based attacks on this
>>>>system.
>>>>
>>>>We've found a new MULTINET_ROOT:[MULTINET.SSH]SSHD.LOG file gets created
>>>>for each incoming connection and tends to contain entries like this:
>>>>
>>>> SSHD 0181[00026B86]: WARNING: DNS lookup failed for "67.19.157.18".
>>>> getpwnam: getuai failed: 182b2
>>>> getpwnam: getuai failed: 182b2
>>>>
>>>>I'm assuming the 'getpwnam' errors are indicating that the supplied
>>>>username does not exist in the SYSUAF (182B2 = %RMS-E-RNF). Is there
>>>>some way of getting the username into this log file?
>>>>
>>>>What other logging have people found helpful?
>>>>
>>>>Thanks,
>>>>
>>>> Jeremy Begg
>>>>
>>>> +---------------------------------------------------------+
>>>> | VSM Software Services Pty. Ltd. |
>>>> | http://www.vsm.com.au/ |
>>>> | "OpenVMS Systems Management & Programming" |
>>>> |---------------------------------------------------------|
>>>> | P.O.Box 402, Walkerville, | E-Mail: jeremy@vsm.com.au |
>>>> | South Australia 5081 | Phone: +61 8 8221 5188 |
>>>> |---------------------------| Mobile: 0414 422 947 |
>>>> | A.C.N. 068 409 156 | FAX: +61 8 8221 7199 |
>>>> +---------------------------------------------------------+
>>>>
>>>------
>>>+-------------------------------+----------------------------------------+
>>>| Dan O'Reilly                  | "There are 10 types of people in this  |
>>>| Principal Engineer            |  world: those who understand binary    |
>>>| Process Software              |  and those who don't."                 |
>>>| http://www.process.com        |                                        |
>>>+-------------------------------+----------------------------------------+
>>
>>Jim Mehlhop
>>
>>Join Cauce to outlaw spam
>>http://www.cauce.org/
>>

--
- Ken
=================================================================
Ken Connelly Systems and Operations Manager, ITS Network Services
University of Northern Iowa Cedar Falls, IA 50614-0121
email: Ken.Connelly@uni.edu
phone: (319) 273-5850 fax: (319) 273-7373

It's much more important to know what you don't know than what you do know!
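
Added example, not part of the original message: a Python parser that pulls login-failure records out of OPCOM security alarm text like the two alarms quoted above and shows which of them carry a username. Reading the `Remote username` field as a hex IPv4 address and hex port is an assumption, consistent with `0F9B` = 3995 in the second alarm's terminal name; the function names are illustrative.

```python
import ipaddress
import re

# Abridged copies of the two alarms quoted in the thread (quote markers removed).
SAMPLE = """\
Security alarm (SECURITY) and security audit (SECURITY) on ICEMAN,
Auditable event: Local interactive login failure
Event time: 21-APR-2005 10:16:55.50
Username: KENTEST
Terminal name: VTA63:, _NTY63:, cougar.uni.edu
Remote username: 86A10128:076A
Status: %LOGIN-F-INVPWD, invalid password
%%%%%%%%%%% OPCOM 21-APR-2005 08:41:04.83 %%%%%%%%%%%
Security alarm (SECURITY) and security audit (SECURITY) on SYS4,
Auditable event: Local interactive login failure
Event time: 21-APR-2005 08:41:04.83
Username:
Terminal name: NTY6:, _NTY6:, sys6.mehlhop.org/3995
Remote username: C0A801CE:0F9B
Status: %LOGIN-F-NOSUCHUSER, no such user
"""

FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")

def parse_alarms(text):
    """Return one dict of fields per 'Security alarm' record."""
    records = []
    for line in text.splitlines():
        if line.startswith("Security alarm"):
            records.append({})
        elif records and (m := FIELD.match(line.strip())):
            records[-1][m.group(1)] = m.group(2).strip()
    return records

def decode_remote(value):
    """Assumed layout (not documented on the page): hex IPv4 ':' hex port."""
    addr, _, port = value.partition(":")
    return str(ipaddress.IPv4Address(int(addr, 16))), int(port, 16)

def login_failures(text):
    """(time, username or None, source IP, source port, status code) per failure."""
    rows = []
    for r in parse_alarms(text):
        if "login failure" in r.get("Auditable event", ""):
            ip, port = decode_remote(r["Remote username"])
            code = r["Status"].split(",")[0]
            rows.append((r["Event time"], r["Username"] or None, ip, port, code))
    return rows

print(*login_failures(SAMPLE), sep="\n")
```

In this sample the INVPWD record carries the username while the NOSUCHUSER record does not, so for the second kind the decoded source address is the only field left to correlate on.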