Not true according to my testing


There was no attempt to log in to system at this time
SYS4$ sho intr
Intrusion  Type     Count  Expiration               Source
---------  ----     -----  ----------               ------
NETWORK    SUSPECT  1      21-APR-2005 09:43:49.73  TELNET::C0A801CE:0FB4
NETWORK    SUSPECT  1      21-APR-2005 09:44:26.34  TELNET::C0A801CE:0FB5


Then I tried system and DID get an alarm with the username recorded.

SYS4$
%%%%%%%%%%% OPCOM 21-APR-2005 09:40:14.26 %%%%%%%%%%%
Message from user AUDIT$SERVER on SYS4
Security alarm (SECURITY) and security audit (SECURITY) on SYS4, system id: 10242
Auditable event: Local interactive login failure
Event time: 21-APR-2005 09:40:14.26
PID: 2B800325
Process name: _NTY9:
Username: SYSTEM
Terminal name: NTY9:, _NTY9:, sys6.mehlhop.org/4022
Remote nodename: TELNET
Remote username: C0A801CE:0FB6
Status: %LOGIN-F-INVPWD, invalid password


At 09:29 AM 4/21/2005, you wrote:
>The username is displayed in the security alarm only after the user has
>been determined to be an intruder (e.g.
>after exceeding the number of failed logins by sysgen parameter
>LGI_BRK_LIM.)
>Carleen
>
> >>> Ken.Connelly@uni.edu 4/21/2005 9:22:35 AM >>>

>only if the username doesn't exist on the system...
>
> > Security alarm (SECURITY) and security audit (SECURITY) on ICEMAN,
> > system id: 10
> > Auditable event: Local interactive login failure
> > Event time: 21-APR-2005 10:16:55.50
> > PID: 2262BE91
> > Process name: _VTA63:
> > Username: KENTEST
> > Terminal name: VTA63:, _NTY63:, cougar.uni.edu
> > Remote nodename: TELNET
> > Remote username: 86A10128:076A
> > Status: %LOGIN-F-INVPWD, invalid password

>
>was recorded with a login attempt to "kentest"
>
>- ken
>
>
>Jim Mehlhop wrote:
>
> > It would be against VMS policy to display the targeted username. Set
> > host, LAT, telnet, etc do not record the targeted username
> >
> >
> >
> >
> >
> > SYS4$
> > %%%%%%%%%%% OPCOM 21-APR-2005 08:41:04.83 %%%%%%%%%%%
> > Message from user AUDIT$SERVER on SYS4
> > Security alarm (SECURITY) and security audit (SECURITY) on SYS4,
> > system id: 10242
> > Auditable event: Local interactive login failure
> > Event time: 21-APR-2005 08:41:04.83
> > PID: 2B80031A
> > Process name: _NTY6:
> > Username:
> > Terminal name: NTY6:, _NTY6:, sys6.mehlhop.org/3995
> > Remote nodename: TELNET
> > Remote username: C0A801CE:0F9B
> > Status: %LOGIN-F-NOSUCHUSER, no such user
> >
> >
> >
> > At 06:56 AM 4/21/2005, you wrote:
> >
> >> Jeremy -
> >>
> >> Please call Tech Support and have them log an enhancement DE for
> >> this. I'll change the code that the suspect name is logged along
> >> with the GETUAI error.
> >>
> >> At 10:02 PM 4/20/2005, Jeremy Begg wrote:
> >>
> >>> Hi,
> >>>
> >>> Process Software MultiNet V4.4 Rev A-X, COMPAQ AlphaServer DS20E 666 MHz,
> >>> OpenVMS AXP V7.3-1
> >>> (Shortly to be upgraded to V5.0 on VMS 7.3-2)
> >>>
> >>> We'd like to gather more information on SSH-based attacks on this
> >>> system.
> >>>
> >>> We've found a new MULTINET_ROOT:[MULTINET.SSH]SSHD.LOG file gets
> >>> created for each incoming connection and tends to contain entries
> >>> like this:
> >>>
> >>> SSHD 0181[00026B86]: WARNING: DNS lookup failed for "67.19.157.18".
> >>> getpwnam: getuai failed: 182b2
> >>> getpwnam: getuai failed: 182b2
> >>>
> >>> I'm assuming the 'getpwnam' errors are indicating that the supplied
> >>> username does not exist in the SYSUAF (182B2 = %RMS-E-RNF). Is there
> >>> some way of getting the username into this log file?
> >>>
> >>> What other logging have people found helpful?
> >>>
> >>> Thanks,
> >>>
> >>> Jeremy Begg
> >>>
> >>> +---------------------------------------------------------+
> >>> | VSM Software Services Pty. Ltd. |
> >>> | http://www.vsm.com.au/ |
> >>> | "OpenVMS Systems Management & Programming" |
> >>> |---------------------------------------------------------|
> >>> | P.O.Box 402, Walkerville, | E-Mail: jeremy@vsm.com.au |
> >>> | South Australia 5081 | Phone: +61 8 8221 5188 |
> >>> |---------------------------| Mobile: 0414 422 947 |
> >>> | A.C.N. 068 409 156 | FAX: +61 8 8221 7199 |
> >>> +---------------------------------------------------------+
> >>
> >>
> >> ------
> >> +-------------------------------+----------------------------------------+
> >> | Dan O'Reilly                  | "There are 10 types of people in this  |
> >> | Principal Engineer            |  world: those who understand binary    |
> >> | Process Software              |  and those who don't."                 |
> >> | http://www.process.com        |                                        |
> >> +-------------------------------+----------------------------------------+
> >>

> >
> > Jim Mehlhop
> >
> >
> > Join Cauce to outlaw spam
> > http://www.cauce.org/
> >

>
>--
>- Ken
>=================================================================
>Ken Connelly Systems and Operations Manager, ITS Network Services
>University of Northern Iowa Cedar Falls, IA 50614-0121
>email: Ken.Connelly@uni.edu
>phone: (319) 273-5850 fax: (319) 273-7373
>
>It's much more important to know what you don't know than what you do
>know!


Jim Mehlhop


Join Cauce to outlaw spam
http://www.cauce.org/
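
Added example, not part of the original thread: a small parser for the security alarm blocks quoted above that reports, per login failure, whether a Username was recorded and which status code accompanied it. Reading "Remote username" as a hexadecimal IPv4 address and port is an assumption; it is consistent with the alarms above, where 0FB6 hex equals the 4022 shown after the host name in "Terminal name". The function names are hypothetical.

```python
import ipaddress
import re
# Two alarms from the thread, abridged; the second keeps its "> > " quoting.
SAMPLE = """\
Auditable event: Local interactive login failure
Event time: 21-APR-2005 09:40:14.26
Username: SYSTEM
Terminal name: NTY9:, _NTY9:, sys6.mehlhop.org/4022
Remote username: C0A801CE:0FB6
Status: %LOGIN-F-INVPWD, invalid password
> > Auditable event: Local interactive login failure
> > Event time: 21-APR-2005 08:41:04.83
> > Username:
> > Terminal name: NTY6:, _NTY6:, sys6.mehlhop.org/3995
> > Remote username: C0A801CE:0F9B
> > Status: %LOGIN-F-NOSUCHUSER, no such user
"""

FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")

def parse_alarms(text):
    """One dict per alarm; a new record starts at 'Auditable event'."""
    records = []
    for raw in text.splitlines():
        m = FIELD.match(raw.lstrip("> \t").rstrip())
        if not m:
            continue  # OPCOM banner lines and wrapped fragments
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Auditable event":
            records.append({})
        if records:
            records[-1][key] = value
    return records

def decode_remote(field):
    """Assumed format: hex IPv4 address, ':', hex port. None otherwise."""
    m = re.fullmatch(r"([0-9A-Fa-f]{8}):([0-9A-Fa-f]{4})", field)
    if not m:
        return None
    return str(ipaddress.IPv4Address(int(m.group(1), 16))), int(m.group(2), 16)

def summarize(text):
    # Per alarm: (event time, username or None, status code, decoded remote)
    return [(r.get("Event time"), r.get("Username") or None,
             r.get("Status", "").split(",")[0],
             decode_remote(r.get("Remote username", "")))
            for r in parse_alarms(text)]

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

A None in the username position marks an alarm where the field was left blank, as in the NOSUCHUSER alarm above.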