Re: Detecting SSH attacks - VMS



Thread: Re: Detecting SSH attacks

  1. Re: Detecting SSH attacks

    Jeremy,

    Not that it will help a lot but, the hexadecimal representation of the IP
    address and port is returned as the "Remote username" in the security
    alarms below. If it is an IP address on *your* network you could, from a
    Windows command prompt, type:

    C:\> nbtstat -a 'ip_address'

    This will return the PC's workstation name and the user logged in at the
    time you executed the command. Caveat here is the intruder would have to
    be at a PC, on your network and the DHCP lease had not expired.

    I use this quite often when some "know-it-all" user changes their Extra PC
    session and clicks "AutoConnect" then walks away or leaves at the end of
    their shift. It generates a security alarm for every LGI_PWD_TMO interval
    (default 30 seconds).


    It is not until you understand what you do not know that the learning
    process starts.

    Mark D. Schuster, Sr Systems Analyst -- WWIS, Server Services
    mark.schuster@kodak.com
    Eastman Kodak Company
    3/56/KP Mail Code 2-4503
    343 State Street
    Rochester, NY 14652-4503
    Phone: (585) 477-5744, Knet: 2575744, FAX: (585) 722-0415





    Jim Mehlhop
    2005/04/21 11:37
    Please respond to Info-MultiNet


    To: info-multinet@process.com
    cc:
    Subject: Re: Detecting SSH attacks


    Yes but the situation with RNF would indicate it was a nonexistent
    username

    At 09:22 AM 4/21/2005, you wrote:
    >only if the username doesn't exist on the system...
    >
    >>Security alarm (SECURITY) and security audit (SECURITY) on ICEMAN, system
    >>id: 10
    >>Auditable event: Local interactive login failure
    >>Event time: 21-APR-2005 10:16:55.50
    >>PID: 2262BE91
    >>Process name: _VTA63:
    >>Username: KENTEST
    >>Terminal name: VTA63:, _NTY63:, cougar.uni.edu
    >>Remote nodename: TELNET
    >>Remote username: 86A10128:076A
    >>Status: %LOGIN-F-INVPWD, invalid password

    >
    >was recorded with a login attempt to "kentest"
    >
    >- ken
    >
    >
    >Jim Mehlhop wrote:
    >
    >>It would be against VMS policy to display the targeted username. Set
    >>host, LAT, telnet, etc do not record the targeted username
    >>
    >>
    >>
    >>
    >>
    >>SYS4$
    >>%%%%%%%%%%% OPCOM 21-APR-2005 08:41:04.83 %%%%%%%%%%%
    >>Message from user AUDIT$SERVER on SYS4
    >>Security alarm (SECURITY) and security audit (SECURITY) on SYS4, system
    >>id: 10242
    >>Auditable event: Local interactive login failure
    >>Event time: 21-APR-2005 08:41:04.83
    >>PID: 2B80031A
    >>Process name: _NTY6:
    >>Username:
    >>Terminal name: NTY6:, _NTY6:, sys6.mehlhop.org/3995
    >>Remote nodename: TELNET
    >>Remote username: C0A801CE:0F9B
    >>Status: %LOGIN-F-NOSUCHUSER, no such user
    >>
    >>
    >>
    >>At 06:56 AM 4/21/2005, you wrote:
    >>
    >>>Jeremy -
    >>>
    >>>Please call Tech Support and have them log an enhancement DE for this. I'll
    >>>change the code that the suspect name is logged along with the GETUAI error.
    >>>
    >>>At 10:02 PM 4/20/2005, Jeremy Begg wrote:
    >>>
    >>>>Hi,
    >>>>
    >>>>Process Software MultiNet V4.4 Rev A-X, COMPAQ AlphaServer DS20E 666 MHz,
    >>>>OpenVMS AXP V7.3-1
    >>>>(Shortly to be upgraded to V5.0 on VMS 7.3-2)
    >>>>
    >>>>We'd like to gather more information on SSH-based attacks on this system.
    >>>>
    >>>>We've found a new MULTINET_ROOT:[MULTINET.SSH]SSHD.LOG file gets
    >>>>created for
    >>>>each incoming connection and tends to contain entries like this:
    >>>>
    >>>> SSHD 0181[00026B86]: WARNING: DNS lookup failed for "67.19.157.18".
    >>>> getpwnam: getuai failed: 182b2
    >>>> getpwnam: getuai failed: 182b2
    >>>>
    >>>>I'm assuming the 'getpwnam' errors are indicating that the supplied
    >>>>username
    >>>>does not exist in the SYSUAF (182B2 = %RMS-E-RNF). Is there some way of
    >>>>getting the username into this log file?
    >>>>
    >>>>What other logging have people found helpful?
    >>>>
    >>>>Thanks,
    >>>>
    >>>> Jeremy Begg
    >>>>
    >>>> +---------------------------------------------------------+
    >>>> | VSM Software Services Pty. Ltd. |
    >>>> | http://www.vsm.com.au/ |
    >>>> | "OpenVMS Systems Management & Programming" |
    >>>> |---------------------------------------------------------|
    >>>> | P.O.Box 402, Walkerville, | E-Mail: jeremy@vsm.com.au |
    >>>> | South Australia 5081 | Phone: +61 8 8221 5188 |
    >>>> |---------------------------| Mobile: 0414 422 947 |
    >>>> | A.C.N. 068 409 156 | FAX: +61 8 8221 7199 |
    >>>> +---------------------------------------------------------+
    >>>
    >>>
    >>>------
    >>>+-------------------------------+----------------------------------------+
    >>>| Dan O'Reilly | "There are 10 types of people in this |
    >>>| Principal Engineer | world: those who understand binary |
    >>>| Process Software | and those who don't." |
    >>>| http://www.process.com
    >>>| |
    >>>+-------------------------------+----------------------------------------+

    >>
    >>Jim Mehlhop
    >>
    >>
    >>Join Cauce to outlaw spam
    >>http://www.cauce.org/

    >
    >--
    >- Ken
    >=================================================================
    >Ken Connelly Systems and Operations Manager, ITS Network Services
    >University of Northern Iowa Cedar Falls, IA 50614-0121
    >email: Ken.Connelly@uni.edu
    >phone: (319) 273-5850 fax: (319) 273-7373
    >
    >It's much more important to know what you don't know than what you do know!
    >


    Jim Mehlhop


    Join Cauce to outlaw spam
    http://www.cauce.org/
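Decoding the hexadecimal "Remote username" that Mark describes, as an added example (Python; not code from this thread, from MultiNet or from Process Software): it splits OPCOM alarm text into records, converts the eight hex digits before the colon into a dotted IPv4 address and the four after it into a port, and tallies login failures per source address. The alarm text below is constructed in the format quoted in the thread; the first two records reuse the values quoted above (C0A801CE:0F9B on SYS4, 86A10128:076A on ICEMAN), the third record is invented, and all function names are my own.

```python
"""Decode the hex 'Remote username' of OpenVMS login-failure alarms.

Added example, not code from the thread or from Process Software.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed OPCOM excerpt in the format shown in the thread. The first two
# records reuse values quoted there; the third is invented for illustration.
SAMPLE_ALARMS = """\
%%%%%%%%%%% OPCOM 21-APR-2005 08:41:04.83 %%%%%%%%%%%
Message from user AUDIT$SERVER on SYS4
Security alarm (SECURITY) and security audit (SECURITY) on SYS4, system
id: 10242
Auditable event: Local interactive login failure
Event time: 21-APR-2005 08:41:04.83
PID: 2B80031A
Process name: _NTY6:
Username:
Terminal name: NTY6:, _NTY6:, sys6.mehlhop.org/3995
Remote nodename: TELNET
Remote username: C0A801CE:0F9B
Status: %LOGIN-F-NOSUCHUSER, no such user

%%%%%%%%%%% OPCOM 21-APR-2005 10:16:55.50 %%%%%%%%%%%
Message from user AUDIT$SERVER on ICEMAN
Security alarm (SECURITY) and security audit (SECURITY) on ICEMAN, system
id: 10
Auditable event: Local interactive login failure
Event time: 21-APR-2005 10:16:55.50
PID: 2262BE91
Process name: _VTA63:
Username: KENTEST
Terminal name: VTA63:, _NTY63:, cougar.uni.edu
Remote nodename: TELNET
Remote username: 86A10128:076A
Status: %LOGIN-F-INVPWD, invalid password

%%%%%%%%%%% OPCOM 21-APR-2005 10:17:02.10 %%%%%%%%%%%
Message from user AUDIT$SERVER on ICEMAN
Security alarm (SECURITY) and security audit (SECURITY) on ICEMAN, system
id: 10
Auditable event: Local interactive login failure
Event time: 21-APR-2005 10:17:02.10
PID: 2262BE92
Process name: _VTA64:
Username: JSMITH
Terminal name: VTA64:, _NTY64:, cougar.uni.edu
Remote nodename: TELNET
Remote username: 86A10128:076B
Status: %LOGIN-F-INVPWD, invalid password
"""

HEX_ADDR_RE = re.compile(r"^([0-9A-Fa-f]{8}):([0-9A-Fa-f]{4})$")
NODE_RE = re.compile(r"\bon\s+(\S+),")


def decode_remote_username(value: str) -> Optional[Tuple[str, int]]:
    """'C0A801CE:0F9B' -> ('192.168.1.206', 3995); None for a real username."""
    m = HEX_ADDR_RE.match(value.strip())
    if not m:
        return None
    addr = int(m.group(1), 16)
    octets = [(addr >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    return ".".join(str(o) for o in octets), int(m.group(2), 16)


def parse_alarms(text: str) -> List[Dict[str, str]]:
    """Split OPCOM output into one dict of 'Field': 'value' per alarm."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("%%%"):          # OPCOM banner: record boundary
            current = None
        elif line.startswith("Security alarm"):
            m = NODE_RE.search(line)
            current = {"Node": m.group(1) if m else ""}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, val = line.partition(":")
            current[key.strip()] = val.strip()
    return records


def summarize(text: str) -> List[Dict[str, object]]:
    """One row per LOGIN-F alarm with the decoded source address and port."""
    rows: List[Dict[str, object]] = []
    for rec in parse_alarms(text):
        if not rec.get("Status", "").startswith("%LOGIN-F"):
            continue
        decoded = decode_remote_username(rec.get("Remote username", ""))
        ip, port = decoded if decoded else (None, None)
        rows.append({"node": rec["Node"], "event_time": rec.get("Event time", ""),
                     "username": rec.get("Username", ""), "status": rec["Status"],
                     "source_ip": ip, "source_port": port})
    return rows


def count_by_source(rows: List[Dict[str, object]]) -> Counter:
    """Failures per source IP; a high count from one address is the signal."""
    return Counter(r["source_ip"] for r in rows if r["source_ip"])


if __name__ == "__main__":
    rows = summarize(SAMPLE_ALARMS)
    for r in rows:
        print(f"{r['event_time']} {r['node']:<7} {r['source_ip']}:{r['source_port']} "
              f"user={r['username'] or '<none>'} {r['status']}")
    print(count_by_source(rows).most_common())
```

The decoded port of the SYS4 record (3995) matches the "/3995" suffix on its Terminal name line, which is a convenient cross-check that the field really is the peer address and port with the most significant byte first.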






  2. Re: Detecting SSH attacks

    In article ,
    mark.schuster@kodak.com writes:
    >
    > Not that it will help a lot but, the hexadecimal representation of the IP
    > address and port is returned as the "Remote username" in the security
    > alarms below. If it is an IP address on *your* network you could, from a
    > Windows command prompt, type:
    >
    > C:>/ nbtstat -a 'ip_address'
    >
    > This will return the PC's workstation name and the user logged in at the
    > time you executed the command. Caveat here is the intruder would have to
    > be at a PC, on your network and the DHCP lease had not expired.


    Just for grins I tried it on two different machines. One running XP
    and one running 2000 Server. Result was the same:
    'nbstat' is not recognized as an internal or external command,
    operable program or batch file.

    Are you sure you don't need the optional Resource Kit in order to
    have this command?

    bill


    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    bill@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include
