Hi Dan,

>Please call Tech Support and have them log an enhancement DE for this. I'll
>change the code so that the suspect name is logged along with the GETUAI error.

Will do. The reason we want this is to set up some sort of automated
mechanism to detect attacks when they occur. (I must confess though we
haven't really worked out what we'll do with the information.)

The discussion which followed re VMS policy toward recording usernames for
login failures and breakin detection was interesting so I did some tests of
my own.

Username: JEREMY
Password: xxxxxx (i.e. not my real password)

resulted in an immediate OPCOM security alarm showing the attempted
username. Similar results for LAT and TELNET. Note that this was on the
first attempted login, so it's not (yet) a breakin, although SHOW INTR does
show an entry for each login attempt (i.e. one for each protocol).

In any case I wasn't asking for the username to be "displayed" (Jim's words)
just recorded in a file (SSHD.LOG, which is not world readable).


Jeremy Begg

>At 10:02 PM 4/20/2005, Jeremy Begg wrote:
>>Process Software MultiNet V4.4 Rev A-X, COMPAQ AlphaServer DS20E 666 MHz,
>>OpenVMS AXP V7.3-1
>>(Shortly to be upgraded to V5.0 on VMS 7.3-2)
>>We'd like to gather more information on SSH-based attacks on this system.
>>We've found a new MULTINET_ROOT:[MULTINET.SSH]SSHD.LOG file gets created for
>>each incoming connection and tends to contain entries like this:
>> SSHD 0181[00026B86]: WARNING: DNS lookup failed for "".
>> getpwnam: getuai failed: 182b2
>> getpwnam: getuai failed: 182b2
>>I'm assuming the 'getpwnam' errors are indicating that the supplied username
>>does not exist in the SYSUAF (182B2 = %RMS-E-RNF). Is there some way of
>>getting the username into this log file?
>>What other logging have people found helpful?
>> Jeremy Begg
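
Added example, not part of the original messages or of MultiNet: a Python sketch that counts the `getuai failed` entries in one SSHD.LOG and decodes the hex status using the standard VMS condition-value layout, confirming that 182B2 is an RMS error-severity code. The sample lines are copied from the excerpt quoted above; treating the bracketed header value as a per-connection identifier and the function names are assumptions.

```python
import re
from collections import Counter

# VMS condition value layout: bits 0-2 severity, bits 3-15 message number,
# bits 16-27 facility number.
SEVERITY = {0: "W", 1: "S", 2: "E", 3: "I", 4: "F"}
FACILITY = {0: "SYSTEM", 1: "RMS"}   # only the facilities needed here
RMS_RNF = 0x182B2                    # %RMS-E-RNF, record not found

GETUAI_RE = re.compile(r"getpwnam: getuai failed: ([0-9a-fA-F]+)")
# Assumption: the bracketed hex value in the header identifies the connection.
HEADER_RE = re.compile(r"SSHD \d+\[([0-9A-Fa-f]{8})\]:")

def decode_status(hex_text):
    """Split a hex condition value into facility, severity and message number."""
    value = int(hex_text, 16)
    return {
        "value": value,
        "facility": FACILITY.get((value >> 16) & 0xFFF, "?"),
        "severity": SEVERITY.get(value & 0x7, "?"),
        "message": (value >> 3) & 0x1FFF,
    }

def summarise(log_text):
    """Return (header id, Counter of getuai status codes) for one SSHD.LOG."""
    header_id, failures = None, Counter()
    for line in log_text.splitlines():
        m = HEADER_RE.search(line)
        if m and header_id is None:
            header_id = m.group(1)
        m = GETUAI_RE.search(line)
        if m:
            failures[int(m.group(1), 16)] += 1
    return header_id, failures

def unknown_user_attempts(failures):
    """Number of lookups that failed because the username is not in SYSUAF."""
    return failures.get(RMS_RNF, 0)

# Sample lines taken from the log excerpt quoted in the message above.
SAMPLE = '''SSHD 0181[00026B86]: WARNING: DNS lookup failed for "".
getpwnam: getuai failed: 182b2
getpwnam: getuai failed: 182b2
'''

if __name__ == "__main__":
    ident, fails = summarise(SAMPLE)
    print(ident, unknown_user_attempts(fails), decode_status("182b2"))
```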
