At 05:48 PM 4/21/2005, Jeremy Begg wrote:
>Hi Dan,
>
>>Please call Tech Support and have them log an enhancement DE for this. I'll
>>change the code so that the suspect name is logged along with the GETUAI error.
>
>Will do. The reason we want this is to set up some sort of automated
>mechanism to detect attacks when they occur. (I must confess though we
>haven't really worked out what we'll do with the information.)
>
>The discussion which followed re VMS policy toward recording usernames for
>login failures and breakin detection was interesting so I did some tests of
>my own.
>
> $ SET HOST 0
> Username: JEREMY
> Password: xxxxxx (i.e. not my real password)
>
>resulted in an immediate OPCOM security alarm showing the attempted
>username. Similar results for LAT and TELNET. Note that this was on the
>first attempted login, so it's not (yet) a breakin, although SHOW INTR does
>show an entry for each login attempt (i.e. one for each protocol).


BUT that was for a valid username. What you were seeing before with the
RNF error was for an INVALID username. If you do that with any of the
above it does NOT record the invalid username.

Jim



>In any case I wasn't asking for the username to be "displayed" (Jim's words)
>just recorded in a file (SSHD.LOG, which is not world readable).
>
>Regards,
>
> Jeremy Begg
>
>
>>At 10:02 PM 4/20/2005, Jeremy Begg wrote:
>>>Hi,
>>>
>>>Process Software MultiNet V4.4 Rev A-X, COMPAQ AlphaServer DS20E 666 MHz,
>>>OpenVMS AXP V7.3-1
>>>(Shortly to be upgraded to V5.0 on VMS 7.3-2)
>>>
>>>We'd like to gather more information on SSH-based attacks on this system.
>>>
>>>We've found a new MULTINET_ROOT:[MULTINET.SSH]SSHD.LOG file gets created for
>>>each incoming connection and tends to contain entries like this:
>>>
>>> SSHD 0181[00026B86]: WARNING: DNS lookup failed for "67.19.157.18".
>>> getpwnam: getuai failed: 182b2
>>> getpwnam: getuai failed: 182b2
>>>
>>>I'm assuming the 'getpwnam' errors are indicating that the supplied username
>>>does not exist in the SYSUAF (182B2 = %RMS-E-RNF). Is there some way of
>>>getting the username into this log file?
>>>
>>>What other logging have people found helpful?
>>>
>>>Thanks,
>>>
>>> Jeremy Begg
>>>
>>> +---------------------------------------------------------+
>>> | VSM Software Services Pty. Ltd. |
>>> | http://www.vsm.com.au/ |
>>> | "OpenVMS Systems Management & Programming" |
>>> |---------------------------------------------------------|
>>> | P.O.Box 402, Walkerville, | E-Mail: jeremy@vsm.com.au |
>>> | South Australia 5081 | Phone: +61 8 8221 5188 |
>>> |---------------------------| Mobile: 0414 422 947 |
>>> | A.C.N. 068 409 156 | FAX: +61 8 8221 7199 |
>>> +---------------------------------------------------------+

>
>>------
>>+-------------------------------+----------------------------------------+
>>| Dan O'Reilly | "There are 10 types of people in this |
>>| Principal Engineer | world: those who understand binary |
>>| Process Software | and those who don't." |
>>| http://www.process.com | |
>>+-------------------------------+----------------------------------------+

>
>Jim Mehlhop
>
>
>Join Cauce to outlaw spam
>http://www.cauce.org/
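
The automated detection discussed in this thread, as an added example (not part of the original messages and not MultiNet code): it tallies `getuai failed: 182b2` lines per peer address across per-connection SSHD.LOG files. It assumes the peer address is available only from the DNS-lookup warning shown in the excerpt; the function names, the threshold and the second and third sample logs are constructed.

```python
import re
from collections import Counter

# Line shapes taken from the SSHD.LOG excerpt quoted in the thread.
DNS_FAIL = re.compile(r'DNS lookup failed for "([^"]+)"')
GETUAI_FAIL = re.compile(r"getpwnam: getuai failed: ([0-9a-fA-F]+)")
RMS_RNF = 0x182B2  # %RMS-E-RNF: username not found in SYSUAF (per the thread)

def summarize_log(text):
    """Return (peer_address_or_None, unknown_username_count) for one SSHD.LOG."""
    peer, unknown = None, 0
    for line in text.splitlines():
        dns = DNS_FAIL.search(line)
        if dns:
            peer = dns.group(1)
            continue
        uai = GETUAI_FAIL.search(line)
        if uai and int(uai.group(1), 16) == RMS_RNF:
            unknown += 1
    return peer, unknown

def flag_sources(logs, threshold=3):
    """Sum unknown-username lookups per peer; return peers at or over threshold."""
    totals = Counter()
    for text in logs:
        peer, unknown = summarize_log(text)
        # Assumption: the address appears only in the DNS warning, so logs
        # without that line are grouped under "unknown".
        totals[peer or "unknown"] += unknown
    return {peer: n for peer, n in totals.items() if n >= threshold}

# First entry is the excerpt from the thread; the others are constructed.
SAMPLE_LOGS = [
    'SSHD 0181[00026B86]: WARNING: DNS lookup failed for "67.19.157.18".\n'
    "getpwnam: getuai failed: 182b2\ngetpwnam: getuai failed: 182b2\n",
    'SSHD 0182[00026B87]: WARNING: DNS lookup failed for "67.19.157.18".\n'
    "getpwnam: getuai failed: 182b2\ngetpwnam: getuai failed: 182b2\n",
    'SSHD 0183[00026B88]: WARNING: DNS lookup failed for "192.0.2.10".\n'
    "getpwnam: getuai failed: 182b2\n",
]

if __name__ == "__main__":
    for peer, count in flag_sources(SAMPLE_LOGS).items():
        print(f"{peer}: {count} logins for nonexistent usernames")
```

Because the log in the excerpt does not carry the attempted username, this counts invalid-username attempts per source only; it cannot say which names were tried.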