One other consideration for LAT (LTA), Telnet (NTY, TNA) and Virtual
Terminals (VTA) is to set the Sysgen parameter LGI_BRK_TERM to 0. With
the default setting (1) the Suspect record includes the terminal device
name (which is always changing) as well as the username and may not become
an Intruder because the Suspect records never match. Setting LGI_BRK_TERM
to zero (0) tells the system to associate the intrusions by Username only.
The LGI parameters are Dynamic so you can test your changes before making
them permanent.

It is not until you understand what you do not know that the learning
process starts.

Mark D. Schuster, Sr Systems Analyst -- WWIS, Server Services
Eastman Kodak Company
3/56/KP Mail Code 2-4503
343 State Street
Rochester, NY 14652-4503
Phone: (585) 477-5744, Knet: 2575744, FAX: (585) 722-0415
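
A small model of the association rule Mark describes, added here as an illustration; it is not VMS code and not from anyone in this thread. It replays a constructed stream of failed logins where every network connection lands on a different virtual terminal, and keys the suspect records either on (username, terminal), as LGI_BRK_TERM=1 does, or on username alone, as LGI_BRK_TERM=0 does. The counting rule is an assumption for the example (failures older than brk_tmo seconds fall out of a suspect record, and a record that reaches brk_lim failures becomes an intruder record); the device names, timestamps and the default-looking values 5 and 300 are constructed inputs, not a statement of what the real parameters are set to.

```python
"""Simplified model of how login failures are associated for break-in
detection, keyed either on username+terminal or on username alone.
Example code written for this thread; the counting rule is an assumption."""
from collections import defaultdict

# Constructed failed-login stream: (seconds since start, username, terminal).
# Every network login gets a freshly allocated virtual terminal, so the
# device name differs on each attempt even though the username repeats.
FAILURES = [
    (0,  "JEREMY", "TNA12:"),
    (10, "JEREMY", "TNA13:"),
    (20, "JEREMY", "TNA14:"),
    (30, "JEREMY", "TNA15:"),
    (40, "JEREMY", "TNA16:"),
    (50, "JEREMY", "TNA17:"),
    (60, "SYSTEM", "TNA18:"),
]


def association_key(username, terminal, lgi_brk_term):
    """LGI_BRK_TERM=1: suspect records include the terminal name.
    LGI_BRK_TERM=0: suspect records are associated by username only."""
    return (username, terminal) if lgi_brk_term else (username,)


def detect_intruders(failures, lgi_brk_term=1, brk_lim=5, brk_tmo=300):
    """Replay the failures. Returns (intruder keys, number of suspect
    records created). Assumed rule: a suspect record keeps failures from
    the last brk_tmo seconds and becomes an intruder once it holds
    brk_lim failures."""
    suspects = defaultdict(list)   # association key -> failure timestamps
    intruders = set()
    for t, user, term in failures:
        key = association_key(user, term, lgi_brk_term)
        recent = [s for s in suspects[key] if t - s <= brk_tmo]
        recent.append(t)
        suspects[key] = recent
        if len(recent) >= brk_lim:
            intruders.add(key)
    return intruders, len(suspects)


if __name__ == "__main__":
    for setting in (1, 0):
        intruders, records = detect_intruders(FAILURES, lgi_brk_term=setting)
        print(f"LGI_BRK_TERM={setting}: {records} suspect records, "
              f"intruders={sorted(intruders)}")
```

With the terminal name in the key, six failures for the same username spread over six terminals leave six one-entry suspect records and never escalate; keyed on username alone, the same stream crosses the limit at the fifth failure. That is the situation the paragraph above describes, reduced to a table lookup you can step through.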

Jeremy Begg
2005/04/21 19:48
Please respond to Info-MultiNet

To: "Dan O'Reilly"
Subject: Re: Detecting SSH attacks

Hi Dan,

>Please call Tech Support and have them log an enhancement DE for this.

>change the code that the suspect name is logged along with the GETUAI


Will do. The reason we want this is to set up some sort of automated
mechanism to detect attacks when they occur. (I must confess though we
haven't really worked out what we'll do with the information.)

The discussion which followed re VMS policy toward recording usernames for
login failures and breakin detection was interesting so I did some tests of
my own.

Username: JEREMY
Password: xxxxxx (i.e. not my real password)

resulted in an immediate OPCOM security alarm showing the attempted
username. Similar results for LAT and TELNET. Note that this was on the
first attempted login, so it's not (yet) a breakin, although SHOW INTR
shows an entry for each login attempt (i.e. one for each protocol).

In any case I wasn't asking for the username to be "displayed" (Jim's
just recorded in a file (SSHD.LOG, which is not world readable).


Jeremy Begg

>At 10:02 PM 4/20/2005, Jeremy Begg wrote:
>>Process Software MultiNet V4.4 Rev A-X, COMPAQ AlphaServer DS20E 666

>>OpenVMS AXP V7.3-1
>>(Shortly to be upgraded to V5.0 on VMS 7.3-2)
>>We'd like to gather more information on SSH-based attacks on this

>>We've found a new MULTINET_ROOT:[MULTINET.SSH]SSHD.LOG file gets created

>>each incoming connection and tends to contain entries like this:
>> SSHD 0181[00026B86]: WARNING: DNS lookup failed for "".
>> getpwnam: getuai failed: 182b2
>> getpwnam: getuai failed: 182b2
>>I'm assuming the 'getpwnam' errors are indicating that the supplied

>>does not exist in the SYSUAF (182B2 = %RMS-E-RNF). Is there some way of
>>getting the username into this log file?
>>What other logging have people found helpful?
>> Jeremy Begg
>> +---------------------------------------------------------+
>> | VSM Software Services Pty. Ltd. |
>> | |
>> | "OpenVMS Systems Management & Programming" |
>> |---------------------------------------------------------|
>> | P.O.Box 402, Walkerville, | E-Mail: |
>> | South Australia 5081 | Phone: +61 8 8221 5188 |
>> |---------------------------| Mobile: 0414 422 947 |
>> | A.C.N. 068 409 156 | FAX: +61 8 8221 7199 |
>> +---------------------------------------------------------+

>| Dan O'Reilly | "There are 10 types of people in this

>| Principal Engineer | world: those who understand binary |
>| Process Software | and those who don't." |
>| | |
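
Since SSHD.LOG does not carry the username, the only automated signal available from the entries quoted above is the count of getuai failures per connection log. The following parser is an added example written for this thread, not MultiNet code and not Jeremy's: it reads log text shaped like the two line forms he quoted, maps status 182B2 to %RMS-E-RNF as the thread states, and flags any connection log whose unknown-username failures reach a threshold. The log contents, process ids and the threshold of 3 are constructed for the example.

```python
"""Parse MultiNet-style SSHD.LOG text and count getuai (SYSUAF lookup)
failures per connection log. Example code written for this thread; the
sample logs below are constructed."""
import re

# Constructed SSHD.LOG files, one per incoming connection, modelled on the
# two line shapes quoted in the thread. Sequence numbers and pids are made up.
SAMPLE_LOGS = {
    "SSHD.LOG;1": (
        'SSHD 0181[00026B86]: WARNING: DNS lookup failed for "".\n'
        "getpwnam: getuai failed: 182b2\n"
        "getpwnam: getuai failed: 182b2\n"
    ),
    "SSHD.LOG;2": (
        'SSHD 0182[00026B90]: WARNING: DNS lookup failed for "".\n'
    ),
    "SSHD.LOG;3": (
        'SSHD 0183[00026B94]: WARNING: DNS lookup failed for "".\n'
        "getpwnam: getuai failed: 182b2\n"
        "getpwnam: getuai failed: 182b2\n"
        "getpwnam: getuai failed: 182b2\n"
        "getpwnam: getuai failed: 182b2\n"
    ),
}

HEADER_RE = re.compile(r"^SSHD (?P<seq>[0-9A-Fa-f]+)\[(?P<pid>[0-9A-Fa-f]+)\]:")
GETUAI_RE = re.compile(r"^getpwnam: getuai failed: (?P<status>[0-9A-Fa-f]+)$")

# Status values named in the thread: 182B2 is %RMS-E-RNF (record not found),
# i.e. the supplied username has no SYSUAF record.
STATUS_NAMES = {0x182B2: "RMS-E-RNF"}


def parse_sshd_log(text):
    """Return the sshd process id and the list of getuai status codes
    (as integers) found in one SSHD.LOG file."""
    pid = None
    statuses = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            pid = m.group("pid")
            continue
        m = GETUAI_RE.match(line)
        if m:
            statuses.append(int(m.group("status"), 16))
    return {"pid": pid, "getuai_failures": statuses}


def unknown_user_attempts(parsed):
    """Count getuai failures whose status means 'no such SYSUAF record'."""
    return sum(1 for s in parsed["getuai_failures"]
               if STATUS_NAMES.get(s) == "RMS-E-RNF")


def find_suspicious_connections(logs, threshold=3):
    """Map log name -> unknown-username failure count for every connection
    whose count reaches the threshold."""
    hits = {}
    for name, text in logs.items():
        n = unknown_user_attempts(parse_sshd_log(text))
        if n >= threshold:
            hits[name] = n
    return hits


if __name__ == "__main__":
    for name, count in find_suspicious_connections(SAMPLE_LOGS).items():
        print(f"{name}: {count} unknown-username failures")
```

Because each connection gets its own log file, the per-file count only says how many names one session tried; to see an attack spread across many short connections you would run the same parser over every SSHD.LOG version in the directory and sum the counts per source, which is exactly the information the thread notes is missing from the log and from the audit records keyed on terminal name.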