POP attacks and NOSLOT errors - VMS



Thread: POP attacks and NOSLOT errors

  1. Re: POP attacks and NOSLOT errors

    >...
    > operator.log doesn't say much at all, but ana/audit gives
    > entries like :


    FTP does a good job of sending information to the Audit Journal, but POP
    does not.

    Peter Weaver
    www.weaverconsulting.ca
    CHARON-VAX CHARON-AXP DataStream Reflection PreciseMail HP Commercial
    Hardware


  2. Re: POP attacks and NOSLOT errors

    Peter Weaver wrote:
    >> ...
    >> operator.log doesn't say much at all, but ana/audit gives
    >> entries like :

    >
    > FTP does a good job of sending information to the Audit Journal, but POP
    > does not.
    >
    > Peter Weaver
    > www.weaverconsulting.ca
    > CHARON-VAX CHARON-AXP DataStream Reflection PreciseMail HP Commercial
    > Hardware


    OK, right.
    That's a major problem of course.
    And I seem to remember JF's report on that
    issue earlier also...

    Jan-Erik.

  3. Re: POP attacks and NOSLOT errors

    On Sun, 25 Nov 2007 19:15:04 -0800, Peter Weaver
    wrote:

    >> ...
    >> No. I reported this some time ago. There is also no breakin evasion
    >> triggered.

    >
    > Yes, I remember seeing your posting the first time this happened to me,
    > it would have been really nice if someone from HP would have seen it too..
    >
    >> ...
    >> No. But you can reduce the impact by setting a service limit
    > ( SET SERVICE POP /LIMIT=2 for instance). So if the hacker makes
    >> multiple simultaneous connection attempts, only the first 2 get through
    >> and this limits the damage to your system and also slows down their
    >> dictionary attacks.


    Won't this also affect legitimate users?

    >
    > Thanks, I'll try that.
    >
    > Peter Weaver
    > www.weaverconsulting.ca
    > CHARON-VAX CHARON-AXP DataStream Reflection PreciseMail HP Commercial
    > Hardware




    --
    PL/I for OpenVMS
    www.kednos.com

  4. Re: POP attacks and NOSLOT errors

    In article <44117$4749ef0f$cef8887a$28352@TEKSAVVY.COM>, JF Mezei writes:
    >
    > Do you have a setup where your SSH is configured to only accept
    > connection from hosts having certain keys ? ( I ask because I have never
    > really configured/looked into SSH seriously, I just used it to connect
    > to my mac).
    >


    You can set up a lot of services so that they are only available as
    SSH tunnels. Which means you have to be able to log in to the VMS
    system before you can attack them.

    No vanilla POP port, no direct POP attack.

    That doesn't prevent anyone from attacking via SSH itself, and on at
    least some stacks you need to limit the number of connections that
    can be attacked that way. Now all the end user has to do is break
    into a properly configured VMS system! I think they'd rather be
    sniffing crack.


  5. Re: POP attacks and NOSLOT errors

    On Nov 25, 9:14 pm, "Peter Weaver"
    wrote:
    > >...
    > > Do you have some reason for not running a firewall of some sort? My

    >
    > Of course I have a firewall, I only have the ports I need opened.
    >
    > Peter Weaver
    > www.weaverconsulting.ca
    > CHARON-VAX CHARON-AXP DataStream Reflection PreciseMail HP Commercial
    > Hardware


    Peter,
    Is the only allowed access to POP via your cellphone, or from
    readily identifiable sources? If so, then does your firewall allow
    restricting the IP ranges that are allowed to initiate inbound POP (or
    other port) connections?

    We have two customers, one with crackberry phones, the other
    something else. In both cases the phone companies provided the range
    of IP addresses that their servers (which would perform the POP3
    connections routed for the phones) existed at. We have about 256 and
    1024 addresses listed as allowed on the firewalls at those sites; any
    other address attempting to come in over port 110 is simply dropped.

    It's certainly not absolute but it sure cuts down on the offnet
    scripters and crackers, and keeps the logfiles much smaller.

    Rich

  6. Re: POP attacks and NOSLOT errors

    VAXman- @SendSpamHere.ORG writes:

    >In article , JF Mezei writes:
    >>
    >>People used to brag about VMS being secure. The whole point of having
    >>robust software, intrusion detection/evasion and good logging is so that
    >>you can have services opened to the world and sleep at night.
    >>
    >>However, the POP server, as furnished by the current owner of VMS does
    >>not adhere to those high standards. And while I am at it, the SMTP
    >>server/receiver doesn't even support username/password authentication
    >>for calls coming from the outside.


    >The problem is that these *network* *protocols* were not devised by the
    >same security conscientious people who brought you VMS! I'd wager that
    >we'd not know SPAM, other than that ham, pork and potato starch product
    >from Denmark, if the VMS folks devised SMTP -- where the S in SMTP stood
    >for Secure instead of Simple.


    The real issue is, given a (weak) protocol like POP or FTP, how does VMS
    and the network stack deal with a breakin attempt like a dictionary
    attack? We all know what would happen if a computerized dictionary attack
    was launched against a hardwired port on a VMS system. Unless a valid
    username/password was guessed in the first couple of times, breakin
    evasion goes into effect and the attacker won't get in even if he does
    eventually manage to guess a valid user/password pair. But the POP
    breakin doesn't trigger breakin evasion. If the attacker guesses a valid
    user/password on the 10,000th attempt, he's in.

    This has nothing to do with the weakness of POP or other TCPIP protocols.
    The same would be true if there was no breakin evasion for DECnet SET HOST.

  7. Re: POP attacks and NOSLOT errors

    > is the only allowed access to POP via your cellphone, or from
    > readily identifiable sources? If so, then does your firewall allow
    > restricting the IP ranges that are allowed to initiate inbound POP (or
    > other port) connections?


    Right, the only reason I have POP open is for my cell phone, but I have no
    idea what the range of possible IP addresses is. I do not know if I get an
    IP address from my provider if I am out of my area, if POP would have logged
    the IP address I could have checked to see what address I had last week.

    In any event my firewall does not allow me to restrict IP address at that
    level, I could restrict it at the POP service level though (SET SERVICE
    POP/ACCEPT=(HOST=ip)). But if it was possible I would rather allow the
    attack to continue as long as I could control the number of processes
    created so I do not get the NOSLOT errors and as long as I could track the
    IP address so I could let the ISP know that they have a hacked machine on
    their network.


    Peter Weaver
    www.weaverconsulting.ca
    CHARON-VAX CHARON-AXP DataStream Reflection PreciseMail HP Commercial
    Hardware


  8. Re: POP attacks and NOSLOT errors

    >...
    > The real issue is, given a (weak) protocol like POP or FTP, how does VMS
    > and the network stack deal with a breakin attempt like a dictionary
    > attack? We all know what would happen if a computerized dictionary attack
    > was launched against a hardwired port on a VMS system. Unless a valid
    > username/password was guessed in the first couple of times, breakin
    > evasion goes into effect and the attacker won't get in even if he does
    > eventually manage to guess a valid user/password pair. But the POP
    > breakin doesn't trigger breakin evasion. If the attacker guesses a valid
    > user/password on the 10,000th attempt, he's in.
    >
    > This has nothing to do with the weakness of POP or other TCPIP protocols.
    > The same would be true if there was no breakin evasion for DECnet SET
    > HOST.


    Exactly right. Luckily in my case after 13,966 attempts the idiot never even
    hit a single valid username, considering my minimum passwords are set to 10
    (my main account has a 21 character password right now and that
    username/password is only used if I am using SSH to access the system) they
    would have to try for a long time before they got anywhere. But the attack
    did cause a DOS.
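To make the point of the two posts above concrete (a path with break-in evasion stops a dictionary attack even when the 10,000th guess is right; a path without it, like the POP server as described, lets that guess in), here is a small simulation. It is an added example, not code from this thread or from any VMS component. The parameter names mirror the SYSGEN parameters LGI_BRK_LIM, LGI_BRK_TMO and LGI_HID_TIM, but the counting and hiding rules are a simplified approximation rather than LOGINOUT's; the account, password, source address and wordlist are constructed.

```python
"""Simulated login path with and without VMS-style break-in evasion.
Added example, not code from the thread or from OpenVMS/TCP/IP Services.
Parameter names mirror SYSGEN's LGI_BRK_LIM / LGI_BRK_TMO / LGI_HID_TIM;
the rules below are a simplified approximation of the real behaviour."""
from dataclasses import dataclass, field

LGI_BRK_LIM = 5      # failures tolerated before a break-in is declared
LGI_BRK_TMO = 300.0  # seconds a failure stays counted
LGI_HID_TIM = 300.0  # seconds evasion hides the (user, source) pair

# Constructed credential store: one hypothetical account.
VALID = {"MAILUSER": "Correct-Horse-21"}


@dataclass
class LoginPath:
    evasion: bool
    checked: int = 0                                  # passwords actually compared
    failures: dict = field(default_factory=dict)      # (user, src) -> [t, ...]
    hidden_until: dict = field(default_factory=dict)  # (user, src) -> t

    def attempt(self, now, user, src, password):
        key = (user, src)
        if self.evasion and self.hidden_until.get(key, -1.0) > now:
            # Evading: refuse without looking at the password, so a correct
            # guess made during this period still fails.
            return "REFUSED_EVASION"
        self.checked += 1
        if VALID.get(user) == password:
            return "LOGGED_IN"
        if self.evasion:
            recent = [t for t in self.failures.get(key, []) if now - t < LGI_BRK_TMO]
            recent.append(now)
            self.failures[key] = recent
            if len(recent) >= LGI_BRK_LIM:
                self.hidden_until[key] = now + LGI_HID_TIM
                return "REFUSED_BREAKIN"
        return "REFUSED_BADPASS"


def dictionary_attack(path, user, src, wordlist, interval=0.5):
    """Feed the wordlist at one guess per `interval` seconds.
    Returns (attempt_number, result) at the first LOGGED_IN, or the
    last result if the attacker never gets in."""
    now = 0.0
    result = None
    for n, guess in enumerate(wordlist, start=1):
        result = path.attempt(now, user, src, guess)
        if result == "LOGGED_IN":
            return n, result
        now += interval
    return len(wordlist), result


def run_scenario(evasion):
    """Constructed wordlist: 9,999 wrong guesses, the right one at #10,000.
    Returns (attempt_number, result, passwords_actually_checked)."""
    wordlist = [f"guess{i:05d}" for i in range(9_999)] + [VALID["MAILUSER"]]
    path = LoginPath(evasion=evasion)
    n, result = dictionary_attack(path, "MAILUSER", "203.0.113.7", wordlist)
    return n, result, path.checked


if __name__ == "__main__":
    print("no evasion:", run_scenario(False))  # attacker is in at guess #10,000
    print("evasion   :", run_scenario(True))   # the correct guess is refused
```

Without evasion every guess is compared and the attacker is in on the last one; with evasion only a handful of guesses per hide period are ever compared and the correct one lands inside a hidden window. Note that evasion here is keyed on (user, source) as it is on VMS, so an attacker cycling through many source addresses or usernames is a different problem, which is what the connection limit and firewall restrictions discussed elsewhere in this thread address.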


  9. Re: POP attacks and NOSLOT errors

    In article , moroney@world.std.spaamtrap.com (Michael Moroney) writes:
    >
    >
    >VAXman- @SendSpamHere.ORG writes:
    >
    >>In article , JF Mezei writes:
    >>>
    >>>People used to brag about VMS being secure. The whole point of having
    >>>robust software, intrusion detection/evasion and good logging is so that
    >>>you can have services opened to the world and sleep at night.
    >>>
    >>>However, the POP server, as furnished by the current owner of VMS does
    >>>not adhere to those high standards. And while I am at it, the SMTP
    >>>server/receiver doesn't even support username/password authentication
    >>>for calls coming from the outside.

    >
    >>The problem is that these *network* *protocols* were not devised by the
    >>same security conscientious people who brought you VMS! I'd wager that
    >>we'd not know SPAM, other than that ham, pork and potato starch product
    >>from Denmark, if the VMS folks devised SMTP -- where the S in SMTP stood
    >>for Secure instead of Simple.

    >
    >The real issue is, given a (weak) protocol like POP or FTP, how does VMS
    >and the network stack deal with a breakin attempt like a dictionary
    >attack? We all know what would happen if a computerized dictionary attack
    >was launched against a hardwired port on a VMS system. Unless a valid
    >username/password was guessed in the first couple of times, breakin
    >evasion goes into effect and the attacker won't get in even if he does
    >eventually manage to guess a valid user/password pair. But the POP
    >breakin doesn't trigger breakin evasion. If the attacker guesses a valid
    >user/password on the 10,000th attempt, he's in.
    >
    >This has nothing to do with the weakness of POP or other TCPIP protocols.
    >The same would be true if there was no breakin evasion for DECnet SET HOST.



    I understand and it is WHY I DO NOT PERMIT the general miscreant rabble
    on the internet to access these services.


    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    "Well my son, life is like a beanstalk, isn't it?"

    http://tmesis.com/drat.html

  10. Re: POP attacks and NOSLOT errors

    In article <474B78E9.9000108@comcast.net>,
    "Richard B. Gilbert" writes:
    > Peter Weaver wrote:
    >>> ...
    >>> The real issue is, given a (weak) protocol like POP or FTP, how does VMS
    >>> and the network stack deal with a breakin attempt like a dictionary
    >>> attack? We all know what would happen if a computerized dictionary attack
    >>> was launched against a hardwired port on a VMS system. Unless a valid
    >>> username/password was guessed in the first couple of times, breakin
    >>> evasion goes into effect and the attacker won't get in even if he does
    >>> eventually manage to guess a valid user/password pair. But the POP
    >>> breakin doesn't trigger breakin evasion. If the attacker guesses a valid
    >>> user/password on the 10,000th attempt, he's in.
    >>>
    >>> This has nothing to do with the weakness of POP or other TCPIP protocols.
    >>> The same would be true if there was no breakin evasion for DECnet SET
    >>> HOST.

    >>
    >>
    >> Exactly right. Luckily in my case after 13,966 attempts the idiot never
    >> even hit a single valid username, considering my minimum passwords are
    >> set to 10 (my main account has a 21 character password right now and
    >> that username/password is only used if I am using SSH to access the
    >> system) they would have to try for a long time before they got anywhere.
    >> But the attack did cause a DOS.

    >
    > Have you considered a counterattack? If you could hack into the
    > attacker's system and, say, format his disk. . . . :-) Actually, the
    > attacker may be using a zombied PC as a proxy.


    Ever watch football on TV? Who usually gets the penalty, the guy who
    takes the first shot or the guy who retaliates?

    bill

    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    bill@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include

  11. Re: POP attacks and NOSLOT errors

    "Peter Weaver" wrote in
    news:005c01c82fda$d74b2020$4d02a8c0@CHARONLAP:

    >>...
    >> When on the road, I use ssh. I tunnel port 110 with -L
    >> 110:localhost:110. (as well as -L 25:localhost:25) Then, I have an
    >> on-the-road configuration which has localhost 25/110 defined for the
    >> servers. I can gain access to
    >>...

    >
    > I'll have to see if I can do that with my phone. The phone has Pocket
    > Putty on it but I do not know if it allows me to tunnel like the fully
    > Putty does. Right now I pick up mail on the phone using POP, but if I
    > need to send mail I use Pocket Putty to log into my machine using SSH
    > and I update the mail configuration file to allow relaying from the IP
    > address currently assigned to my phone. The relay automatically gets
    > removed the next time I log in.
    >
    > Peter Weaver
    > www.weaverconsulting.ca
    > CHARON-VAX CHARON-AXP DataStream Reflection PreciseMail HP Commercial
    > Hardware
    >
    >


    If your firewall supports logging via syslog, you could turn that on,
    forwarding the output to your VMS box. (I'm not sure if TCPIP Services
    supports this, but MultiNet does.) You could also use some other platform
    to capture the syslog information, since there are no-cost products for
    WhineBloze machines. I might even suggest only enabling the logging when
    you'll be unable to immediately respond to an attack. The syslog
    information should fill in the missing pieces to correlate with the
    operator log.

    Tad Winters
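As an added example of the correlation Tad describes (not code from this thread, and not tied to any particular firewall or to TCPIP Services/MultiNet), the script below reads forwarded firewall syslog lines, counts inbound port 110 connections per source in a sliding window, flags sources that look like a scripted attack, and for each operator-log event lists the sources that were hammering POP in the minute before it. The syslog lines imitate a netfilter-style layout and the operator-log lines use the VMS date format, but both samples are constructed; adjust SYSLOG_RE to whatever your firewall actually emits.

```python
"""Correlate forwarded firewall syslog with operator-log timestamps.
Added example; the log samples are constructed, not from the thread."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in a netfilter-style layout (assumed, not from the thread).
FIREWALL_SYSLOG = """\
Nov 25 19:10:00 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=110
Nov 25 19:14:50 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110
Nov 25 19:14:52 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110
Nov 25 19:14:54 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110
Nov 25 19:14:56 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110
Nov 25 19:14:58 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110
Nov 25 19:14:59 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP DPT=22
Nov 25 19:15:00 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110
Nov 25 19:15:02 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110
Nov 25 19:15:04 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110
"""

# Constructed operator-log events; only the leading VMS-format timestamp is parsed.
OPERATOR_EVENTS = [
    "25-NOV-2007 19:15:04.12  NOSLOT error creating POP server process",
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ \S+ "
    r"(?P<action>\w+) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dport>\d+)"
)
VMS_TIME_RE = re.compile(r"^(\d{1,2}-\w{3}-\d{4} \d\d:\d\d:\d\d\.\d+)")


def parse_syslog(text, year=2007):
    """Return [(datetime, src, dport, action)]; syslog omits the year, so pass it."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['time']}",
                                  "%b %d %Y %H:%M:%S")
        events.append((stamp, m["src"], int(m["dport"]), m["action"]))
    return events


def parse_vms_time(line):
    """Parse a leading DD-MON-YYYY HH:MM:SS.CC timestamp."""
    m = VMS_TIME_RE.match(line)
    return datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")


def sources_before(events, when, window=60, dport=110):
    """Per-source count of connections to dport in the `window` seconds before `when`."""
    start = when - timedelta(seconds=window)
    return Counter(src for t, src, p, _ in events if p == dport and start <= t <= when)


def flag_sources(events, threshold=5, window=60, dport=110):
    """Sources making >= threshold connections to dport inside any `window` seconds."""
    per_src = defaultdict(list)
    for t, src, p, _ in events:
        if p == dport:
            per_src[src].append(t)
    flagged = set()
    for src, times in per_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > timedelta(seconds=window):
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def correlate(syslog_text, operator_lines, window=60):
    """For each operator-log line, the top POP sources in the preceding window."""
    events = parse_syslog(syslog_text)
    return {line: sources_before(events, parse_vms_time(line), window).most_common(3)
            for line in operator_lines}


if __name__ == "__main__":
    evs = parse_syslog(FIREWALL_SYSLOG)
    print("flagged:", flag_sources(evs))
    for line, top in correlate(FIREWALL_SYSLOG, OPERATOR_EVENTS).items():
        print(line, "<-", top)
```

The output gives you what the POP server itself does not log: the source address behind the NOSLOT burst, which is what you need both for an abuse report to the ISP and for deciding which addresses to drop at the firewall or service level.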
