POP attacks and NOSLOT errors - VMS



Thread: POP attacks and NOSLOT errors

  1. POP attacks and NOSLOT errors

    TCPIP> show ver

    HP TCP/IP Services for OpenVMS Alpha Version V5.6
    on an AlphaServer 800 5/500 running OpenVMS V8.3

    Three times in the past few years I have been attacked by someone trying to
    find a valid username/password on my system using POP, two of those times
    have been when I was out of town installing CHARON-VAX for a customer. I can
    not find any clues at all about who was doing the attack, TCP/IP does not
    log the attacking address at all, all I can see is;

    %%%%%%%%%%% OPCOM 23-NOV-2007 04:13:14.02 %%%%%%%%%%% (from node
    AXP800 a
    Message from user TCPIP$POP on AXP800
    POP server authentication error: User account "abigail" is invalid.

    %%%%%%%%%%% OPCOM 23-NOV-2007 04:13:14.13 %%%%%%%%%%% (from node
    AXP800 a
    Message from user TCPIP$POP on AXP800
    POP server authentication error: User account "adam" is invalid.

    %%%%%%%%%%% OPCOM 23-NOV-2007 04:13:14.24 %%%%%%%%%%% (from node
    AXP800 a
    Message from user TCPIP$POP on AXP800
    POP server authentication error: User account "alan" is invalid.

    After 13,996 of these messages I started getting NOSLOT errors, at that
    point the system becomes unstable; some email messages get through, some do
    not, some web requests are served, some are not... When I am not home the
    only option is to have my wife hit the power button to reboot the system.

    Does anyone;
    1. Know of any way I can find out which IP address was attacking me?
    2. Know of a way (excluding "Turn off POP") to stop these POP attacks
    from breaking my system?

    Peter Weaver
    www.weaverconsulting.ca
    CHARON-VAX CHARON-AXP DataStream Reflection PreciseMail HP Commercial
    Hardware
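
Since the OPCOM messages quoted above carry a timestamp and the rejected username but no source address, a burst of failures with many distinct usernames is the signal a defender can still alert on. The following is an added example, not part of the original post: the sample log is constructed in the layout quoted above (only the usernames "abigail", "adam" and "alan" come from the post), and the thresholds are assumptions to tune.

```python
import re
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split(), start=1)}
HEADER = re.compile(
    r"^%+\s+OPCOM\s+(\d{1,2}-[A-Za-z]{3}-\d{4}\s+\d{2}:\d{2}:\d{2}\.\d{2})\s+%+")
FAILURE = re.compile(
    r'^POP server authentication error: User account "([^"]*)" is invalid')


def parse_vms_time(text):
    """Parse a VMS absolute time such as 23-NOV-2007 04:13:14.02 (hundredths)."""
    date, clock = text.split()
    day, mon, year = date.split("-")
    hh, mm, rest = clock.split(":")
    ss, hundredths = rest.split(".")
    return datetime(int(year), MONTHS[mon.upper()], int(day),
                    int(hh), int(mm), int(ss), int(hundredths) * 10_000)


def opcom_entry(stamp, user):
    """Constructed OPCOM entry in the layout quoted in the post."""
    return (f"%%%%%%%%%%% OPCOM {stamp} %%%%%%%%%%%\n"
            "Message from user TCPIP$POP on AXP800\n"
            f'POP server authentication error: User account "{user}" is invalid.\n\n')


# Constructed sample: eight failures 0.11 s apart, then two isolated mistypes.
GUESSES = ["abigail", "adam", "alan", "albert", "alice", "amanda", "andrew", "anna"]
SAMPLE_LOG = "".join(
    [opcom_entry(f"23-NOV-2007 04:13:14.{cs:02d}", user)
     for cs, user in zip(range(2, 90, 11), GUESSES)]
    + [opcom_entry("23-NOV-2007 09:30:05.10", "jsmith"),
       opcom_entry("23-NOV-2007 09:30:20.40", "jsmith")])


def parse_failures(log_text):
    """Return [(timestamp, username)] for POP authentication failures."""
    events, stamp, from_pop = [], None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            stamp, from_pop = parse_vms_time(header.group(1)), False
            continue
        if line.startswith("Message from user TCPIP$POP"):
            from_pop = True
            continue
        failure = FAILURE.match(line)
        if failure and stamp is not None and from_pop:
            events.append((stamp, failure.group(1)))
    return events


def find_bursts(events, max_gap=timedelta(seconds=5),
                min_failures=5, min_distinct=5):
    """Group failures separated by at most max_gap and flag the groups that
    look like a dictionary run: many failures across many distinct usernames.
    A real user mistyping a password repeats one username, so it is not flagged."""
    groups, current = [], []
    for event in sorted(events):
        if current and event[0] - current[-1][0] > max_gap:
            groups.append(current)
            current = []
        current.append(event)
    if current:
        groups.append(current)

    alerts = []
    for group in groups:
        users = {user for _, user in group}
        if len(group) >= min_failures and len(users) >= min_distinct:
            alerts.append({
                "start": group[0][0],
                "end": group[-1][0],
                "failures": len(group),
                "distinct_users": len(users),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(parse_failures(SAMPLE_LOG)):
        print(f"{alert['start']} .. {alert['end']}: {alert['failures']} failures, "
              f"{alert['distinct_users']} distinct usernames")
```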


  2. Re: POP attacks and NOSLOT errors

    Peter Weaver wrote:
    > TCPIP> show ver
    >
    > HP TCP/IP Services for OpenVMS Alpha Version V5.6
    > on an AlphaServer 800 5/500 running OpenVMS V8.3
    >
    > Three times in the past few years I have been attacked by someone trying
    > to find a valid username/password on my system using POP, two of those
    > times have been when I was out of town installing CHARON-VAX for a
    > customer. I can not find any clues at all about who was doing the
    > attack, TCP/IP does not log the attacking address at all, all I can see is;

    [...]
    > After 13,996 of these messages I started getting NOSLOT errors, at that
    > point the system becomes unstable; some email messages get through, some
    > do not, some web requests are served, some are not... When I am not home
    > the only option is to have my wife hit the power button to reboot the
    > system.
    >
    > Does anyone;
    > 1. Know of any way I can find out which IP address was attacking me?


    Does $ANA/AUDIT/EVENT=BREAKIN tell you anything?

    > 2. Know of a way (excluding "Turn off POP") to stop these POP attacks
    > from breaking my system?


    I use TCPware as my IP stack. When I'm on my laptop, and I "see"
    someone trying to break in using FTP, (Login:Administrato :-)) I can use
    the command $NETCU SHOW CONNECTIONS to see the IP address of the
    offender; I can then use $NETCU KILL CONNECTION/REMOTE=.* to
    close the connection.

    I realize this is of little help to you, but I'm wondering if there is
    (and would be surprised if there isn't) a similar facility in
    TCPIP$SERVICES - it would at least help you if you happen to catch the
    intruder in the act.

    BTW - I've never run into a NOSLOT condition, even after coming home
    from work to notice that one of the script kiddies had been banging away
    (without success) at FTP for hours. Can you change stacks? :-)
    [...]

  3. Re: POP attacks and NOSLOT errors

    Peter Weaver wrote:
    > Does anyone;
    > 1. Know of any way I can find out which IP address was attacking me?


    No. I reported this some time ago. There is also no breakin evasion
    triggered.


    > 2. Know of a way (excluding "Turn off POP") to stop these POP attacks
    > from breaking my system?


    No. But you can reduce the impact by setting a service limit
    ( SET SERVICE POP /LIMIT=2 for instance). So if the hacker makes multiple
    simultaneous connection attempts, only the first 2 get through and this
    limits the damage to your system and also slows down their dictionary
    attacks.

  4. Re: POP attacks and NOSLOT errors

    Peter Weaver wrote:

    > TCPIP> show ver
    >
    > HP TCP/IP Services for OpenVMS Alpha Version V5.6
    > on an AlphaServer 800 5/500 running OpenVMS V8.3
    >
    > Three times in the past few years I have been attacked by someone trying
    > to find a valid username/password on my system using POP, two of those
    > times have been when I was out of town installing CHARON-VAX for a
    > customer. I can not find any clues at all about who was doing the
    > attack, TCP/IP does not log the attacking address at all, all I can see is;
    >
    > %%%%%%%%%%% OPCOM 23-NOV-2007 04:13:14.02 %%%%%%%%%%% (from node
    > AXP800 a
    > Message from user TCPIP$POP on AXP800
    > POP server authentication error: User account "abigail" is invalid.


    Hi.
    I had a similar phenomenon on my system :

    $ tcpip sh ver

    HP TCP/IP Services for OpenVMS Alpha Version V5.5 - ECO 2
    on an AlphaStation XP900 466 MHz running OpenVMS V8.2

    $

    > 1. Know of any way I can find out which IP address was attacking me?


    operator.log doesn't say much at all, but ana/audit gives
    entries like :

    Security alarm (SECURITY) and security audit (SECURITY) on xxxxx,
    system id: 10
    Auditable event: Network breakin detection
    Event time: 25-NOV-2007 11:42:16.64
    PID: 000000CA
    Process name: TCPIP$FTPC00002
    Username: admin
    Password:
    Remote nodename: 70-97-122-179.st
    Remote node id: 1180793523
    Remote username: FTP_46617AB3
    Posix UID: -2
    Posix GID: -2 (%XFFFFFFFE)
    Status: %LOGIN-F-NOSUCHUSER, no such user


    So try that.

    Jan-Erik.


  5. Re: POP attacks and NOSLOT errors

    Peter Weaver wrote:
    > TCPIP> show ver
    >
    > HP TCP/IP Services for OpenVMS Alpha Version V5.6
    > on an AlphaServer 800 5/500 running OpenVMS V8.3
    >
    > Three times in the past few years I have been attacked by someone trying
    > to find a valid username/password on my system using POP, two of those
    > times have been when I was out of town installing CHARON-VAX for a
    > customer. I can not find any clues at all about who was doing the
    > attack, TCP/IP does not log the attacking address at all, all I can see is;
    >
    > %%%%%%%%%%% OPCOM 23-NOV-2007 04:13:14.02 %%%%%%%%%%% (from node
    > AXP800 a
    > Message from user TCPIP$POP on AXP800
    > POP server authentication error: User account "abigail" is invalid.
    >
    > %%%%%%%%%%% OPCOM 23-NOV-2007 04:13:14.13 %%%%%%%%%%% (from node
    > AXP800 a
    > Message from user TCPIP$POP on AXP800
    > POP server authentication error: User account "adam" is invalid.
    >
    > %%%%%%%%%%% OPCOM 23-NOV-2007 04:13:14.24 %%%%%%%%%%% (from node
    > AXP800 a
    > Message from user TCPIP$POP on AXP800
    > POP server authentication error: User account "alan" is invalid.
    >
    > After 13,996 of these messages I started getting NOSLOT errors, at that
    > point the system becomes unstable; some email messages get through, some
    > do not, some web requests are served, some are not... When I am not home
    > the only option is to have my wife hit the power button to reboot the
    > system.
    >
    > Does anyone;
    > 1. Know of any way I can find out which IP address was attacking me?
    > 2. Know of a way (excluding "Turn off POP") to stop these POP attacks
    > from breaking my system?
    >
    > Peter Weaver
    > www.weaverconsulting.ca
    > CHARON-VAX CHARON-AXP DataStream Reflection PreciseMail HP Commercial
    > Hardware
    >


    Do you have some reason for not running a firewall of some sort? My
    feebleminded Linksys BEFR81 automagically blocks all incoming traffic
    that is not a response to outgoing traffic. The router logs make
    interesting reading. There is a continuous stream of probes of ports
    1026 and 1027 coming from all over the world. My systems never see
    them! I could open a port if I wished to do so but in the five years or
    so that I have had broadband cable, I have felt no need to do so.

    If you wish to allow random incoming traffic, you may need something a
    little fancier.


  6. Re: POP attacks and NOSLOT errors

    In article <23e001c82f09$5cb5d250$2802a8c0@CHARONLAP>, "Peter Weaver" writes:
    >
    >
    >TCPIP> show ver
    >
    > HP TCP/IP Services for OpenVMS Alpha Version V5.6
    > on an AlphaServer 800 5/500 running OpenVMS V8.3
    >
    >Three times in the past few years I have been attacked by someone trying to
    >find a valid username/password on my system using POP, two of those times
    >have been when I was out of town installing CHARON-VAX for a customer. I can
    >not find any clues at all about who was doing the attack, TCP/IP does not
    >log the attacking address at all, all I can see is;
    >
    >%%%%%%%%%%% OPCOM 23-NOV-2007 04:13:14.02 %%%%%%%%%%% (from node
    >AXP800 a
    >Message from user TCPIP$POP on AXP800
    >POP server authentication error: User account "abigail" is invalid.
    >
    >%%%%%%%%%%% OPCOM 23-NOV-2007 04:13:14.13 %%%%%%%%%%% (from node
    >AXP800 a
    >Message from user TCPIP$POP on AXP800
    >POP server authentication error: User account "adam" is invalid.
    >
    >%%%%%%%%%%% OPCOM 23-NOV-2007 04:13:14.24 %%%%%%%%%%% (from node
    >AXP800 a
    >Message from user TCPIP$POP on AXP800
    >POP server authentication error: User account "alan" is invalid.
    >
    >After 13,996 of these messages I started getting NOSLOT errors, at that
    >point the system becomes unstable; some email messages get through, some do
    >not, some web requests are served, some are not... When I am not home the
    >only option is to have my wife hit the power button to reboot the system.
    >
    >Does anyone;
    > 1. Know of any way I can find out which IP address was attacking me?
    > 2. Know of a way (excluding "Turn off POP") to stop these POP attacks
    >from breaking my system?


    TCPIP Services?

    Look at using the SET SERVICE POP /ACCEPT and or /REJECT qualifiers.

    I limit POP access only to inside networks and LOCALHOST (more later).

    If, during an attack, you could issue:

    $ PIPE TCPIP SHOW DEVICE | SEARCH SYS$PIPE 110

    You might see the IP of the attacker. (110 is the POP port number)



    When on the road, I use ssh. I tunnel port 110 with -L 110:localhost:110.
    (as well as -L 25:localhost:25) Then, I have an on-the-road configuration
    which has localhost 25/110 defined for the servers. I can gain access to
    mail securely and the outside is still cut off from exploiting my POP and
    SMTP servers.


    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    "Well my son, life is like a beanstalk, isn't it?"

    http://tmesis.com/drat.html

  7. Re: POP attacks and NOSLOT errors

    In article , JF Mezei writes:
    >
    >
    >Peter Weaver wrote:
    >> Does anyone;
    >> 1. Know of any way I can find out which IP address was attacking me?

    >
    >No. I reported this some time ago. There is also no breakin evasion
    >triggered.
    >
    >
    >> 2. Know of a way (excluding "Turn off POP") to stop these POP attacks
    >> from breaking my system?

    >
    >No. But you can reduce the impact by setting a service limit
    >( SET SERVICE POP /LIMIT=2 for instance). So if the hacker makes multiple
    >simultaneous connection attempts, only the first 2 get through and this
    >limits the damage to your system and also slows down their dictionary
    >attacks.



    I've limited ssh in this fashion (but I have a larger value than 2). It
    does seem to thwart the port scanners and script kiddies. Things such as
    POP and the like are NOT secure. I would limit access to these to inside
    networks and trusted hosts/IPs only.


    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    "Well my son, life is like a beanstalk, isn't it?"

    http://tmesis.com/drat.html

  8. Re: POP attacks and NOSLOT errors

    In article <47497495.4020206@comcast.net>, "Richard B. Gilbert" writes:
    >
    >
    >Peter Weaver wrote:
    >> TCPIP> show ver
    >>
    >> HP TCP/IP Services for OpenVMS Alpha Version V5.6
    >> on an AlphaServer 800 5/500 running OpenVMS V8.3
    >>
    >> Three times in the past few years I have been attacked by someone trying
    >> to find a valid username/password on my system using POP, two of those
    >> times have been when I was out of town installing CHARON-VAX for a
    >> customer. I can not find any clues at all about who was doing the
    >> attack, TCP/IP does not log the attacking address at all, all I can see is;
    >>
    >> %%%%%%%%%%% OPCOM 23-NOV-2007 04:13:14.02 %%%%%%%%%%% (from node
    >> AXP800 a
    >> Message from user TCPIP$POP on AXP800
    >> POP server authentication error: User account "abigail" is invalid.
    >>
    >> %%%%%%%%%%% OPCOM 23-NOV-2007 04:13:14.13 %%%%%%%%%%% (from node
    >> AXP800 a
    >> Message from user TCPIP$POP on AXP800
    >> POP server authentication error: User account "adam" is invalid.
    >>
    >> %%%%%%%%%%% OPCOM 23-NOV-2007 04:13:14.24 %%%%%%%%%%% (from node
    >> AXP800 a
    >> Message from user TCPIP$POP on AXP800
    >> POP server authentication error: User account "alan" is invalid.
    >>
    >> After 13,996 of these messages I started getting NOSLOT errors, at that
    >> point the system becomes unstable; some email messages get through, some
    >> do not, some web requests are served, some are not... When I am not home
    >> the only option is to have my wife hit the power button to reboot the
    >> system.
    >>
    >> Does anyone;
    >> 1. Know of any way I can find out which IP address was attacking me?
    >> 2. Know of a way (excluding "Turn off POP") to stop these POP attacks
    >> from breaking my system?
    >>
    >> Peter Weaver
    >> www.weaverconsulting.ca
    >> CHARON-VAX CHARON-AXP DataStream Reflection PreciseMail HP Commercial
    >> Hardware
    >>

    >
    >Do you have some reason for not running a firewall of some sort? My
    >feebleminded Linksys BEFR81 automagically blocks all incoming traffic
    >that is not a response to outgoing traffic. The router logs make
    >interesting reading. There is a continuous stream of probes of ports
    >1026 and 1027 coming from all over the world. My systems never see
    >them! I could open a port if I wished to do so but in the five years or
    >so that I have had broadband cable, I have felt no need to do so.


    Save that the POP server wouldn't initiate a contact to a remote client.


    >If you wish to allow random incoming traffic, you may need something a
    >little fancier.


    Like a real router or a firewall? I've not had any issues that I could
    not deal with with my router or one of VMS's or TCPIP Service's
    mechanisms. However, one of these days I *will* get to configuring my Juniper
    firewall.

    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    "Well my son, life is like a beanstalk, isn't it?"

    http://tmesis.com/drat.html

  9. Re: POP attacks and NOSLOT errors

    "Jan-Erik Söderholm" wrote in message
    news:PMd2j.795$R_4.387@newsb.telia.net...
    > Peter Weaver wrote:
    >
    >> TCPIP> show ver
    >>
    >> HP TCP/IP Services for OpenVMS Alpha Version V5.6
    >> on an AlphaServer 800 5/500 running OpenVMS V8.3
    >>
    >> Three times in the past few years I have been attacked by someone trying
    >> to find a valid username/password on my system using POP, two of those
    >> times have been when I was out of town installing CHARON-VAX for a
    >> customer. I can not find any clues at all about who was doing the attack,
    >> TCP/IP does not log the attacking address at all, all I can see is;
    >>
    >> %%%%%%%%%%% OPCOM 23-NOV-2007 04:13:14.02 %%%%%%%%%%% (from node
    >> AXP800 a
    >> Message from user TCPIP$POP on AXP800
    >> POP server authentication error: User account "abigail" is invalid.

    >
    > Hi.
    > I had a similar phenomenon on my system :
    >
    > $ tcpip sh ver
    >
    > HP TCP/IP Services for OpenVMS Alpha Version V5.5 - ECO 2
    > on an AlphaStation XP900 466 MHz running OpenVMS V8.2
    >
    > $
    >
    > > 1. Know of any way I can find out which IP address was attacking me?

    >
    > operator.log doesn't say much at all, but ana/audit gives
    > entries like :
    >
    > Security alarm (SECURITY) and security audit (SECURITY) on xxxxx, system
    > id: 10
    > Auditable event: Network breakin detection
    > Event time: 25-NOV-2007 11:42:16.64
    > PID: 000000CA
    > Process name: TCPIP$FTPC00002
    > Username: admin
    > Password:
    > Remote nodename: 70-97-122-179.st
    > Remote node id: 1180793523
    > Remote username: FTP_46617AB3
    > Posix UID: -2
    > Posix GID: -2 (%XFFFFFFFE)
    > Status: %LOGIN-F-NOSUCHUSER, no such user
    >
    >
    > So try that.
    >
    > Jan-Erik.
    >


    The Remote node id is a decimal IP address. Here's the conversion from
    http://www.kloth.net/services/iplocate.php.

    The conversion result:
    IP dotted quad   IP decimal   IP hex     IP Binary
    70.97.122.179    1180793523   46617AB3   01000110 01100001 01111010 10110011

    Reverse DNS lookup on host 70.97.122.179:
    179.122.97.70.in-addr.arpa domain name pointer 70-97-122-179.stephouse.com.

    Hope this helps.

    Mike.
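
The conversion described in the post above, applied to a whole audit listing so that break-in records can be grouped by source address. This is an added example, not part of the original post: the first record is the one quoted in the thread, the others are constructed with a documentation-range address, and the check that the "Remote username" suffix is the same address in hex is an assumption based only on the record shown here.

```python
import ipaddress
from collections import defaultdict

# Record as quoted in the thread (ANALYZE/AUDIT output).
PAGE_RECORD = """\
Security alarm (SECURITY) and security audit (SECURITY) on xxxxx, system id: 10
Auditable event: Network breakin detection
Event time: 25-NOV-2007 11:42:16.64
PID: 000000CA
Process name: TCPIP$FTPC00002
Username: admin
Password:
Remote nodename: 70-97-122-179.st
Remote node id: 1180793523
Remote username: FTP_46617AB3
Posix UID: -2
Posix GID: -2 (%XFFFFFFFE)
Status: %LOGIN-F-NOSUCHUSER, no such user
"""


def constructed_record(ip, username):
    """Constructed record (not from the thread) in the same layout."""
    node_id = int(ipaddress.IPv4Address(ip))
    return ("Security alarm (SECURITY) and security audit (SECURITY) on xxxxx, "
            "system id: 10\n"
            "Auditable event: Network breakin detection\n"
            f"Username: {username}\n"
            f"Remote node id: {node_id}\n"
            f"Remote username: FTP_{node_id:08X}\n"
            "Status: %LOGIN-F-NOSUCHUSER, no such user\n")


SAMPLE = PAGE_RECORD + "".join(
    constructed_record("198.51.100.7", user) for user in ("root", "guest", "test"))


def parse_records(text):
    """Split an audit listing into one {field: value} dict per record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("Security alarm", "Security audit")):
            current = {}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return records


def node_id_to_ip(node_id):
    """Convert the decimal 'Remote node id' to a dotted quad.
    The most significant byte is the first octet, as in the post's conversion."""
    value = int(node_id)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit IPv4 value: {node_id!r}")
    return str(ipaddress.IPv4Address(value))


def summarize(text):
    """Group break-in records by source IP with attempt counts and usernames."""
    sources = defaultdict(
        lambda: {"attempts": 0, "usernames": set(), "hex_consistent": True})
    for rec in parse_records(text):
        event = rec.get("Auditable event", "").lower()
        if "breakin" not in event or "Remote node id" not in rec:
            continue
        node_id = int(rec["Remote node id"])
        entry = sources[node_id_to_ip(node_id)]
        entry["attempts"] += 1
        entry["usernames"].add(rec.get("Username", ""))
        # Assumption from the quoted record: FTP_46617AB3 carries the hex address.
        suffix = rec.get("Remote username", "").rpartition("_")[2]
        try:
            if int(suffix, 16) != node_id:
                entry["hex_consistent"] = False
        except ValueError:
            entry["hex_consistent"] = False
    return {ip: {**entry, "usernames": sorted(entry["usernames"])}
            for ip, entry in sources.items()}


if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE).items(),
                           key=lambda item: -item[1]["attempts"]):
        print(ip, info["attempts"], ",".join(info["usernames"]))
```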



  10. Re: POP attacks and NOSLOT errors

    VAXman- @SendSpamHere.ORG wrote:
    > When on the road, I use ssh. I tunnel port 110 with -L 110:localhost:110.
    > (as well as -L 25:localhost:25) Then, I have an on-the-road configuration



    Pardon my ignorance, but in what way does SSH prevent hackers ? I can
    understand SSH encrypting stuff to prevent spies from looking at your
    communications, but does it really prevent someone from attempting to
    use POP to test username/passwords ?

    Do you have a setup where your SSH is configured to only accept
    connection from hosts having certain keys ? ( I ask because I have never
    really configured/looked into SSH seriously, I just used it to connect
    to my mac).


    Also, even if you use ssh, when it pipes the data over to port 110
    locally, you are still going to have the TCPIP Services POP
    vulnerability which I had reported quite some time ago. (no intrusion
    detection nor logging of IP address).




    > which has localhost 25/110 defined for the servers. I can gain access to
    > mail securely and the outside is still cut off from exploiting my POP and
    > SMTP servers.


    Some people need "real" POP and IMAP access from the rest of the world.
    For instance, unless my mobile handset supports tunneling of POP/IMAP
    over ssh, I still need to be able to access my host from my handset to
    check my mail.

  11. Re: POP attacks and NOSLOT errors

    In article <44117$4749ef0f$cef8887a$28352@TEKSAVVY.COM>, JF Mezei writes:
    >
    >
    >VAXman- @SendSpamHere.ORG wrote:
    >> When on the road, I use ssh. I tunnel port 110 with -L 110:localhost:110.
    >> (as well as -L 25:localhost:25) Then, I have an on-the-road configuration

    >
    >
    >Pardon my ignorance, but in what way does SSH prevent hackers ? I can
    >understand SSH encrypting stuff to prevent spies from looking at your
    >communications, but does it really prevent someone from attempting to
    >use POP to test username/passwords ?


    If POP is not accessible from the outside and only via an ssh tunnel,
    then, yes, it does prevent someone from attempting to use POP to test
    username/passwords.



    >Do you have a setup where your SSH is configured to only accept
    >connection from hosts having certain keys ? ( I ask because I have never
    >really configured/looked into SSH seriously, I just used it to connect
    >to my mac).


    Yes. The key is on my Powerbook (and a few other machines) and
    without it, nobody can connect.



    >Also, even if you use ssh, when it pipes the data over to port 110
    >locally, you are still going to have the TCPIP Services POP
    >vulnerability which I had reported quite some time ago. (no intrusion
    >detection nor logging of IP address).


    Only inside networks and localhost can access the POP server.



    >> which has localhost 25/110 defined for the servers. I can gain access to
    >> mail securely and the outside is still cut off from exploiting my POP and
    >> SMTP servers.

    >
    >Some people need "real" POP and IMAP access from the rest of the world.
    >For instance, unless my mobile handset supports tunneling of POP/IMAP
    >over ssh, I still need to be able to access my host from my handset to
    >check my mail.


    If you are willing to trade convenience for security, then so be it.
    I prefer to keep my systems and data secure. I also do not use any
    mobile handset -- I'm assuming this is a cell phone? Mine rings and
    I answer it and I know how to dial a number to place a call. Beyond
    that I have no interest whatsoever in figuring out how to use all of
    its other silly features. I hate the phone but realize it is
    a somewhat necessary evil in today's society. However, when I drive,
    I have it turned off. There is nothing more *****ing* annoying than
    getting a phone call when driving. How the hell did we get ourselves
    to this point in our evolution? There is nothing, AFAIAC, that is so
    important that one needs to risk an automobile accident to answer one
    of these asinine Star Trek communicators.

    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    "Well my son, life is like a beanstalk, isn't it?"

    http://tmesis.com/drat.html

  12. Re: POP attacks and NOSLOT errors

    VAXman- wrote:
    > In article <44117$4749ef0f$cef8887a$28352@TEKSAVVY.COM>, JF Mezei writes:
    >
    >>
    >>VAXman- @SendSpamHere.ORG wrote:
    >>
    >>>When on the road, I use ssh. I tunnel port 110 with -L 110:localhost:110.
    >>>(as well as -L 25:localhost:25) Then, I have an on-the-road configuration

    >>
    >>
    >>Pardon my ignorance, but in what way does SSH prevent hackers ? I can
    >>understand SSH encrypting stuff to prevent spies from looking at your
    >>communications, but does it really prevent someone from attempting to
    >>use POP to test username/passwords ?

    >
    >
    > If POP is not accessible from the outside and only via an ssh tunnel,
    > then, yes, it does prevent someone from attempting to use POP to test
    > username/passwords.
    >
    >
    >
    >
    >>Do you have a setup where your SSH is configured to only accept
    >>connection from hosts having certain keys ? ( I ask because I have never
    >>really configured/looked into SSH seriously, I just used it to connect
    >>to my mac).

    >
    >
    > Yes. The key is on my Powerbook (and a few other machines) and
    > without it, nobody can connect.
    >
    >
    >
    >
    >>Also, even if you use ssh, when it pipes the data over to port 110
    >>locally, you are still going to have the TCPIP Services POP
    >>vulnerability which I had reported quite some time ago. (no intrusion
    >>detection nor logging of IP address).

    >
    >
    > Only inside networks and localhost can access the POP server.
    >
    >
    >
    >
    >>>which has localhost 25/110 defined for the servers. I can gain access to
    >>>mail securely and the outside is still cut off from exploiting my POP and
    >>>SMTP servers.

    >>
    >>Some people need "real" POP and IMAP access from the rest of the world.
    >>For instance, unless my mobile handset supports tunneling of POP/IMAP
    >>over ssh, I still need to be able to access my host from my handset to
    >>check my mail.

    >
    >
    > If you are willing to trade convenience for security, then so be it.
    > I prefer to keep my systems and data secure. I also do not use any
    > mobile handset -- I'm assuming this is a cell phone? Mine rings and
    > I answer it and I know how to dial a number to place a call. Beyond
    > that I have no interest whatsoever in figuring out how to use all of
    > its other silly features. I hate the phone but realize it is
    > a somewhat necessary evil in today's society. However, when I drive,
    > I have it turned off. There is nothing more *****ing* annoying than
    > getting a phone call when driving. How the hell did we get ourselves
    > to this point in our evolution? There is nothing, AFAIAC, that is so
    > important that one needs to risk an automobile accident to answer one
    > of these asinine Star Trek communicators.
    >


    It helps reduce the numbers of the slow/stupid! Consider it evolution
    in action!


  13. Re: POP attacks and NOSLOT errors

    VAXman- @SendSpamHere.ORG wrote:
    >> If POP is not accessible from the outside and only via an ssh tunnel,

    > then, yes, it does prevent someone from attempting to use POP to test
    > username/passwords.



    People used to brag about VMS being secure. The whole point of having
    robust software, intrusion detection/evasion and good logging is so that
    you can have services opened to the world and sleep at night.

    However, the POP server, as furnished by the current owner of VMS does
    not adhere to those high standards. And while I am at it, the SMTP
    server/receiver doesn't even support username/password authentication
    for calls coming from the outside.

    If you have to shield your VMS system from outside access, then VMS is
    no better than Windows for security.

  14. Re: POP attacks and NOSLOT errors

    In article <4749FB80.8020702@comcast.net>, "Richard B. Gilbert" writes:
    >{...snip...}
    >> I have it turned off. There is nothing more *****ing* annoying than
    >> getting a phone call when driving. How the hell did we get ourselves
    >> to this point in our evolution? There is nothing, AFAIAC, that is so
    >> important that one needs to risk an automobile accident to answer one
    >> of these asinine Star Trek communicators.
    >>

    >
    >It helps reduce the numbers of the slow/stupid! Consider it evolution
    >in action!


    Nominees for the Darwin Award! Got it!

    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    "Well my son, life is like a beanstalk, isn't it?"

    http://tmesis.com/drat.html

  15. Re: POP attacks and NOSLOT errors

    In article , JF Mezei writes:
    >
    >
    >VAXman- @SendSpamHere.ORG wrote:
    >>> If POP is not accessible from the outside and only via an ssh tunnel,

    >> then, yes, it does prevent someone from attempting to use POP to test
    >> username/passwords.

    >
    >
    >People used to brag about VMS being secure. The whole point of having
    >robust software, intrusion detection/evasion and good logging is so that
    >you can have services opened to the world and sleep at night.
    >
    >However, the POP server, as furnished by the current owner of VMS does
    >not adhere to those high standards. And while I am at it, the SMTP
    >server/receiver doesn't even support username/password authentication
    >for calls coming from the outside.


    The problem is that these *network* *protocols* were not devised by the
    same security conscientious people who brought you VMS! I'd wager that
    we'd not know SPAM, other than that ham, pork and potato starch product
    from Denmark, if the VMS folks devised SMTP -- where the S in SMTP stood
    for Secure instead of Simple.



    >If you have to shield your VMS system from outside access, then VMS is
    >no better than Windows for security.


    I'm not shielding it. I've configured it so that I permit those whom I
    want to access my machines and deny those whom I do not. I don't see a
    problem with VMS security there. I don't want people to access any of
    my machines via the SYSTEM account either. If I did, I wouldn't bother
    to establish passwords on their SYSTEM accounts.


    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    "Well my son, life is like a beanstalk, isn't it?"

    http://tmesis.com/drat.html

  16. Re: POP attacks and NOSLOT errors

    >...
    > Do you have some reason for not running a firewall of some sort? My


    Of course I have a firewall, I only have the ports I need opened.

    Peter Weaver
    www.weaverconsulting.ca
    CHARON-VAX CHARON-AXP DataStream Reflection PreciseMail HP Commercial
    Hardware


  17. Re: POP attacks and NOSLOT errors

    >...
    > No. I reported this some time ago. There is also no breakin evasion
    > triggered.


    Yes, I remember seeing your posting the first time this happened to me, it
    would have been really nice if someone from HP would have seen it too.

    >...
    > No. But you can reduce the impact by setting a service limit
    > ( SET SERVICE POP /LIMIT=2 for instance). So if the hacker makes multiple
    > simultaneous connection attempts, only the first 2 get through and this
    > limits the damage to your system and also slows down their dictionary
    > attacks.


    Thanks, I'll try that.

    Peter Weaver
    www.weaverconsulting.ca
    CHARON-VAX CHARON-AXP DataStream Reflection PreciseMail HP Commercial
    Hardware


  18. Re: POP attacks and NOSLOT errors

    >...
    > Does $ANA/AUDIT/EVENT=BREAKIN tell you anything?


    Not for POP, it does for FTP and SSH but POP does not trigger anything
    other than OPCOM messages.

    >...
    > (without success) at FTP for hours. Can you change stacks? :-)


    I would rather run TCPWare myself, but this is not a hobbyist machine.


    Peter Weaver
    www.weaverconsulting.ca
    CHARON-VAX CHARON-AXP DataStream Reflection PreciseMail HP Commercial
    Hardware


  19. Re: POP attacks and NOSLOT errors

    >...
    > When on the road, I use ssh. I tunnel port 110 with -L 110:localhost:110.
    > (as well as -L 25:localhost:25) Then, I have an on-the-road configuration
    > which has localhost 25/110 defined for the servers. I can gain access to
    >...


    I'll have to see if I can do that with my phone. The phone has Pocket Putty
    on it but I do not know if it allows me to tunnel like the full Putty does.
    Right now I pick up mail on the phone using POP, but if I need to send mail
    I use Pocket Putty to log into my machine using SSH and I update the mail
    configuration file to allow relaying from the IP address currently assigned
    to my phone. The relay automatically gets removed the next time I log in.

    Peter Weaver
    www.weaverconsulting.ca
    CHARON-VAX CHARON-AXP DataStream Reflection PreciseMail HP Commercial
    Hardware


  20. Re: POP attacks and NOSLOT errors

    >...
    > I've limited ssh in this fashion (but I have a larger value than 2). It
    > does seem to thwart the port scanners and script kiddies. Things such as
    > POP and the like are NOT secure. I would limit access to these to inside
    > networks and trusted hosts/IPs only.


    I limit my use of POP but there are times when it is my only option so I
    take the risk of using it. Some sites I visit do not let people use their
    laptops in their office so I use my phone to get emails.

    Peter Weaver
    www.weaverconsulting.ca
    CHARON-VAX CHARON-AXP DataStream Reflection PreciseMail HP Commercial
    Hardware

