Re: these sshmucks are at it again... - VMS
Re: these sshmucks are at it again...
From: Jeff Campbell
> VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
>
> ANAL/AUDI will show you the attempted user names. On my system I see:
>
> Date / Time Type Subtype Node Username
> ------------------------------------------------------------------------
> 12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
> 12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
> [...]
Unless it doesn't:
Date / Time Type Subtype Node Username ID Term
-----------------------------------------------------------------------------------------
[...]
17-JUL-2007 18:33:25.68 BREAKIN NETWORK ALP TCPIP$SSH 20239AB1
17-JUL-2007 18:33:33.01 BREAKIN NETWORK ALP TCPIP$SSH 202398B3
[...]
ALP $ tcpip show version
HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2
------------------------------------------------------------------------
Steven M. Schweda sms@antinode-org
382 South Warwick Street (+1) 651-699-9818
Saint Paul MN 55105-2547
-
Re: these sshmucks are at it again...
Steven M. Schweda wrote:
> From: Jeff Campbell
>
>> VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
>>
>> ANAL/AUDI will show you the attempted user names. On my system I see:
>>
>> Date / Time Type Subtype Node Username
>> ------------------------------------------------------------------------
>> 12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
>> 12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
>> [...]
>
> Unless it doesn't:
>
> Date / Time Type Subtype Node Username ID Term
> -----------------------------------------------------------------------------------------
> [...]
> 17-JUL-2007 18:33:25.68 BREAKIN NETWORK ALP TCPIP$SSH 20239AB1
> 17-JUL-2007 18:33:33.01 BREAKIN NETWORK ALP TCPIP$SSH 202398B3
> [...]
>
> ALP $ tcpip show version
>
> HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
> on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2
My TCPIP doesn't have ssh as 5.3 is too old.
The output I posted is from ftp attempts.
I assumed TCPIP would have a common reporting format.
If it doesn't it should!
Live and learn.
Jeff
-
Re: these sshmucks are at it again...
In article <1184789244_1937@sp12lax.superfeed.net>, Jeff Campbell writes:
>
>
>Steven M. Schweda wrote:
>> From: Jeff Campbell
>>
>>> VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
>>>
>>> ANAL/AUDI will show you the attempted user names. On my system I see:
>>>
>>> Date / Time Type Subtype Node Username
>>> ------------------------------------------------------------------------
>>> 12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
>>> 12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
>>> [...]
>>
>> Unless it doesn't:
>>
>> Date / Time Type Subtype Node Username ID Term
>> -----------------------------------------------------------------------------------------
>> [...]
>> 17-JUL-2007 18:33:25.68 BREAKIN NETWORK ALP TCPIP$SSH 20239AB1
>> 17-JUL-2007 18:33:33.01 BREAKIN NETWORK ALP TCPIP$SSH 202398B3
>> [...]
>>
>> ALP $ tcpip show version
>>
>> HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
>> on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2
>
>My TCPIP doesn't have ssh as 5.3 is too old.
>The output I posted is from ftp attempts.
>
>I assumed TCPIP would have a common reporting format.
>If it doesn't it should!
>
>Live and learn.
The problem is that a remote ssh connects to the local ssh server port.
The connection is created under the TCPIP$SSH username and not the username
of the account the remote ssh is trying to access.
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM
"Well my son, life is like a beanstalk, isn't it?"
http://tmesis.com/sig.jpg
-
Re: these sshmucks are at it again...
In article <07071814223108_202003EE@antinode.org>,
sms@antinode.org (Steven M. Schweda) wrote:
> From: Jeff Campbell
>
> > VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
> >
> > ANAL/AUDI will show you the attempted user names. On my system I see:
> >
> > Date / Time Type Subtype Node Username
> > ------------------------------------------------------------------------
> > 12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
> > 12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
> > [...]
>
> Unless it doesn't:
>
> Date / Time Type Subtype Node Username ID Term
> -----------------------------------------------------------------------------------------
> [...]
> 17-JUL-2007 18:33:25.68 BREAKIN NETWORK ALP TCPIP$SSH 20239AB1
> 17-JUL-2007 18:33:33.01 BREAKIN NETWORK ALP TCPIP$SSH 202398B3
> [...]
>
> ALP $ tcpip show version
>
> HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
> on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2
Maybe it doesn't have that information when it's logging. When this is
true:
if f$trnlnm("tcpip$ssh_server_debug") .nes. ""
the SSH logfile contains an entry like this:
debug[538975642]: Sshd2/SSHD2.C:1698: User 'frodo' doesn't exist, using bogus group "NO_SUCH_USER".
--
Paul Sture
-
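The two points made above, that a TCPIP Services SSH BREAKIN is audited under the TCPIP$SSH service account rather than the name the attacker tried, and that the attempted name only surfaces in the sshd debug log, are what a triage script has to work around. The following Python is an added example and not code from anyone in this thread. It parses constructed sample lines laid out like the ANALYZE/AUDIT output and the debug line quoted above, separates failures that name the attempted account from ones that only name a service account, pulls the rejected usernames out of the debug log, and flags nodes with a burst of failures. The set of service accounts, the 60-second window and the threshold of 3 are assumptions to adjust per site. Because the debug line as quoted carries no timestamp, the script tallies the two sources separately rather than joining them, and since that message is only emitted for usernames that do not exist, a wrong password against a real account leaves no trace in that tally.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of ANALYZE/AUDIT /BRIEF output in the column order quoted in the
# thread (Date / Time, Type, Subtype, Node, Username, and on TCPIP V5.4 an ID column).
# The ALP lines mirror the SSH BREAKINs, the AS600 lines mirror the FTP LOGFAILs.
AUDIT_SAMPLE = """\
12-JUL-2007 01:07:58.33 LOGFAIL NETWORK  AS600 admin
12-JUL-2007 01:07:58.86 LOGFAIL NETWORK  AS600 admin
17-JUL-2007 18:33:25.68 BREAKIN NETWORK  ALP   TCPIP$SSH  20239AB1
17-JUL-2007 18:33:33.01 BREAKIN NETWORK  ALP   TCPIP$SSH  202398B3
17-JUL-2007 18:33:41.55 BREAKIN NETWORK  ALP   TCPIP$SSH  202398B5
"""

# Constructed sample of TCPIP$SSH_RUN.LOG lines with tcpip$ssh_server_debug defined,
# in the format quoted in the thread. Only nonexistent usernames produce this message,
# so a wrong password against a real account leaves no trace here.
SSH_DEBUG_SAMPLE = """\
debug[538975642]: Sshd2/SSHD2.C:1698: User 'frodo' doesn't exist, using bogus group "NO_SUCH_USER".
debug[538975642]: Sshd2/SSHD2.C:1698: User 'admin' doesn't exist, using bogus group "NO_SUCH_USER".
debug[538975642]: Sshd2/SSHD2.C:1698: User 'admin' doesn't exist, using bogus group "NO_SUCH_USER".
"""

# Accounts the network listeners themselves run under (assumption; extend per site).
# A failure recorded against one of these names tells you which service was hit,
# not which account the attacker asked for.
SERVICE_ACCOUNTS = {"TCPIP$SSH"}

AUDIT_RE = re.compile(
    r"^(\d{2}-[A-Z]{3}-\d{4})\s+(\d{2}:\d{2}:\d{2}\.\d{2})\s+"  # date, time
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"                             # type, subtype, node, username
    r"(?:\s+(\S+))?.*$"                                          # optional ID, anything after
)
NO_USER_RE = re.compile(r"User '([^']+)' doesn't exist")


def parse_audit(text):
    """Return one dict per parseable audit record, skipping headers and separators."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line.strip())
        if not m:
            continue
        date, time, typ, subtype, node, username, ident = m.groups()
        events.append({
            "when": datetime.strptime(f"{date} {time}", "%d-%b-%Y %H:%M:%S.%f"),
            "type": typ, "subtype": subtype, "node": node,
            "username": username, "id": ident,
        })
    return events


def summarize_audit(events):
    """Split failures into ones that name the attempted account and ones that only
    name a service account (SSH on TCPIP Services), counted per (node, username)."""
    attempted, service_only = Counter(), Counter()
    for e in events:
        if e["type"] not in ("LOGFAIL", "BREAKIN"):
            continue
        key = (e["node"], e["username"])
        if e["username"].upper() in SERVICE_ACCOUNTS:
            service_only[key] += 1
        else:
            attempted[key] += 1
    return attempted, service_only


def parse_ssh_debug(text):
    """Recover the usernames sshd rejected as nonexistent from the debug log."""
    return Counter(m.group(1) for m in map(NO_USER_RE.search, text.splitlines()) if m)


def burst_nodes(events, window_s=60, threshold=3):
    """Per node, the largest number of failures inside any window_s-second window,
    reported only where it reaches threshold (both defaults are arbitrary assumptions)."""
    times_by_node = {}
    for e in sorted(events, key=lambda e: e["when"]):
        if e["type"] in ("LOGFAIL", "BREAKIN"):
            times_by_node.setdefault(e["node"], []).append(e["when"])
    flagged = {}
    for node, times in times_by_node.items():
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[node] = max(flagged.get(node, 0), count)
    return flagged


if __name__ == "__main__":
    ev = parse_audit(AUDIT_SAMPLE)
    attempted, service_only = summarize_audit(ev)
    print("audit, attempted account known:   ", dict(attempted))
    print("audit, service account only:      ", dict(service_only))
    print("sshd debug, nonexistent usernames:", dict(parse_ssh_debug(SSH_DEBUG_SAMPLE)))
    print("nodes with failure bursts:        ", burst_nodes(ev))
```

On the sample, the AS600 FTP failures come out as two attempts against "admin", the three ALP SSH failures come out under TCPIP$SSH with no attempted name, the debug tally recovers "admin" twice and "frodo" once, and ALP is flagged for three failures inside one window. To run it against real data, replace the two sample strings with the contents of an ANALYZE/AUDIT /BRIEF listing and of TCPIP$SSH_RUN.LOG copied off the system.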
Re: these sshmucks are at it again...
In article , "P. Sture" writes:
>
>
>In article <07071814223108_202003EE@antinode.org>,
> sms@antinode.org (Steven M. Schweda) wrote:
>
>> From: Jeff Campbell
>>
>> > VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
>> >
>> > ANAL/AUDI will show you the attempted user names. On my system I see:
>> >
>> > Date / Time Type Subtype Node Username
>> > ------------------------------------------------------------------------
>> > 12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
>> > 12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
>> > [...]
>>
>> Unless it doesn't:
>>
>> Date / Time Type Subtype Node Username ID Term
>> -----------------------------------------------------------------------------------------
>> [...]
>> 17-JUL-2007 18:33:25.68 BREAKIN NETWORK ALP TCPIP$SSH 20239AB1
>> 17-JUL-2007 18:33:33.01 BREAKIN NETWORK ALP TCPIP$SSH 202398B3
>> [...]
>>
>> ALP $ tcpip show version
>>
>> HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
>> on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2
>
>Maybe it doesn't have that information when it's logging. When this is
>true:
>
> if f$trnlnm("tcpip$ssh_server_debug") .nes. ""
>
>the SSH logfile contains an entry like this:
>
>debug[538975642]: Sshd2/SSHD2.C:1698: User 'frodo' doesn't exist, using
>bogus group "NO_SUCH_USER".
Hey, that's a start! It would be nice in the OPCOM or AUDIT logs though.
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM
"Well my son, life is like a beanstalk, isn't it?"
http://tmesis.com/sig.jpg
-
Re: these sshmucks are at it again...
In article , VAXman- @SendSpamHere.ORG
wrote:
> In article , "P. Sture"
> writes:
> >
> >
> >In article <07071814223108_202003EE@antinode.org>,
> > sms@antinode.org (Steven M. Schweda) wrote:
> >
> >> From: Jeff Campbell
> >>
> >> > VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
> >> >
> >> > ANAL/AUDI will show you the attempted user names. On my system I see:
> >> >
> >> > Date / Time Type Subtype Node Username
> >> > ---------------------------------------------------------------------
> >> > ---
> >> > 12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
> >> > 12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
> >> > [...]
> >>
> >> Unless it doesn't:
> >>
> >> Date / Time Type Subtype Node Username ID Term
> >> -----------------------------------------------------------------------------------------
> >> [...]
> >> 17-JUL-2007 18:33:25.68 BREAKIN NETWORK ALP TCPIP$SSH 20239AB1
> >> 17-JUL-2007 18:33:33.01 BREAKIN NETWORK ALP TCPIP$SSH 202398B3
> >> [...]
> >>
> >> ALP $ tcpip show version
> >>
> >> HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
> >> on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2
> >
> >Maybe it doesn't have that information when it's logging. When this is
> >true:
> >
> > if f$trnlnm("tcpip$ssh_server_debug") .nes. ""
> >
> >the SSH logfile contains an entry like this:
> >
> >debug[538975642]: Sshd2/SSHD2.C:1698: User 'frodo' doesn't exist, using
> >bogus group "NO_SUCH_USER".
>
> Hey, that's a start! It would be nice in the OPCOM or AUDIT logs though.
Careful though. When debugging is on, those logs are big.
TCPIP$SSH_RUN.LOG;902 (debugging switched off)
5/18 18-JUL-2007 17:14:25.28
TCPIP$SSH_RUN.LOG;901 (with debugging)
1515/1530 18-JUL-2007 17:13:57.78
TCPIP$SSH_RUN.LOG;900
1643/1656 18-JUL-2007 17:03:30.72
TCPIP$SSH_RUN.LOG;899
1813/1818 18-JUL-2007 16:57:34.54
--
Paul Sture
-
Re: these sshmucks are at it again...
In article , "P. Sture" writes:
>
>
>In article , VAXman- @SendSpamHere.ORG
>wrote:
>
>> In article , "P. Sture"
>> writes:
>> >
>> >
>> >In article <07071814223108_202003EE@antinode.org>,
>> > sms@antinode.org (Steven M. Schweda) wrote:
>> >
>> >> From: Jeff Campbell
>> >>
>> >> > VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
>> >> >
>> >> > ANAL/AUDI will show you the attempted user names. On my system I see:
>> >> >
>> >> > Date / Time Type Subtype Node Username
>> >> > ------------------------------------------------------------------------
>> >> > 12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
>> >> > 12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
>> >> > [...]
>> >>
>> >> Unless it doesn't:
>> >>
>> >> Date / Time Type Subtype Node Username ID Term
>> >> -----------------------------------------------------------------------------------------
>> >> [...]
>> >> 17-JUL-2007 18:33:25.68 BREAKIN NETWORK ALP TCPIP$SSH 20239AB1
>> >> 17-JUL-2007 18:33:33.01 BREAKIN NETWORK ALP TCPIP$SSH 202398B3
>> >> [...]
>> >>
>> >> ALP $ tcpip show version
>> >>
>> >> HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
>> >> on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2
>> >
>> >Maybe it doesn't have that information when it's logging. When this is
>> >true:
>> >
>> > if f$trnlnm("tcpip$ssh_server_debug") .nes. ""
>> >
>> >the SSH logfile contains an entry like this:
>> >
>> >debug[538975642]: Sshd2/SSHD2.C:1698: User 'frodo' doesn't exist, using
>> >bogus group "NO_SUCH_USER".
>>
>> Hey, that's a start! It would be nice in the OPCOM or AUDIT logs though.
>
>Careful though. When debugging is on, those logs are big.
>
>TCPIP$SSH_RUN.LOG;902 (debugging switched off)
> 5/18 18-JUL-2007 17:14:25.28
>TCPIP$SSH_RUN.LOG;901 (with debugging)
> 1515/1530 18-JUL-2007 17:13:57.78
>TCPIP$SSH_RUN.LOG;900
> 1643/1656 18-JUL-2007 17:03:30.72
>TCPIP$SSH_RUN.LOG;899
> 1813/1818 18-JUL-2007 16:57:34.54
Well then, that's not such a great feature. Too bad there isn't some way
to define which debug items to log -- or maybe there is?
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM
"Well my son, life is like a beanstalk, isn't it?"
http://tmesis.com/sig.jpg
-
Re: these sshmucks are at it again...
In article <07071814223108_202003EE@antinode.org>, sms@antinode.org (Steven M. Schweda) writes:
>
> Unless it doesn't:
>
One more example of Multinet doing something for you that TCPIP
Services doesn't.
You'd think by now someone would have learned TCPIP Services needs
to catch up to and keep up with the competition.
-
Re: these sshmucks are at it again...
In article , koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes:
>
>
>In article <07071814223108_202003EE@antinode.org>, sms@antinode.org (Steven M. Schweda) writes:
>>
>> Unless it doesn't:
>>
>
> One more example of Multinet doing something for you that TCPIP
> Services doesn't.
>
> You'ld think by now someone would have learned TCPIP Services needs
> to catch up to and keep up with the competition.
One of the features of Multinet and TCPware ssh that I like (and it is my
technology that makes it possible) is the display of the Remote Port Info
in a SHOW TERMINAL showing where the ssh connection is coming from. I've
added this same capability to TCPIP Services ssh connections on my system.
I am beginning to feel that if I want the username information to appear
in an OPCOM security message, I may have to add this ability myself as well.
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM
"Well my son, life is like a beanstalk, isn't it?"
http://tmesis.com/sig.jpg
-
Re: these sshmucks are at it again...
I think that the VMS management should take a step back, and then tell
whatever engineers are left in the TCPIP group to make the TCPIP
Services product compliant with VMS security.
This includes ensuring all attempts at verifying username/passwords are
treated as a network login, complete with break-in evasion and COMPLETE
LOGGING OF THE ATTEMPT, and ensuring that all inbound calls are logged in a
consistent manner, etc.
If what is left of VMS versus the others is its security, then bringing
TCPIP Services up to a minimum par should be an extreme priority.
(And BTW, at 5.3 XDM also allowed unlimited login attempts, not sure at 5.6)
-
Re: these sshmucks are at it again...
In article , VAXman- @SendSpamHere.ORG
wrote:
> In article , "P. Sture"
> writes:
>
> >Careful though. When debugging is on, those logs are big.
> >
> >TCPIP$SSH_RUN.LOG;902 (debugging switched off)
> > 5/18 18-JUL-2007 17:14:25.28
> >TCPIP$SSH_RUN.LOG;901 (with debugging)
> > 1515/1530 18-JUL-2007 17:13:57.78
> >TCPIP$SSH_RUN.LOG;900
> > 1643/1656 18-JUL-2007 17:03:30.72
> >TCPIP$SSH_RUN.LOG;899
> > 1813/1818 18-JUL-2007 16:57:34.54
>
> Well then, that's not such a great feature. Too bad there isn't some way
> to define which bebug items to log -- or maybe there is?
Hmm. SYS$NET is available in TCPIP$SSH_RUN.COM, so you have the BG
device name. Doing something with that is in your territory, I believe
:-)
--
Paul Sture