Re: these sshmucks are at it again... - VMS


  1. Re: these sshmucks are at it again...

    From: Jeff Campbell

    > VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
    >
    > ANAL/AUDI will show you the attempted user names. On my system I see:
    >
    > Date / Time Type Subtype Node Username
    > ------------------------------------------------------------------------
    > 12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
    > 12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
    > [...]


    Unless it doesn't:

    Date / Time Type Subtype Node Username ID Term
    -----------------------------------------------------------------------------------------
    [...]
    17-JUL-2007 18:33:25.68 BREAKIN NETWORK ALP TCPIP$SSH 20239AB1
    17-JUL-2007 18:33:33.01 BREAKIN NETWORK ALP TCPIP$SSH 202398B3
    [...]

    ALP $ tcpip show version

    HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
    on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2

    ------------------------------------------------------------------------

    Steven M. Schweda sms@antinode-org
    382 South Warwick Street (+1) 651-699-9818
    Saint Paul MN 55105-2547

  2. Re: these sshmucks are at it again...

    Steven M. Schweda wrote:
    > From: Jeff Campbell
    >
    >> VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
    >>
    >> ANAL/AUDI will show you the attempted user names. On my system I see:
    >>
    >> Date / Time Type Subtype Node Username
    >> ------------------------------------------------------------------------
    >> 12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
    >> 12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
    >> [...]

    >
    > Unless it doesn't:
    >
    > Date / Time Type Subtype Node Username ID Term
    > -----------------------------------------------------------------------------------------
    > [...]
    > 17-JUL-2007 18:33:25.68 BREAKIN NETWORK ALP TCPIP$SSH 20239AB1
    > 17-JUL-2007 18:33:33.01 BREAKIN NETWORK ALP TCPIP$SSH 202398B3
    > [...]
    >
    > ALP $ tcpip show version
    >
    > HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
    > on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2
    >
    > ------------------------------------------------------------------------
    >
    > Steven M. Schweda sms@antinode-org
    > 382 South Warwick Street (+1) 651-699-9818
    > Saint Paul MN 55105-2547


    My TCPIP doesn't have ssh as 5.3 is too old.
    The output I posted is from ftp attempts.

    I assumed TCPIP would have a common reporting format.
    If it doesn't it should!

    Live and learn.

    Jeff


  3. Re: these sshmucks are at it again...

    In article <1184789244_1937@sp12lax.superfeed.net>, Jeff Campbell writes:
    >
    >
    >Steven M. Schweda wrote:
    >> From: Jeff Campbell
    >>
    >>> VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
    >>>
    >>> ANAL/AUDI will show you the attempted user names. On my system I see:
    >>>
    >>> Date / Time Type Subtype Node Username
    >>> ------------------------------------------------------------------------
    >>> 12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
    >>> 12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
    >>> [...]

    >>
    >> Unless it doesn't:
    >>
    >> Date / Time Type Subtype Node Username ID Term
    >> -----------------------------------------------------------------------------------------
    >> [...]
    >> 17-JUL-2007 18:33:25.68 BREAKIN NETWORK ALP TCPIP$SSH 20239AB1
    >> 17-JUL-2007 18:33:33.01 BREAKIN NETWORK ALP TCPIP$SSH 202398B3
    >> [...]
    >>
    >> ALP $ tcpip show version
    >>
    >> HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
    >> on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2
    >>
    >> ------------------------------------------------------------------------
    >>
    >> Steven M. Schweda sms@antinode-org
    >> 382 South Warwick Street (+1) 651-699-9818
    >> Saint Paul MN 55105-2547

    >
    >My TCPIP doesn't have ssh as 5.3 is too old.
    >The output I posted is from ftp attempts.
    >
    >I assumed TCPIP would have a common reporting format.
    >If it doesn't it should!
    >
    >Live and learn.


    The problem is that a remote ssh connects to the local ssh server port.
    The connection is created under the TCPIP$SSH username and not the
    username of the account the remote ssh is trying to access.

    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    "Well my son, life is like a beanstalk, isn't it?"

    http://tmesis.com/sig.jpg

  4. Re: these sshmucks are at it again...

    In article <07071814223108_202003EE@antinode.org>,
    sms@antinode.org (Steven M. Schweda) wrote:

    > From: Jeff Campbell
    >
    > > VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
    > >
    > > ANAL/AUDI will show you the attempted user names. On my system I see:
    > >
    > > Date / Time Type Subtype Node Username
    > > ------------------------------------------------------------------------
    > > 12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
    > > 12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
    > > [...]

    >
    > Unless it doesn't:
    >
    > Date / Time Type Subtype Node Username ID Term
    > -----------------------------------------------------------------------------------------
    > [...]
    > 17-JUL-2007 18:33:25.68 BREAKIN NETWORK ALP TCPIP$SSH 20239AB1
    > 17-JUL-2007 18:33:33.01 BREAKIN NETWORK ALP TCPIP$SSH 202398B3
    > [...]
    >
    > ALP $ tcpip show version
    >
    > HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
    > on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2
    >
    > ------------------------------------------------------------------------
    >
    > Steven M. Schweda sms@antinode-org
    > 382 South Warwick Street (+1) 651-699-9818
    > Saint Paul MN 55105-2547


    Maybe it doesn't have that information when it's logging. When this is
    true:

    if f$trnlnm("tcpip$ssh_server_debug") .nes. ""

    the SSH logfile contains an entry like this:

    debug[538975642]: Sshd2/SSHD2.C:1698: User 'frodo' doesn't exist, using
    bogus group "NO_SUCH_USER".

    --
    Paul Sture

  5. Re: these sshmucks are at it again...

    In article , "P. Sture" writes:
    >
    >
    >In article <07071814223108_202003EE@antinode.org>,
    > sms@antinode.org (Steven M. Schweda) wrote:
    >
    >> From: Jeff Campbell
    >>
    >> > VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
    >> >
    >> > ANAL/AUDI will show you the attempted user names. On my system I see:
    >> >
    >> > Date / Time Type Subtype Node Username
    >> > ------------------------------------------------------------------------
    >> > 12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
    >> > 12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
    >> > [...]

    >>
    >> Unless it doesn't:
    >>
    >> Date / Time Type Subtype Node Username ID Term
    >> -----------------------------------------------------------------------------------------
    >> [...]
    >> 17-JUL-2007 18:33:25.68 BREAKIN NETWORK ALP TCPIP$SSH 20239AB1
    >> 17-JUL-2007 18:33:33.01 BREAKIN NETWORK ALP TCPIP$SSH 202398B3
    >> [...]
    >>
    >> ALP $ tcpip show version
    >>
    >> HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
    >> on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2
    >>
    >> ------------------------------------------------------------------------
    >>
    >> Steven M. Schweda sms@antinode-org
    >> 382 South Warwick Street (+1) 651-699-9818
    >> Saint Paul MN 55105-2547

    >
    >Maybe it doesn't have that information when it's logging. When this is
    >true:
    >
    > if f$trnlnm("tcpip$ssh_server_debug") .nes. ""
    >
    >the SSH logfile contains an entry like this:
    >
    >debug[538975642]: Sshd2/SSHD2.C:1698: User 'frodo' doesn't exist, using
    >bogus group "NO_SUCH_USER".


    Hey, that's a start! It would be nice in the OPCOM or AUDIT logs though.

    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    "Well my son, life is like a beanstalk, isn't it?"

    http://tmesis.com/sig.jpg

  6. Re: these sshmucks are at it again...

    In article , VAXman- @SendSpamHere.ORG
    wrote:

    > In article , "P. Sture"
    > writes:
    > >
    > >
    > >In article <07071814223108_202003EE@antinode.org>,
    > > sms@antinode.org (Steven M. Schweda) wrote:
    > >
    > >> From: Jeff Campbell
    > >>
    > >> > VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
    > >> >
    > >> > ANAL/AUDI will show you the attempted user names. On my system I see:
    > >> >
    > >> > Date / Time Type Subtype Node Username
    > >> > ------------------------------------------------------------------------
    > >> > 12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
    > >> > 12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
    > >> > [...]
    > >>
    > >> Unless it doesn't:
    > >>
    > >> Date / Time Type Subtype Node Username ID Term
    > >> -----------------------------------------------------------------------------------------
    > >> [...]
    > >> 17-JUL-2007 18:33:25.68 BREAKIN NETWORK ALP TCPIP$SSH 20239AB1
    > >> 17-JUL-2007 18:33:33.01 BREAKIN NETWORK ALP TCPIP$SSH 202398B3
    > >> [...]
    > >>
    > >> ALP $ tcpip show version
    > >>
    > >> HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
    > >> on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2
    > >>
    > >> ------------------------------------------------------------------------
    > >>
    > >> Steven M. Schweda sms@antinode-org
    > >> 382 South Warwick Street (+1) 651-699-9818
    > >> Saint Paul MN 55105-2547

    > >
    > >Maybe it doesn't have that information when it's logging. When this is
    > >true:
    > >
    > > if f$trnlnm("tcpip$ssh_server_debug") .nes. ""
    > >
    > >the SSH logfile contains an entry like this:
    > >
    > >debug[538975642]: Sshd2/SSHD2.C:1698: User 'frodo' doesn't exist, using
    > >bogus group "NO_SUCH_USER".

    >
    > Hey, that's a start! It would be nice in the OPCOM or AUDIT logs though.


    Careful though. When debugging is on, those logs are big.

    TCPIP$SSH_RUN.LOG;902 (debugging switched off)
    5/18 18-JUL-2007 17:14:25.28
    TCPIP$SSH_RUN.LOG;901 (with debugging)
    1515/1530 18-JUL-2007 17:13:57.78
    TCPIP$SSH_RUN.LOG;900
    1643/1656 18-JUL-2007 17:03:30.72
    TCPIP$SSH_RUN.LOG;899
    1813/1818 18-JUL-2007 16:57:34.54

    --
    Paul Sture

  7. Re: these sshmucks are at it again...

    In article , "P. Sture" writes:
    >
    >
    >In article , VAXman- @SendSpamHere.ORG
    >wrote:
    >
    >> In article , "P. Sture"
    >> writes:
    >> >
    >> >
    >> >In article <07071814223108_202003EE@antinode.org>,
    >> > sms@antinode.org (Steven M. Schweda) wrote:
    >> >
    >> >> From: Jeff Campbell
    >> >>
    >> >> > VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
    >> >> >
    >> >> > ANAL/AUDI will show you the attempted user names. On my system I see:
    >> >> >
    >> >> > Date / Time Type Subtype Node Username
    >> >> > ------------------------------------------------------------------------
    >> >> > 12-JUL-2007 01:07:58.33 LOGFAIL NETWORK AS600 admin
    >> >> > 12-JUL-2007 01:07:58.86 LOGFAIL NETWORK AS600 admin
    >> >> > [...]
    >> >>
    >> >> Unless it doesn't:
    >> >>
    >> >> Date / Time Type Subtype Node Username ID Term
    >> >> -----------------------------------------------------------------------------------------
    >> >> [...]
    >> >> 17-JUL-2007 18:33:25.68 BREAKIN NETWORK ALP TCPIP$SSH 20239AB1
    >> >> 17-JUL-2007 18:33:33.01 BREAKIN NETWORK ALP TCPIP$SSH 202398B3
    >> >> [...]
    >> >>
    >> >> ALP $ tcpip show version
    >> >>
    >> >> HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
    >> >> on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2
    >> >>
    >> >> ------------------------------------------------------------------------
    >> >>
    >> >> Steven M. Schweda sms@antinode-org
    >> >> 382 South Warwick Street (+1) 651-699-9818
    >> >> Saint Paul MN 55105-2547
    >> >
    >> >Maybe it doesn't have that information when it's logging. When this is
    >> >true:
    >> >
    >> > if f$trnlnm("tcpip$ssh_server_debug") .nes. ""
    >> >
    >> >the SSH logfile contains an entry like this:
    >> >
    >> >debug[538975642]: Sshd2/SSHD2.C:1698: User 'frodo' doesn't exist, using
    >> >bogus group "NO_SUCH_USER".

    >>
    >> Hey, that's a start! It would be nice in the OPCOM or AUDIT logs though.

    >
    >Careful though. When debugging is on, those logs are big.
    >
    >TCPIP$SSH_RUN.LOG;902 (debugging switched off)
    > 5/18 18-JUL-2007 17:14:25.28
    >TCPIP$SSH_RUN.LOG;901 (with debugging)
    > 1515/1530 18-JUL-2007 17:13:57.78
    >TCPIP$SSH_RUN.LOG;900
    > 1643/1656 18-JUL-2007 17:03:30.72
    >TCPIP$SSH_RUN.LOG;899
    > 1813/1818 18-JUL-2007 16:57:34.54


    Well then, that's not such a great feature. Too bad there isn't some way
    to define which debug items to log -- or maybe there is?

    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    "Well my son, life is like a beanstalk, isn't it?"

    http://tmesis.com/sig.jpg
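    The debug entry Paul Sture quotes above does carry the probed username, but only buried in a TCPIP$SSH_RUN.LOG that grows from a few blocks to over 1500 once debugging is on. As an added example that is not from the thread or from HP's TCP/IP Services, this Python unwraps such entries in a constructed sample of that log, counts the usernames sshd reported as non-existent, and keeps only entries matching chosen patterns, which is the closest post-hoc answer to the question above about choosing which debug items to log.

```python
import re
from collections import Counter

# Shape of the entry quoted in the thread (the module/line prefix varies):
# debug[538975642]: Sshd2/SSHD2.C:1698: User 'frodo' doesn't exist, using
# bogus group "NO_SUCH_USER".
NO_SUCH_USER_RE = re.compile(
    r"^debug\[\d+\]: \S+: User '(?P<user>[^']+)' doesn't exist, "
    r'using\s+bogus group "NO_SUCH_USER"\.?$'
)

# Constructed sample of a debug-enabled TCPIP$SSH_RUN.LOG (not a real log).
# Long entries wrap onto a continuation line and most entries are noise.
SAMPLE_LOG = """\
debug[538975642]: Sshd2/SSHD2.C:1698: User 'frodo' doesn't exist, using
bogus group "NO_SUCH_USER".
debug[538975642]: Sshd2/SSHD2.C:1702: Trying to authenticate user 'frodo'.
debug[538975643]: Sshd2/SSHD2.C:1698: User 'admin' doesn't exist, using
bogus group "NO_SUCH_USER".
debug[538975644]: Sshd2/SSHD2.C:1698: User 'admin' doesn't exist, using
bogus group "NO_SUCH_USER".
debug[538975645]: Sshd2/AUTHS-PASSWD.C:120: password authentication failed
"""


def unwrap(lines):
    """Re-join entries the logger wrapped onto a continuation line:
    a line not starting with 'debug[' belongs to the entry before it."""
    entries = []
    for line in lines:
        if line.startswith("debug[") or not entries:
            entries.append(line.rstrip())
        else:
            entries[-1] += " " + line.strip()
    return entries


def nonexistent_users(log_text):
    """Count the usernames sshd reported as not existing in SYSUAF."""
    counts = Counter()
    for entry in unwrap(log_text.splitlines()):
        m = NO_SUCH_USER_RE.match(entry)
        if m:
            counts[m.group("user")] += 1
    return counts


def keep_interesting(log_text, patterns=(NO_SUCH_USER_RE,)):
    """Drop entries matching none of the patterns: the after-the-fact
    equivalent of choosing which debug items are worth keeping."""
    return [e for e in unwrap(log_text.splitlines())
            if any(p.match(e) for p in patterns)]


if __name__ == "__main__":
    for user, n in nonexistent_users(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {user}")
    kept = keep_interesting(SAMPLE_LOG)
    print(f"kept {len(kept)} of {len(unwrap(SAMPLE_LOG.splitlines()))} entries")
```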

  8. Re: these sshmucks are at it again...

    In article <07071814223108_202003EE@antinode.org>, sms@antinode.org (Steven M. Schweda) writes:
    >
    > Unless it doesn't:
    >


    One more example of Multinet doing something for you that TCPIP
    Services doesn't.

    You'd think by now someone would have learned TCPIP Services needs
    to catch up to and keep up with the competition.


  9. Re: these sshmucks are at it again...

    In article , koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes:
    >
    >
    >In article <07071814223108_202003EE@antinode.org>, sms@antinode.org (Steven M. Schweda) writes:
    >>
    >> Unless it doesn't:
    >>

    >
    > One more example of Multinet doing something for you that TCPIP
    > Services doesn't.
    >
    > You'd think by now someone would have learned TCPIP Services needs
    > to catch up to and keep up with the competition.


    One of the features of Multinet and TCPware ssh that I like (and it is my
    technology that makes it possible) is the display of the Remote Port Info
    in a SHOW TERMINAL showing where the ssh connection is coming from. I've
    added this same capability to TCPIP Services ssh connections on my system.

    I am beginning to feel that if I want the username information to appear
    in an OPCOM security message, I may need to add this ability myself as
    well.


    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    "Well my son, life is like a beanstalk, isn't it?"

    http://tmesis.com/sig.jpg

  10. Re: these sshmucks are at it again...

    I think that the VMS management should take a step back, and then tell
    whatever engineers are left in the TCPIP group to make the TCPIP
    Services product compliant with VMS security.

    This includes ensuring that all attempts at verifying username/passwords are
    treated as a network login, complete with break-in evasion and COMPLETE
    LOGGING OF THE ATTEMPT, and ensuring that all inbound calls are logged in a
    consistent manner, etc., etc.

    If what is left of VMS versus the others is its security, then bringing
    TCPIP Services up to a minimum par should be an extreme priority.

    (And BTW, at 5.3 XDM also allowed unlimited login attempts, not sure at 5.6)

  11. Re: these sshmucks are at it again...

    In article , VAXman- @SendSpamHere.ORG
    wrote:

    > In article , "P. Sture"
    > writes:
    >
    > >Careful though. When debugging is on, those logs are big.
    > >
    > >TCPIP$SSH_RUN.LOG;902 (debugging switched off)
    > > 5/18 18-JUL-2007 17:14:25.28
    > >TCPIP$SSH_RUN.LOG;901 (with debugging)
    > > 1515/1530 18-JUL-2007 17:13:57.78
    > >TCPIP$SSH_RUN.LOG;900
    > > 1643/1656 18-JUL-2007 17:03:30.72
    > >TCPIP$SSH_RUN.LOG;899
    > > 1813/1818 18-JUL-2007 16:57:34.54

    >
    > Well then, that's not such a great feature. Too bad there isn't some way
    > to define which debug items to log -- or maybe there is?


    Hmm. SYS$NET is available in TCPIP$SSH_RUN.COM, so you have the BG
    device name. Doing something with that is in your territory, I believe
    :-)

    --
    Paul Sture
