Re: Help with tracking down intrusion record logs - VMS



Thread: Re: Help with tracking down intrusion record logs

  1. Re: Help with tracking down intrusion record logs

    From: gartmann@nonsense.immunbio.mpg.de (Christoph Gartmann)
    In article <1187767904.199876.204390@l22g2000prc.googlegroups.com>, mcbill20@yahoo.com writes:

    > >A few hours ago I noticed my VMS console going crazy with intrusion
    > >messages. Someone was trying to breakin via FTP. The console messages
    > >of course had the date/time, program (FTP), username ("administrato"),
    > >and the remote host. When I did a "show intru" it showed some 6400
    > >attempts.
    > >[...]


    > In the security audit journal. See ANALYZE/AUDIT.


    I normally do (from SYS$MANAGER):

    anal /audi /full /sinc = /outp = aa

    where:

    ALP $ show logi aa
    "AA" = "SYS$MANAGER:AA.OUT" (LNM$PROCESS_TABLE)

    and SYS$MANAGER:AA.OUT has W:RE protection, so that I can easily include
    it in my (non-SYSTEM) e-mail. (My own login.com also defines "AA".)

    For FTP-related complaints, I also include any relevant data from:

    sys$sysdevice:[tcpip$ftp]tcpip$ftp_anonymous.log
    sys$sysdevice:[tcpip$ftp]tcpip$ftp_run.log

    (In the latter, you can see the whole "Administrator".) I have an ACE
    on those which allows me to read them (IDENTIFIER=[SMS],ACCESS=READ).

    "type /tail aa" is useful for determining the next "" to
    specify. I suppose that one could also automate that part, perhaps
    using the file's date instead of its contents. I haven't felt the need
    yet.

    This scheme serves for SSH and other attacks, too, but the FTP
    password-guessing sessions make for the most impressive volume (>10X the
    typical SSH attack).

    ------------------------------------------------------------------------

    Steven M. Schweda sms@antinode-org
    382 South Warwick Street (+1) 651-699-9818
    Saint Paul MN 55105-2547
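    The automation suggested above (using the previous output file's date
    instead of its contents to pick the next /SINCE value) sketched as a DCL
    command procedure. This is an added example, not the poster's own
    procedure: the output file name and the [SMS] identifier are taken from
    the post, the procedure name is hypothetical, and the extract is left
    readable only to SYSTEM, the owner and that one identifier rather than
    to World.

    ```dcl
    $! audit_extract.com (hypothetical name): incremental ANALYZE/AUDIT extract.
    $! The /SINCE time is the revision date of the previous extract, so the
    $! file's own contents never have to be inspected with TYPE/TAIL.
    $ out = "SYS$MANAGER:AA.OUT"
    $ prev = F$SEARCH(out)
    $ IF prev .EQS. ""
    $ THEN
    $     since = "TODAY"                           ! first run: no previous extract
    $ ELSE
    $     since = F$FILE_ATTRIBUTES(prev, "RDT")    ! revision date of last extract
    $ ENDIF
    $ WRITE SYS$OUTPUT "Extracting audit records since ''since'"
    $! Default input is SYS$MANAGER:SECURITY.AUDIT$JOURNAL, as in the post.
    $ ANALYZE/AUDIT/FULL/SINCE="''since'"/OUTPUT='out'
    $! No World access; grant read to the single identifier used in the post
    $! ([SMS] is the post's value, substitute your own) instead of W:RE.
    $ SET SECURITY/PROTECTION=(S:RWED,O:RWED,G,W) -
          /ACL=(IDENTIFIER=[SMS],ACCESS=READ) 'out'
    $ PURGE/KEEP=2 'out'                            ! keep current and previous version
    $ EXIT
    ```

    Adding /EVENT_TYPE=BREAKIN to the ANALYZE/AUDIT line restricts the extract to the break-in records that the console messages in the original question correspond to.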

  2. Re: Help with tracking down intrusion record logs

    In article <07082207414753_20200296@antinode.org>, sms@antinode.org (Steven M. Schweda) writes:
    >
    > and SYS$MANAGER:AA.OUT has W:RE protection, so that I can easily include
    > it in my (non-SYSTEM) e-mail. (My own login.com also defines "AA".)


    Boy, am I glad you're not responsible for security on my system. I'd
    never make security information world readable.


  3. Re: Help with tracking down intrusion record logs

    On Aug 22, 2:05 pm, koeh...@eisner.nospam.encompasserve.org (Bob Koehler) wrote:
    > In article <07082207414753_20200...@antinode.org>, s...@antinode.org (Steven M. Schweda) writes:
    >
    > > and SYS$MANAGER:AA.OUT has W:RE protection, so that I can easily include
    > > it in my (non-SYSTEM) e-mail. (My own login.com also defines "AA".)
    >
    > Boy, am I glad you're not responsible for security on my system. I'd
    > never make security information world readable.


    You're back! I was worried after your no-content reply to Bob! :-)

    AEF


  4. Re: Help with tracking down intrusion record logs

    In article <1187827977.220927.37690@e9g2000prf.googlegroups.com>, AEF writes:
    >
    > You're back! I was worried after your no-content reply to Bob! :-)


    The content was in the title.

