Re: Help with tracking down intrusion record logs - VMS
-
Re: Help with tracking down intrusion record logs
From: gartmann@nonsense.immunbio.mpg.de (Christoph Gartmann)
In article <1187767904.199876.204390@l22g2000prc.googlegroups.com>, mcbill20@yahoo.com writes:
> >A few hours ago I noticed my VMS console going crazy with intrusion
> >messages. Someone was trying to breakin via FTP. The console messages
> >of course had the date/time, program (FTP), username ("administrato"),
> >and the remote host. When I did a "show intru" it showed some 6400
> >attempts.
> >[...]
> In the security audit journal. See ANALYZE/AUDIT.
I normally do (from SYS$MANAGER):
anal /audi /full /sinc = /outp = aa
where:
ALP $ show logi aa
"AA" = "SYS$MANAGER:AA.OUT" (LNM$PROCESS_TABLE)
and SYS$MANAGER:AA.OUT has W:RE protection, so that I can easily include
it in my (non-SYSTEM) e-mail. (My own login.com also defines "AA".)
For FTP-related complaints, I also include any relevant data from:
sys$sysdevice:[tcpip$ftp]tcpip$ftp_anonymous.log
sys$sysdevice:[tcpip$ftp]tcpip$ftp_run.log
(In the latter, you can see the whole "Administrator".) I have an ACE
on those which allows me to read them (IDENTIFIER=[SMS],ACCESS=READ).
"type /tail aa" is useful for determining the next "" to
specify. I suppose that one could also automate that part, perhaps
using the file's date instead of its contents. I haven't felt the need
yet.
This scheme serves for SSH and other attacks, too, but the FTP
password-guessing sessions make for the most impressive volume (>10X the
typical SSH attack).
------------------------------------------------------------------------
Steven M. Schweda sms@antinode-org
382 South Warwick Street (+1) 651-699-9818
Saint Paul MN 55105-2547
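The automation mentioned in the post above (taking the next /SINCE time from the output file's date instead of its contents), written out as an added DCL command procedure that is not from this thread or from any of the posters. SYS$MANAGER:AA.OUT and SYS$MANAGER:SECURITY.AUDIT$JOURNAL are the file names the post and the OpenVMS defaults give; the /EVENT_TYPE=LOGFAIL filter and the explicit protection setting are additions made here.

```dcl
$! Hypothetical command procedure (not from the thread): incremental
$! ANALYZE/AUDIT extraction.  The "since" time is taken from the revision
$! date of the previous output file instead of from its contents, and the
$! new output is created without world access.
$ set noon
$ outfile = "SYS$MANAGER:AA.OUT"
$ journal = "SYS$MANAGER:SECURITY.AUDIT$JOURNAL"
$!
$! First run: no previous output, so start from yesterday.
$! Later runs: pick up where the last extraction stopped.
$ if f$search(outfile) .eqs. ""
$ then
$     since = "YESTERDAY"
$ else
$     since = f$file_attributes(outfile, "RDT")
$ endif
$ write sys$output "Extracting audit records since ''since'"
$!
$! /EVENT_TYPE=LOGFAIL keeps only login failures, which is what FTP
$! password guessing shows up as; drop the qualifier to see everything.
$ analyze /audit /full /event_type=logfail /since="''since'" -
      /output='outfile' 'journal'
$!
$! Keep the report readable by SYSTEM and the owner only (no W:RE).
$ set security /protection=(s:rwed,o:rwed,g,w) 'outfile'
$!
$! The last few records show how far this extraction got.
$ type /tail=20 'outfile'
```

Run it from an account that can read the audit journal (SECURITY privilege). Because the since time is the previous output's revision date, a record written to the journal while that earlier extraction was still running can fall into a small gap between runs; if that matters, widen the window rather than trusting the file date alone. Anything that needs to be mailed from the report is then sent by the privileged account instead of by opening the file to the world.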
-
Re: Help with tracking down intrusion record logs
In article <07082207414753_20200296@antinode.org>, sms@antinode.org (Steven M. Schweda) writes:
>
> and SYS$MANAGER:AA.OUT has W:RE protection, so that I can easily include
> it in my (non-SYSTEM) e-mail. (My own login.com also defines "AA".)
Boy, am I glad you're not responsible for security on my system. I'd
never make security information world readable.
-
Re: Help with tracking down intrusion record logs
On Aug 22, 2:05 pm, koeh...@eisner.nospam.encompasserve.org (Bob
Koehler) wrote:
> In article <07082207414753_20200...@antinode.org>, s...@antinode.org (Steven M. Schweda) writes:
>
> > and SYS$MANAGER:AA.OUT has W:RE protection, so that I can easily include
> > it in my (non-SYSTEM) e-mail. (My own login.com also defines "AA".)
>
> Boy, am I glad you're not responsible for security on my system. I'd
> never make security information world readable.
You're back! I was worried after your no-content reply to Bob! :-)
AEF
-
Re: Help with tracking down intrusion record logs
In article <1187827977.220927.37690@e9g2000prf.googlegroups.com>, AEF writes:
>
> You're back! I was worried after your no-content reply to Bob! :-)
The content was in the title.