SSH break-in attempts - VMS

Page 1 of 3, results 1 to 20 of 45

Thread: SSH break-in attempts

  1. SSH break-in attempts

    SSH break-in attempts seem to be getting more frequent these days.
    I'm (still) using:

    HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 7
    on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2

    with an SSH service limit of 64, which helps to limit the duration of a
    typical attack, because the attackers appear to leave connections open
    long enough to hit the limit. After an OPCOM message like: "INTERnet
    ACP SSH Reject Request - service limit - from Host: 210.48.157.82 Port:
    45443", the attack ends, and then, over a period of some minutes, the
    connections are cleared out, so normal operation can resume.

    With a higher service limit, the attacks run longer, wasting
    resources. With a smaller limit, an attack becomes a (temporary) denial
    of service, until some of the connections dissipate.

    It seems to me that a useful feature would be a per-IP-address
    connection limit. I could easily live with no more than, say, 16 SSH
    connections from any particular IP address, and if an attacker hit that
    kind of limit, it would not interfere with connections coming from more
    legitimate sources.

    Anyone else think that this might be useful? (Or is it already in
    some new TCPIP version?)

    ------------------------------------------------------------------------

    Steven M. Schweda sms@antinode-info
    382 South Warwick Street (+1) 651-699-9818
    Saint Paul MN 55105-2547

  2. Re: SSH break-in attempts

    Steven M. Schweda wrote:

    > It seems to me that a useful feature would be a per-IP-address
    > connection limit.


    > Anyone else think that this might be useful? (Or is it already in
    > some new TCPIP version?)


    What is really needed is the break-in evasion system to be configurable
    to call some shareable image or DCL procedure whenever an event occurs
    and provide it with the appropriate information.

    Then, sites could write code that implements their own policies. (for
    instance, adding a block for that IP at the router level, at the TCPIP
    stack level for X minutes, or sending a message to a pager etc etc).

    Of course, this isn't of much use for all of the TCPIP software that
    doesn't call the intrusion detection stuff and allow thousands of login
    attempts to go unlogged.

  3. Re: SSH break-in attempts

    On 21 sep, 07:32, s...@antinode.info (Steven M. Schweda) wrote:
    > SSH break-in attempts seem to be getting more frequent these days.
    > I'm (still) using:
    >
    > HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 7
    > on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2
    >
    > with an SSH service limit of 64, which helps to limit the duration of a
    > typical attack, because the attackers appear to leave connections open
    > long enough to hit the limit. After an OPCOM message like: "INTERnet
    > ACP SSH Reject Request - service limit - from Host: 210.48.157.82 Port:
    > 45443", the attack ends, and then, over a period of some minutes, the
    > connections are cleared out, so normal operation can resume.
    >
    > With a higher service limit, the attacks run longer, wasting
    > resources. With a smaller limit, an attack becomes a (temporary) denial
    > of service, until some of the connections dissipate.
    >
    > It seems to me that a useful feature would be a per-IP-address
    > connection limit. I could easily live with no more than, say, 16 SSH
    > connections from any particular IP address, and if an attacker hit that
    > kind of limit, it would not interfere with connections coming from more
    > legitimate sources.
    >
    > Anyone else think that this might be useful? (Or is it already in
    > some new TCPIP version?)
    >
    > ------------------------------------------------------------------------
    >
    > Steven M. Schweda sms@antinode-info
    > 382 South Warwick Street (+1) 651-699-9818
    > Saint Paul MN 55105-2547


    Interesting. My Digital Server 5305 has been turned on for two weeks
    now and yesterday evening an SSH attempt to log on failed. I was using
    OPA0: so that's why I saw the intrusion.
    As it happens, I scan twice a month for login failures:
    ACC/SINCE=..../TYPE=LOGFAIL/FULL
    And learned that SSH intrusions are logged differently. Well, TELNET
    intrusions happen two to four times a month. But SSH intrusions happen
    twice a day; at least. TRACEROUTE tells you interesting things, though.
    About 30% comes from Russia, 20% from Asia, 10% is Europe and the
    rest, believe it or not, from California!

    The message code returned by ACCOUNTING is %x1764CFBC, which I can't
    translate to a text for some reason.
    BTW the system runs:


    $ tcpip sho ver

    HP TCP/IP Services for OpenVMS Alpha Version V5.6 - ECO 2
    on a DIGITAL Server 5000 Model 5305 6533A 5/533 4MB running OpenVMS
    V8.3

    $

    Hans

  4. Re: SSH break-in attempts

    In article <48d60243$0$12404$c3e8da3@news.astraweb.com>, JF Mezei writes:
    >Steven M. Schweda wrote:
    >
    >> It seems to me that a useful feature would be a per-IP-address
    >> connection limit.

    >
    >> Anyone else think that this might be useful? (Or is it already in
    >> some new TCPIP version?)

    >
    >What is really needed is the break-in evasion system to be configurable
    >to call some shareable image or DCL procedure whenever an event occurs
    >and provide it with the appropriate information.
    >
    >Then, sites could write code that implements their own policies. (for
    >instance, adding a block for that IP at the router level, at the TCPIP
    >stack level for X minutes, or sending a message to a pager etc etc).
    >
    >Of course, this isn't of much use for all of the TCPIP software that
    >doesn't call the intrusion detection stuff and allow thousands of login
    >attempts to go unlogged.


    I wrote a bit of code I called SSH PEER. It gets the remote IP address
    of an SSH client and displays it in the ACCPORNAM field of the terminal.
    It's some of my same technology which Process Software is using in
    MultiNet and TCPware. If HP won't add such capabilities to their SSH, I
    could augment SSH_PEER with what you describe or even create a whole new
    bag of code to implement this.

    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    .... pejorative statements of opinion are entitled to constitutional protection
    no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)

    Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside
    of usenet _must_ include its contents in its entirety including this copyright
    notice, disclaimer and quotations.

  5. Re: SSH break-in attempts

    In article <08092100325425_20202860@antinode.info>, Steven M. Schweda wrote:
    > SSH break-in attempts seem to be getting more frequent these days.
    >I'm (still) using:

    [...]
    > It seems to me that a useful feature would be a per-IP-address
    >connection limit. I could easily live with no more than, say, 16 SSH
    >connections from any particular IP address, and if an attacker hit that
    >kind of limit, it would not interfere with connections coming from more
    >legitimate sources.
    >
    > Anyone else think that this might be useful? (Or is it already in
    >some new TCPIP version?)


    I realize that you've asked for a particular way to skin a cat, but if you
    would like a different approach, visit Aaron's OpenVMS Hobbyist website, where
    he has created a Q 'n' D to detect intruders, and add network routes that point
    to a "bitbucket" local address to limit the amount of resources these creeps
    consume.

    I've adopted the routine for my TCPware stack, and added the suspects to a
    command file which is executed on startup, and re-routes the IP addresses to
    the bitbucket. Downside: my routing table is getting bigger and bigger -
    perhaps this will represent unwanted overhead on the IP stack?

  6. Re: SSH break-in attempts

    In article , BRAD@rabbit.turquoisewitch.com (Brad Hamilton) writes:
    >In article <08092100325425_20202860@antinode.info>, Steven M. Schweda wrote:
    >> SSH break-in attempts seem to be getting more frequent these days.
    >>I'm (still) using:

    >[...]
    >> It seems to me that a useful feature would be a per-IP-address
    >>connection limit. I could easily live with no more than, say, 16 SSH
    >>connections from any particular IP address, and if an attacker hit that
    >>kind of limit, it would not interfere with connections coming from more
    >>legitimate sources.
    >>
    >> Anyone else think that this might be useful? (Or is it already in
    >>some new TCPIP version?)

    >
    >I realize that you've asked for a particular way to skin a cat, but if you
    >would like a different approach, visit Aaron's OpenVMS Hobbyist website, where
    >he has created a Q 'n' D to detect intruders, and add network routes that point
    >to a "bitbucket" local address to limit the amount of resources these creeps
    >consume.


    URL to this item?

    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    .... pejorative statements of opinion are entitled to constitutional protection
    no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)

    Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside
    of usenet _must_ include its contents in its entirety including this copyright
    notice, disclaimer and quotations.

  7. Re: SSH break-in attempts

    In article <00A7FF61.945F9460@SendSpamHere.ORG>,
    VAXman- @SendSpamHere.ORG wrote:
    >In article ,

    BRAD@rabbit.turquoisewitch.com (Brad Hamilton) writes:
    [...]
    >>I realize that you've asked for a particular way to skin a cat, but if you
    >>would like a different approach, visit Aaron's OpenVMS Hobbyist website, where
    >>he has created a Q 'n' D to detect intruders, and add network routes that point
    >>to a "bitbucket" local address to limit the amount of resources these creeps
    >>consume.

    >
    >URL to this item?




  8. Re: SSH break-in attempts

    On Sun, 21 Sep 2008 06:04:54 -0700, VAXman- <@SendSpamHere.ORG> wrote:

    > In article <48d60243$0$12404$c3e8da3@news.astraweb.com>, JF Mezei
    > writes:
    >> Steven M. Schweda wrote:
    >>
    >>> It seems to me that a useful feature would be a per-IP-address
    >>> connection limit.

    >>
    >>> Anyone else think that this might be useful? (Or is it already in
    >>> some new TCPIP version?)

    >>
    >> What is really needed is the break-in evasion system to be configurable
    >> to call some shareable image or DCL procedure whenever an event occurs
    >> and provide it with the appropriate information.
    >>
    >> Then, sites could write code that implements their own policies. (for
    >> instance, adding a block for that IP at the router level, at the TCPIP
    >> stack level for X minutes, or sending a message to a pager etc etc).
    >>
    >> Of course, this isn't of much use for all of the TCPIP software that
    >> doesn't call the intrusion detection stuff and allow thousands of login
    >> attempts to go unlogged.

    >
    > I wrote a bit of code I called SSH PEER. It gets the remote IP address
    > of an SSH client and displays it in the ACCPORNAM field of the terminal.
    > It's some of my same technology which Process Software is using in Multi-
    > Net and TCPware. If HP won't add such capabilities to their SSH, I could
    > augment SSH_PEER with what you describe or even create a whole new beg of
    > code to implement this.


    Typically these attacks, as I have observed, do port scanning from some IP;
    that might lead to a strategy for detection.

    --
    PL/I for OpenVMS
    www.kednos.com

  9. Re: SSH break-in attempts


    > > It seems to me that a useful feature would be a per-IP-address
    > >connection limit. I could easily live with no more than, say, 16 SSH
    > >connections from any particular IP address, and if an attacker hit that
    > >kind of limit, it would not interfere with connections coming from more

    >
    > I've adopted the routine for my TCPware stack, and added the suspects to a
    > command file which is executed on startup, and re-routes the IP addresses to
    > the bitbucket. Downside: my routing table is getting bigger and bigger -
    > perhaps this will represent unwanted overhead on the IP stack?


    Perhaps you should look at automatically flushing the route tables
    similarly to some of the IDS software I've seen in the *nix world. It
    seems to me that even a deny for 30 mins would thwart many of the
    attacks - since 99% of what I've seen are from script-kiddies with
    brute-force methods.

    Joe

  10. Re: SSH break-in attempts

    In article , jferraro writes:
    >
    >> > It seems to me that a useful feature would be a per-IP-address
    >> >connection limit. I could easily live with no more than, say, 16 SSH
    >> >connections from any particular IP address, and if an attacker hit that
    >> >kind of limit, it would not interfere with connections coming from more

    >>
    >> I've adopted the routine for my TCPware stack, and added the suspects to a
    >> command file which is executed on startup, and re-routes the IP addresses to
    >> the bitbucket. Downside: my routing table is getting bigger and bigger -
    >> perhaps this will represent unwanted overhead on the IP stack?

    >
    >Perhaps you should look at automatically flushing the route tables
    >similarly to some of the IDS software I've seen in the *nix world. It
    >seems to me that even a deny for 30 mins would thwart many of the
    >attacks - since 99% of what I've seen are from script-kiddies with
    >brute-force methods.


    The simplest way to reduce (read, not eliminate) this is to move off
    of default port 22!



    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    .... pejorative statements of opinion are entitled to constitutional protection
    no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)

    Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside
    of usenet _must_ include its contents in its entirety including this copyright
    notice, disclaimer and quotations.

  11. Re: SSH break-in attempts

    On Sep 21, 2:50 am, H Vlems wrote:
    > On 21 sep, 07:32, s...@antinode.info (Steven M. Schweda) wrote:
    > > [...]
    >
    > Interesting. My Digital Server 5305 has been turned on for two weeks
    > now and yesterday evening an SSH attempt to log on failed. I was using
    > OPA0: so that's why I saw the intrusion.
    > As it happens, I scan twice a month for login failures:
    > ACC/SINCE=..../TYPE=LOGFAIL/FULL
    > And learned that SSH intrusions are logged differently. Well, TELNET
    > intrusions happen two to four times a month. But SSH intrusions happen
    > twice a day; at least. TRACEROUTE tells you interesting things, though.
    > About 30% comes from Russia, 20% from Asia, 10% is Europe and the
    > rest, believe it or not, from California!
    >
    > The message code returned by ACCOUNTING is %x1764CFBC, which I can't
    > translate to a text for some reason.


    That would be:

    $ @tools:trymsg %x1764CFBC

    From SYS$COMMON:[SYSMSG]TCPIP$MSG.EXE;1...

    %TCPIP-F-SSH_FATAL, non-specific fatal error condition

    $

    Not particularly helpful in this case, but at least it tells
    which facility issued the message.

    Trymsg.Com is something I happened upon long ago
    (the header says the author was Douglas A. Gordon
    of DEC and it was written 1988, although I added a
    small fix to it) which goes sequentially through all
    the message files in Sys$Message:, does a

    $ SET MESSAGE

    to each one in turn, and then tries to retrieve the text
    via F$Message. I find it particularly useful for BACKUP
    messages. ;-p

    -Ken

    P.S. Sorry to VAXMAN for the Q-P, but Google Groups
    is my sole newsgroups access on weekdays.
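
Hans asked why the %x1764CFBC that ACCOUNTING reports would not translate, and Ken's TRYMSG.COM answers it by trying every message file in turn. The fields packed into the value itself can be read without any message file, which is a useful first check before hunting for the facility. What follows is an added example written for this page, not code from any poster; it assumes the standard STS$ layout of a 32-bit condition value (severity in bits 0-2, message number in bits 3-15, facility number in bits 16-27, control bits in 28-31) and uses the message line Ken obtained as constructed input for a consistency check:

```python
"""Read the fields packed into an OpenVMS condition value such as %x1764CFBC.

Added example for this page, not code from any poster.  Assumes the
standard STS$ layout of a 32-bit condition value:
  bits  0-2   severity (0 W, 1 S, 2 E, 3 I, 4 F; 5-7 reserved)
  bits  3-15  message number (bit 15 = STS$V_FAC_SP, facility-specific)
  bits 16-27  facility number (bit 27 = STS$V_CUST_DEF, customer-defined)
  bits 28-31  control bits (bit 28 = STS$V_INHIB_MSG)
The identifier and text still come from the facility's message file, which
is what TRYMSG.COM walks through; this only tells you what to look for.
"""
import re

SEVERITY_LETTER = {0: "W", 1: "S", 2: "E", 3: "I", 4: "F"}
SEVERITY_NAME = {0: "warning", 1: "success", 2: "error", 3: "informational", 4: "fatal"}

# %FACILITY-S-IDENT, text   (the shape of the line F$MESSAGE returns)
MSG_LINE_RE = re.compile(r"^%([A-Z0-9$_]+)-([A-Z])-([A-Z0-9$_]+)")


def parse_hex_condition(text):
    """Accept the spellings seen in ACCOUNTING, DCL and SDA: %X..., 0x..., or bare hex."""
    t = text.strip().upper()
    for prefix in ("%X", "0X"):
        if t.startswith(prefix):
            t = t[len(prefix):]
            break
    return int(t, 16)


def decode_condition(value):
    """Split a condition value into its fields; returns a dict."""
    value &= 0xFFFFFFFF
    severity = value & 0x7
    return {
        "severity": severity,
        "severity_letter": SEVERITY_LETTER.get(severity, "?"),
        "message_number": (value >> 3) & 0x1FFF,
        "facility_specific": bool(value & (1 << 15)),
        "facility_number": (value >> 16) & 0xFFF,
        "customer_defined": bool(value & (1 << 27)),
        "control": (value >> 28) & 0xF,
        "inhibit_message": bool(value & (1 << 28)),
    }


def describe(text):
    """One-line human summary, e.g. for the status code in a LOGFAIL record."""
    f = decode_condition(parse_hex_condition(text))
    parts = [
        f"severity {f['severity_letter']} ({SEVERITY_NAME.get(f['severity'], 'reserved')})",
        f"facility {f['facility_number']}" + (" (customer-defined)" if f["customer_defined"] else ""),
        f"message {f['message_number']}" + (" (facility-specific)" if f["facility_specific"] else ""),
        f"control bits {f['control']:#x}",
    ]
    return f"{text.strip()}: " + ", ".join(parts)


def severity_consistent(code_text, message_line):
    """True when the severity letter in a %FAC-S-IDENT line matches the code.

    A mismatch means the text came from the wrong message file (or the code
    was mistyped), which is the check worth making after running TRYMSG.COM.
    """
    m = MSG_LINE_RE.match(message_line.strip())
    if m is None:
        return False
    return m.group(2) == decode_condition(parse_hex_condition(code_text))["severity_letter"]


if __name__ == "__main__":
    print(describe("%x1764CFBC"))
    # The line Ken obtained from TCPIP$MSG.EXE, used here as constructed input:
    print(severity_consistent("%x1764CFBC",
                              "%TCPIP-F-SSH_FATAL, non-specific fatal error condition"))
```

For %x1764CFBC this reports severity F, facility 1892 and message 6647 with the facility-specific bit set, which agrees with the %TCPIP-F-SSH_FATAL text; the identifier and wording still need the facility's message file, which is what TRYMSG.COM supplies.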



  12. RE: SSH break-in attempts



    > -----Original Message-----
    > From: Steven M. Schweda [mailto:sms@antinode.info]
    > Sent: September 21, 2008 1:33 AM
    > To: Info-VAX@Mvb.Saic.Com
    > Subject: SSH break-in attempts
    >
    > SSH break-in attempts seem to be getting more frequent these days.
    > I'm (still) using:
    >
    >...
    > It seems to me that a useful feature would be a per-IP-address
    > connection limit. I could easily live with no more than, say, 16 SSH
    > connections from any particular IP address, and if an attacker hit that
    > kind of limit, it would not interfere with connections coming from more
    > legitimate sources.
    >
    > Anyone else think that this might be useful? (Or is it already in
    > some new TCPIP version?)
    >...


    Your idea would be nice, but HP does not have it in their TCPIP product yet.

    Below is the TCPIP$SSH_HOME:LOGIN.COM that I use for both V5.6 and in T5.7.
    I find that I never get more than 6 to 9 login attempts using this procedure
    and the 6 - 9 attempts gives me enough evidence to send to the attacker's
    ISP.

    $! login.com for HP TCP/IP Services for OpenVMS auxiliary service
    $!
    $! Get the address of where they are coming from.
    $!
    $ sysrem_node = "''f$trnlnm("SYS$REM_NODE")'" - "::"
    $!
    $ set noon
    $!
    $! Let's check to see if we have seen this IP in the past 15 minutes.
    $! /STATISTICS makes SEARCH define SEARCH$RECORDS_MATCHED (V8.3 and
    $! later). Earlier postings of this procedure spelled the qualifier
    $! /STATUS; DCL accepts that because only the first four characters of
    $! a qualifier are significant.
    $!
    $ search TCPIP$SSH_RUN.LOG;* 'sysrem_node /statistics /since=-00:15/output=nl:
    $ number_of_times = f$integer(SEARCH$RECORDS_MATCHED)
    $ wait_time = "00:00:00"
    $!
    $! If we have seen this IP in the past 15 minutes, then make them
    $! wait 1 second for every try we have. The seconds field of a delta
    $! time cannot exceed 59, so the delay is capped there.
    $!
    $ if number_of_times .gt. 0
    $ then
    $   set verify
    $   seconds = number_of_times * 1
    $   if seconds .gt. 59 then seconds = 59
    $   wait_time = f$fao("00:00:!2ZB",seconds)
    $!  if seconds .gt. 10 then wait_time = "00:00:20"
    $!  if seconds .gt. 20 then wait_time = "00:00:40"
    $!  if seconds .gt. 30 then wait_time = "00:00:50"
    $!  if seconds .gt. 40 then wait_time = "00:01:00"
    $   wait 'wait_time
    $   set noverify
    $ endif
    $!
    $! Mail a note (an empty message, NL:) to the user SPAMTRAP. The subject
    $! is a single quoted string; the continuation hyphen carries it onto
    $! the next line.
    $!
    $ mail nl: spamtrap/subject=-
       "Someone logging into SSH! from ''sysrem_node' - waited ''wait_time' because of ''number_of_times' tries"
    $!
    $!
    $! To control the purging of .LOG files edit SYS$SYSTEM:TCPIP$SSH_RUN.COM
    $! I have modified SYS$SYSTEM:TCPIP$SSH_RUN.COM to keep any log created in
    $! the past 14 days.
    $!




    Peter Weaver
    www.weaverconsulting.ca www.openvmsvirtualization.com
    www.vaxvirtualization.com www.alphavirtualization.com
    Winner of the 2007 OpenVMS.org Readers' Choice Award for System
    Management/Performance
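
Three ideas in this thread fit together: Steven's per-IP connection limit (post 1), Joe's deny-for-30-minutes-and-then-flush (post 9) and Peter's one-second-per-recent-attempt tarpit in the LOGIN.COM above. What follows is an added example written for this page, not code from any poster or from HP TCP/IP Services; it shows the decision logic in Python over constructed records (the "timestamp address" line format, the legitimate address and the timing of the attempts are assumptions; the attacker address is the one from Steven's OPCOM message) so that the policy can be run and checked offline before anyone writes the DCL or router-side equivalent:

```python
"""Per-source-IP SSH connection limiting with a tarpit delay and a timed deny.

Added example for this thread, not code from any of the posters or from HP
TCP/IP Services.  The record line format and the sample addresses other
than 210.48.157.82 are constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed "client connected" records: "<timestamp> <client IPv4>".  This
# layout is an assumption for the example; it is not the TCPIP$SSH_RUN.LOG
# format.  The attacker address is the one quoted in the OPCOM message.
T0 = datetime(2008, 9, 21, 7, 32, 0)


def _rec(offset, ip):
    return (T0 + offset).strftime("%Y-%m-%d %H:%M:%S") + " " + ip


SAMPLE_EVENTS = (
    # 20 attempts from one source in five minutes (one every 15 seconds)
    [_rec(timedelta(seconds=15 * i), "210.48.157.82") for i in range(20)]
    # two ordinary logins from a legitimate address in the same period
    + [_rec(timedelta(seconds=70), "192.0.2.10"),
       _rec(timedelta(seconds=130), "192.0.2.10")]
    # the attacker returns while still denied, then after the deny has lapsed
    + [_rec(timedelta(minutes=10), "210.48.157.82"),
       _rec(timedelta(minutes=36), "210.48.157.82")]
)

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d{1,3}(?:\.\d{1,3}){3})$")


def parse_event(line):
    """Return (datetime, ip) for a record line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)


class SshGuard:
    """Sliding-window attempt counter per source address.

    per_ip_limit  attempts allowed from one address inside `window`
    block_for     how long an address that exceeds the limit is denied
    max_delay     cap on the tarpit delay (seconds) returned for an accepted
                  connection: one second per earlier attempt in the window
    """

    def __init__(self, per_ip_limit=16, window=timedelta(minutes=15),
                 block_for=timedelta(minutes=30), max_delay=59):
        self.per_ip_limit = per_ip_limit
        self.window = window
        self.block_for = block_for
        self.max_delay = max_delay
        self.recent = defaultdict(deque)   # ip -> timestamps inside the window
        self.blocked_until = {}            # ip -> time the deny expires

    def expire(self, now):
        """Drop denies whose time has run out (the automatic flush)."""
        for ip in [ip for ip, until in self.blocked_until.items() if until <= now]:
            del self.blocked_until[ip]

    def decide(self, now, ip):
        """Return ('accept', delay_seconds) or ('deny', 0) for one attempt."""
        self.expire(now)
        if ip in self.blocked_until:
            return "deny", 0
        seen = self.recent[ip]
        while seen and now - seen[0] > self.window:
            seen.popleft()             # forget attempts older than the window
        seen.append(now)
        if len(seen) > self.per_ip_limit:
            self.blocked_until[ip] = now + self.block_for
            return "deny", 0
        return "accept", min(len(seen) - 1, self.max_delay)


def replay(lines, guard=None):
    """Feed record lines through a guard in time order; return (guard, decisions)."""
    guard = guard or SshGuard()
    events = sorted(e for e in map(parse_event, lines) if e is not None)
    decisions = []
    for when, ip in events:
        verdict, delay = guard.decide(when, ip)
        decisions.append((ip, verdict, delay))
    return guard, decisions


if __name__ == "__main__":
    guard, decisions = replay(SAMPLE_EVENTS)
    for ip, verdict, delay in decisions:
        print(f"{ip:16} {verdict:6} delay={delay}s")
    print("still denied:", sorted(guard.blocked_until))
```

Per address the guard keeps only the timestamps inside the window, so an address that has gone quiet costs nothing, and denies expire on their own instead of accumulating the way static bitbucket routes do. A burst from one address never changes the verdict for another, which is the point of the per-IP limit. Whether a deny is acted on by dropping the connection, adding a route, or calling a site procedure as JF suggested is left to the caller.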


  13. Re: SSH break-in attempts


    wrote in message
    news:d7e8bd50-5b75-4985-b4bf-d231970c466b@g17g2000prg.googlegroups.com...
    On Sep 21, 2:50 am, H Vlems wrote:
    > On 21 sep, 07:32, s...@antinode.info (Steven M. Schweda) wrote:
    > > [...]
    >
    > Interesting. My Digital Server 5305 has been turned on for two weeks
    > now and yesterday evening an SSH attempt to log on failed. I was using
    > OPA0: so that's why I saw the intrusion.
    > As it happens, I scan twice a month for login failures:
    > ACC/SINCE=..../TYPE=LOGFAIL/FULL
    > And learned that SSH intrusions are logged differently. Well, TELNET
    > intrusions happen two to four times a month. But SSH intrusions happen
    > twice a day; at least. TRACEROUTE tells you interesting things, though.
    > About 30% comes from Russia, 20% from Asia, 10% is Europe and the
    > rest, believe it or not, from California!
    >
    > The message code returned by ACCOUNTING is %x1764CFBC, which I can't
    > translate to a text for some reason.

    That would be:

    $ @tools:trymsg %x1764CFBC

    From SYS$COMMON:[SYSMSG]TCPIP$MSG.EXE;1...

    %TCPIP-F-SSH_FATAL, non-specific fatal error condition

    $

    Not particularly helpful in this case, but at least it tells
    which facility issued the message.

    Trymsg.Com is something I happened upon long ago
    (the header says the author was Douglas A. Gordon
    of DEC and it was written 1988, although I added a
    small fix to it) which goes sequentially through all
    the message files in Sys$Message:, does a

    $ SET MESSAGE

    to each one in turn, and then tries to retrieve the text
    via F$Message. I find it particularly useful for BACKUP
    messages. ;-p

    -Ken

    P.S. Sorry to VAXMAN for the Q-P, but Google Groups
    is my sole newsgroups access on weekdays.



    Ken, where is TRYMSG.COM to be found, freeware cd?
    Hans



  14. Re: SSH break-in attempts

    Peter Weaver wrote:

    > Below is the TCPIP$SSH_HOME:LOGIN.COM that I use for both V5.6 and in T5.7.
    > I find that I never get more than 6 to 9 login attempts using this procedure


    Thank you very much! This is just what I need to preserve my sanity
    from all the script kiddies trying to break in. :-) I have already
    implemented it.

    Alan Frisbie

  15. Re: SSH break-in attempts

    Peter Weaver wrote:

    > ...
    > $! Let's check to see if we have seen this IP in the past 15 minutes
    > $!
    > $ search TCPIP$SSH_RUN.LOG;* 'sysrem_node /status /since=-00:15/output=nl:


    I have never seen the /Status switch on Search before, nor do I find
    any mention of it in the Help or DCL Dictionary entry for Search.
    How did you learn of it? Where is it documented?

    Do you have a similar clever procedure for FTP access attempts?

    Thanks,
    Alan Frisbie

  16. Re: SSH break-in attempts

    Alan Frisbie wrote:
    > Peter Weaver wrote:
    >
    > > ...
    >> $! Let's check to see if we have seen this IP in the past 15 minutes
    >> $!
    >> $ search TCPIP$SSH_RUN.LOG;* 'sysrem_node /status
    >> /since=-00:15/output=nl:

    >
    > I have never seen the /Status switch on Search before,


    There isn't any. Should be /STATISTICS.
    On 8.3 /STATISTICS now creates a few symbols...


  17. Re: SSH break-in attempts

    "Alan Frisbie" wrote in message
    news:tL2dnZrIaL-P7ETVnZ2dnUVZ_vjinZ2d@supernews.com...
    > Peter Weaver wrote:
    >
    > > ...
    >> $! Let's check to see if we have seen this IP in the past 15 minutes
    >> $!
    >> $ search TCPIP$SSH_RUN.LOG;* 'sysrem_node /status
    >> /since=-00:15/output=nl:

    >
    > I have never seen the /Status switch on Search before, nor do I find
    > any mention of it in the Help or DCL Dictionary entry for Search.
    > How did you learn of it? Where is it documented?
    >
    > Do you have a similar clever procedure for FTP access attempts?
    >
    > Thanks,
    > Alan Frisbie



    On OpenVMS/VAX V7.1

    $ help search/stat

    SEARCH

    /STATISTICS

    /STATISTICS
    /NOSTATISTICS (default)

    Controls whether the following statistics about the search are
    displayed:

    o Number of files searched

    o Number of records searched

    o Number of characters searched

    o Number of records matched

    o Number of lines printed

    o Buffered I/O count

    o Direct I/O count

    o Number of page faults

    o Elapsed CPU time

    o Elapsed time



    Topic?


  18. RE: SSH break-in attempts

    >...
    > > I have never seen the /Status switch on Search before,

    >
    > There isn't any. Should be /STATISTICS.
    > On 8.3 /STATISTICS now creates a few symbols...


    Right, and the first time I posted this code someone pointed out this same
    error. I finally corrected the error so I won't confuse anyone the next time
    I post this LOGIN.COM.

    Peter Weaver
    www.weaverconsulting.ca www.openvmsvirtualization.com
    www.vaxvirtualization.com www.alphavirtualization.com
    Winner of the 2007 OpenVMS.org Readers' Choice Award for System
    Management/Performance


  19. Re: SSH break-in attempts

    "Alan Frisbie" wrote in message news:tL2dnZrIaL-P7ETVnZ2dnUVZ_vjinZ2d@supernews.com...
    > Peter Weaver wrote:
    >
    > > ...
    >> $! Let's check to see if we have seen this IP in the past 15 minutes
    >> $!
    >> $ search TCPIP$SSH_RUN.LOG;* 'sysrem_node /status /since=-00:15/output=nl:

    >
    > I have never seen the /Status switch on Search before, nor do I find
    > any mention of it in the Help or DCL Dictionary entry for Search.
    > How did you learn of it? Where is it documented?


    DCL uses only the first four characters of verbs and qualifiers at maximum.
    Try HELP SEAR /STAT

    See below for more of those undocumented features of OpenVMS from an old article in this newsgroup.

    Fred.Zwarts.

    The Uniform Resource Locator for this document is:
    news:01HAUWC54VWY8WVZ3S@kopc.hhs.dk

    Arne Vajhoej

    Re: Undocumented VMS commands

    Wed, 06 Apr 1994 14:32:02 +0100 Info-Vax<==>Comp.Os.Vms Gateway

    Newsgroups:
    comp.os.vms

    > The following is a partial list of undocumented DCL commands and some
    > descriptions which were gleaned from comments in the source code.


    > Please note that all the above commands are ENTIRELY unsupported. PLEASE
    > DO NOT ATTEMPT to use them on a production system, unless you really know
    > what you are doing. If in doubt, consider the following hints:
    >
    > 1. Why does the undocumented command EDITOR manage to bypass your
    > definition of the EDIT symbol ?
    >
    > 2. What is the date on this article ?
    >
    > I TAKE NO RESPONSIBILITY FOR ANYTHING THAT HAPPENS. YOU HAVE BEEN WARNED.


    The careful reader must have observed that the article is posted close
    to april first (second hint) and that date is somewhat suspicious. But I did
    actually first receive it april fifth (bad net connection somewhere). And not
    everyone knows that DCL verbs and qualifiers are only significant for the
    first 4 characters (first hint above).

    So here is a translation for those who wondered.

    > -------------------------------------------------------------------
    > ALLOW
    >
    > Allows shared access to a device. If the device is in use, users are queued
    > until the device becomes free. For example, if you have a heavily used
    > tape drive, you should place the command ALLOW MUA0 in your LOGIN.COM file.


    ALLOW --> ALLOcate

    > ------------------------------------------------------------------
    > SET LOG /INTERPRET=1
    >
    > Turns on logging interpretation for batch log files. Note that if you have
    > a large number of users on your machine, you can greatly improve performance by
    > issuing a SET LOG/INTERPRET=0 command.


    SET LOG /INTERPRET --> SET LOG /INTEractive

    > -------------------------------------------------------------------
    > DELEGATE
    >
    > The DELEGATE command specifies that the quota charges for the specified
    > files be charged to the system rather than to the file owner. For example.
    >
    > $ SHOW QUOTA
    > User [T_WADE] has 101667 blocks used, 98333 available,
    > of 200000 authorized and permitted overdraft of 0 blocks on US$
    > $
    > $ DELEGATE *.*;*
    > $ SHOW QUOTA
    > User [T_WADE] has 0 blocks used, 200000 available,
    > of 200000 authorized and permitted overdraft of 0 blocks on US$


    DELEGATE --> DELEte

    > -------------------------------------------------------------------
    > INITIATE
    >
    > The INITIATE command initiates a deferred backup of the specified device,
    > at the time specified. For example, if all your user files are on DUA1,
    > you should issue:
    >
    > $ INITIATE DUA1: TOMORROW


    INITIATE --> INITialize

    > -------------------------------------------------------------------
    > INSTRUCT [qualifier]
    >
    > The INSTRUCT command is a security enhancement, which instructs a backup copy
    > to be made of any file being moved using the MOVEFILE primitive. For example,
    > you can increase the security of your file system by issuing:
    >
    > $ INSTRUCT REPLACE COPY /PRIVATE=BYPASS
    >
    > (bypassing private MOVEFILE operations).


    INSTRUCT --> INSTall

    > -------------------------------------------------------------------
    > LICE utility (Linkable Interpreted Command Environment)
    >
    > This utility allows the system manager to link in customized command
    > interpreters into various utilities. For example
    >
    > $ LICE DISABLE VAX-VMS
    >
    > will disable any customization of the standard VMS commands, which is
    > recommended.


    LICE --> LICEnse

    > -------------------------------------------------------------------
    > REQUIRE
    >
    > The REQUIRE command allocates a particular resource name to your system.
    > You then identify which .EXE files are to be associated with that resource
    > by issuing a PRINCIPAL command. These .EXE then assume the resource when
    > they are running. E.g.
    >
    > $ REQUIRE "GIMME_PAPER" /noreplicate
    > $ PRINCIPAL SYS$SYSTEM:*.EXE


    REQUIRE --> REQUest
    PRINCIPAL --> PRINt

    > -------------------------------------------------------------------
    > SET TERMINAL /LOCATE
    >
    > The SET TERMINAL qualify /LOCATE will return the current location of the
    > terminal. Note: if the terminal refuses to output anything, then it means that
    > your system manager has an active `spy' process on your terminal, which
    > is logging all your output to a file. If this happens, you should complain
    > to your system manager.


    SET TERM /LOCATE --> SET TERM /LOCAl_echo

    BTW, now we are on the topic ! From the VMS 5.2 release notes section 2.4.1:

    DCL currently checks only the first four characters of command verbs
    and qualifiers. Because of the continuing growth in the number of VMS
    products that use DCL command syntax, VMS is considering a change in
    which four characters may not be enough to identify all verbs or
    qualifiers.

    So do not rely too much on this feature, if the VMS people someday should
    decide to take action as described above.

    Arne

    Arne Vajhøj local DECNET: KO::ARNE
    Computer Department PSI: PSI%238310013040::ARNE
    Business School of Southern Denmark Internet: ARNE@KO.HHS.DK





  20. Re: SSH break-in attempts

    Here's trymsg.com.

    Jur.

    $ Verif = 'F$Verify(0)
    $ If "''P1'" .nes. "" Then $ Goto Start_1
    $ Inquire P1 "Enter message code"
    $ If P1 .eqs. "" Then $ Goto Done
    $Start_1:
    $ Found = 0
    $ Msgfil = ""
    $Loop:
    $! F$Message answers %NONAME-W-NOMSG when no message file currently in
    $! effect knows the code; anything else is a translation.
    $ Junk = F$Message(P1)
    $ If F$Extract(0,7,Junk) .Eqs. "%NONAME" Then Goto Next_File
    $ If F$Locate("-NOMSG",Junk) .Ne. F$Length(Junk) Then Goto Next_File
    $ Found = 1
    $ If Msgfil .eqs. "" Then $ Goto No_File
    $ Write Sys$Output ""
    $ Write Sys$Output "From ''Msgfil'..."
    $No_File:
    $ Write Sys$Output ""
    $ Write Sys$Output Junk
    $ Write Sys$Output ""
    $! Fall through rather than exit: the same code may be defined in more
    $! than one message file, and every match is worth seeing.
    $Next_File:
    $ Msgfil = F$Search("Sys$Message:*.Exe")
    $ If Msgfil .Eqs. "" Then Goto Exit
    $ Set Message 'Msgfil'
    $ Write Sys$Output "File: ",Msgfil
    $ Goto Loop
    $Exit:
    $ If .Not. Found Then Write Sys$Output "No message found for ",P1
    $Done:
    $! Drop the last SET MESSAGE so the process keeps its normal message files
    $ Set Message /Delete
    $ Exit 1 + (0 * F$Verify(Verif))


    H Vlems wrote:
    >>

    > Ken, where is TRYMSG.COM to be found, freeware cd?
    > Hans
    >
    >

