topic Re: Question on intrusions in Operating System - OpenVMS

Question on intrusions

roose — Wed, 08 Nov 2006 21:12:26 GMT

Hi folks, just wanted to verify: when can a source be designated as suspect or as an intruder? I have just seen on our system 21 counts for a specific IP address but flagged as suspect and 6 counts for another IP address but already flagged as intruder.

We are running OpenVMS 7.3-1 and TCP/IP v5.3 ECO4.

Re: Question on intrusions

Karl Rohwedder — Thu, 09 Nov 2006 00:42:38 GMT

Bruce Claremont did a nice writeup, of the LGI parameter which control this behaviour.
See here:

http://www.migrationspecialties.com/pdf/SYSGEN%20Login%20Parameters.pdf

regards Kalle

Re: Question on intrusions

roose — Thu, 09 Nov 2006 01:49:34 GMT

Hi Kalle,

Thanks for the link.

The information from Bruce's write-up does provide the explanation for the LGI parameters, but I still don't see how a source is flagged as suspect or intruder? I can see that it must have to do with the LGI_BRK_LIM and LGI_HID_TIM parameters, but the description on these parameters only says about "evasive action". Again, I'm hoping to look for an explanation why a count of 21 can only be flagged as suspect, but a 6 is already an intruder.

I'm attaching our system's LGI parameters for reference.

Re: Question on intrusions

Karl Rohwedder — Thu, 09 Nov 2006 04:17:37 GMT

I noticed you set LGI_BTK_TERM to 1 (default), so that the terminal port is used to check for intrusions. I prefer to set it to 0.
Can you post a SHOW INTRUSION ?

regard Kalle

Re: Question on intrusions

roose — Thu, 09 Nov 2006 04:20:46 GMT

Hi Kalle,

Here's the output earlier when I was doing my daily checks. I already have removed the intrusion as it was affecting some of our production users.

Thanks, Roose.

Re: Question on intrusions

EdgarZamora — Thu, 09 Nov 2006 09:04:25 GMT

The relevant parameters for your question are LGI_BRK_TMO (set at 300 secs.), LGI_BRK_LIM (set at 5 tries), and LGI_HID_TIM (set at 600 secs.)

Every time a user has a login failure, his (or her) expiration time is incremented by LGI_BRK_TMO. If he exceeds LGI_BRK_LIM attempts within the expiration period he is declared an intruder and evasion is in effect. Evasion means he won't be able to successfully login even if he provides the correct username and password. In your case this does not apply because you DISUSER the account anyway (LGI_NRK_DISUSER).

So the reason why you see an INTRUDER after 6 counts is because he exceeded the limit of 5 within his expiration period. The most likely reason you see a "suspect" with 21 counts is because he was declared an intruder previously and your hide time is low (10 minutes) and after 10 minutes he drops down from intruder to suspect and the count is not reset. I would say he's been rising to intruder and dropping to suspect a number of times for some period of time.

Hope that helps.

Re: Question on intrusions

EdgarZamora — Thu, 09 Nov 2006 09:14:52 GMT

Oops just noticed a typo, LGI_NRK_DISUSER should be LGI_BRK_DISUSER.

Also forgot to mention the more likely possibility that the user was very tenacious in trying to login, after he was declared an intruder he kept trying to login thereby inflating his count to 21. After he stopped trying and time elapsed he dropped down to suspect and that's probably around the time you did a SHOW INTRUSION.

You should reconsider your use of DISUSER and/or your low HIDE time depending on your security requirements.

Re: Question on intrusions

roose — Thu, 09 Nov 2006 20:20:35 GMT

Hi Edgar,

I believe the information you gave me is the one I am looking for.

Thanks as well to Kalle for his information.

I am closing this case now.