HPE Community
Operating System - OpenVMS
1752790 Members
6521 Online
108789 Solutions
New Discussion юеВ

Applying a wait after authorization failures during log-on

 
SOLVED
Go to solution
Dave Laurier
Frequent Advisor

тАО04-03-2006 10:19 PM

тАО04-03-2006 10:19 PM

Applying a wait after authorization failures during log-on


Hi,

I want to define a minimum time for the log-on procedure in order to limit the speed of brute-force attacks. So I want to define a wait after the system has responded with "User authorization failure".

I know that the maximum time-out for a user to enter his username and password can be modified with the SYSGEN parameter LGI_PWD_TMO. However I want to do the oposite, define a waiting time after authorization failures.

I also know that there are other parameters for this such as the following, however they seem not to do what I want. The LGI_BRK_TMO comes close but this waiting time is only effective after some-one is locked out, right?

LGI_BRK_LIM
LGI_HID_TIM
LGI_BRK_TMO

Regards,

Dave Laurier
0 Kudos
7 REPLIES 7
Robert Gezelter
Honored Contributor

тАО04-03-2006 10:44 PM

тАО04-03-2006 10:44 PM

Re: Applying a wait after authorization failures during log-on

Dave,

The OpenVMS support for "evasive action" will block logins for a limited amount of time, which is the behavior that you probably desire.

I suggest that you review the writeup in Chapter 7 of the "OpenVMS Guide to System Security", particularly the section on the Intrusion Database (pp 157, et seq.), particularly the comments about the various LGI_* parameters (pp 159, et seq.).

I hope that the above is helpful.

- Bob Gezelter, http://www.rlgsc.com
0 Kudos
Karl Rohwedder
Honored Contributor

тАО04-03-2006 11:14 PM

тАО04-03-2006 11:14 PM

Re: Applying a wait after authorization failures during log-on

In addition to Roberts advice, be sure to clear
the LGI_BRK_TERM parameter, so that LOGINOUT can detect breakin attempts across different terminal names.

regards Kalle
0 Kudos
Dave Laurier
Frequent Advisor

тАО04-03-2006 11:31 PM

тАО04-03-2006 11:31 PM

Re: Applying a wait after authorization failures during log-on


Hi guys,

Thanks for the suggestions, however my intentions are different.

I want to have a defined time-frame between two authorization attempts.

I know I can configure things such that the user is blocked at the first failed authorization attempt and that there can be a wait time-frame then.

However I would like to configure things such that for instance a user is locked out for 10 minutes after 5 failed authorization attempts and in between the failed authorization attempts I want to wait 10 seconds before providing the login prompt again.

This could result in 5 x 10 seconds delay and then 10 minutes lock out.

Regards,

Dave
0 Kudos
Kris Clippeleyr
Honored Contributor

тАО04-04-2006 12:16 AM

тАО04-04-2006 12:16 AM

Solution

Re: Applying a wait after authorization failures during log-on

Dave,

I think you have to write a LOGINOUT callout, as described in the Utility Routines Manual, chapter 14.
Take a good look at the example.
The "callout_authenticate" routine in the example looks promising. Upon failure to authenticate, you could write a LIB$WAIT before returning to LOGINOUT.EXE.

Regards,
Kris (aka Qkcl)
I'm gonna hit the highway like a battering ram on a silver-black phantom bike...
0 Kudos
Dave Laurier
Frequent Advisor

тАО04-04-2006 12:29 AM

тАО04-04-2006 12:29 AM

Re: Applying a wait after authorization failures during log-on


Hi Kris,

This looks promising indeed! I think this functionality will allow me to customize the login procedure to my needs.

Thanks!

Dave Laurier
0 Kudos
Dave Laurier
Frequent Advisor

тАО04-04-2006 12:48 AM

тАО04-04-2006 12:48 AM

Re: Applying a wait after authorization failures during log-on


Indeed this may do what I was looking for although it requires writing the software instead of simply configuring the functionality. However, that is not a problem as I have been programming C for quite some time on OpenVMS.

Those that read this thread in the future may be interested in the functionality behind LOGINOUT:

The OpenVMS login security program (LOGINOUT.EXE) supports calls to site-specific routines (LOGINOUT callout routines). These callout routines support custom login security programs such as smart card programs, pocket authenticator programs, and other alternative identification and authentication programs. The callout routines permit sites to combine portions of the LOGINOUT security policy functions with site login security functions to establish a customized login security environment.
0 Kudos
Dave Laurier
Frequent Advisor

тАО04-04-2006 12:49 AM

тАО04-04-2006 12:49 AM

Re: Applying a wait after authorization failures during log-on


Adapted solution for this problem is to write a site specific LOGINOUT call-out routine.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.