Question on intrusions
11-08-2006 01:12 PM
We are running OpenVMS 7.3-1 and TCP/IP v5.3 ECO4.
11-08-2006 04:42 PM
Re: Question on intrusions
See here:
http://www.migrationspecialties.com/pdf/SYSGEN%20Login%20Parameters.pdf
Regards, Kalle
11-08-2006 05:49 PM
Re: Question on intrusions
Thanks for the link.
The information from Bruce's write-up does provide the explanation for the LGI parameters, but I still don't see how a source is flagged as suspect or intruder. I can see that it must have to do with the LGI_BRK_LIM and LGI_HID_TIM parameters, but the description of these parameters only mentions "evasive action". Again, I'm hoping for an explanation of why a count of 21 can only be flagged as suspect, but a 6 is already an intruder.
I'm attaching our system's LGI parameters for reference.
11-08-2006 08:17 PM
Re: Question on intrusions
Can you post a SHOW INTRUSION?
Regards, Kalle
11-08-2006 08:20 PM
Re: Question on intrusions
Here's the output earlier when I was doing my daily checks. I already have removed the intrusion as it was affecting some of our production users.
Thanks, Roose.
11-09-2006 01:04 AM
Solution
The relevant parameters for your question are LGI_BRK_TMO (set at 300 secs.), LGI_BRK_LIM (set at 5 tries), and LGI_HID_TIM (set at 600 secs.).
Every time a user has a login failure, his (or her) expiration time is incremented by LGI_BRK_TMO. If he exceeds LGI_BRK_LIM attempts within the expiration period, he is declared an intruder and evasion is in effect. Evasion means he won't be able to log in successfully even if he provides the correct username and password. In your case this does not apply because you DISUSER the account anyway (LGI_NRK_DISUSER).
So the reason why you see an INTRUDER after 6 counts is that he exceeded the limit of 5 within his expiration period. The most likely reason you see a "suspect" with 21 counts is that he was declared an intruder previously and your hide time is low (10 minutes), and after 10 minutes he drops down from intruder to suspect and the count is not reset. I would say he's been rising to intruder and dropping to suspect a number of times for some period of time.
Hope that helps.
11-09-2006 01:14 AM
Re: Question on intrusions
Oops, just noticed a typo: LGI_NRK_DISUSER should be LGI_BRK_DISUSER.
Also forgot to mention the more likely possibility that the user was very tenacious in trying to log in; after he was declared an intruder he kept trying to log in, thereby inflating his count to 21. After he stopped trying and time elapsed, he dropped down to suspect, and that's probably around the time you did a SHOW INTRUSION.
You should reconsider your use of DISUSER and/or your low HIDE time depending on your security requirements.
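
Added example, not part of the thread and not OpenVMS code: a small Python model of the suspect/intruder bookkeeping as the two replies above describe it, using the parameter values quoted there. The class and function names are hypothetical, and the rule that the hide time restarts on every failure past the limit is an assumption made to reproduce the second reply's scenario.

```python
from dataclasses import dataclass

# Values quoted in the answer above.
LGI_BRK_TMO = 300   # seconds added to a record's expiration per failure
LGI_BRK_LIM = 5     # failures tolerated before the source is an intruder
LGI_HID_TIM = 600   # seconds that evasion stays in effect

@dataclass
class Record:
    count: int = 0
    expires: float = 0.0     # record is dropped at this time
    hide_until: float = 0.0  # INTRUDER until this time, SUSPECT afterwards

class IntrusionModel:
    """Hypothetical model of the intrusion records, keyed by source."""
    def __init__(self):
        self.records = {}

    def failure(self, source, now):
        rec = self.records.get(source)
        if rec is None or now >= rec.expires:
            # No live record: start a fresh one with a zero count.
            rec = self.records[source] = Record(expires=now)
        rec.count += 1
        rec.expires += LGI_BRK_TMO
        if rec.count > LGI_BRK_LIM:
            # Assumption: hide time restarts on each failure past the limit.
            rec.hide_until = now + LGI_HID_TIM
            rec.expires = max(rec.expires, rec.hide_until)

    def show(self, source, now):
        """Return (state, count) as a SHOW INTRUSION line would, or None."""
        rec = self.records.get(source)
        if rec is None or now >= rec.expires:
            return None
        state = "INTRUDER" if now < rec.hide_until else "SUSPECT"
        return state, rec.count

def replay(failure_times, look_at, source="NODE::USER"):
    """Feed constructed failure timestamps (seconds) and inspect at look_at."""
    model = IntrusionModel()
    for t in failure_times:
        model.failure(source, t)
    return model.show(source, look_at)

if __name__ == "__main__":
    print(replay([i * 10 for i in range(6)], 60))    # six quick failures
    print(replay([i * 10 for i in range(21)], 900))  # 21 failures, then silence
    print(replay([0, 400, 800], 810))                # failures slower than LGI_BRK_TMO
```

In this model the 21-count source shows as SUSPECT because the hide time has lapsed while the record's expiration, pushed out by 300 seconds per failure, has not; failures spaced further apart than LGI_BRK_TMO never accumulate at all.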
11-09-2006 12:20 PM
Re: Question on intrusions
I believe the information you gave me is the one I am looking for.
Thanks as well to Kalle for his information.
I am closing this case now.