
Question on intrusions

SOLVED
roose
Regular Advisor

Hi folks, just wanted to verify: when can a source be designated as suspect or as an intruder? I have just seen on our system 21 counts for a specific IP address but flagged as suspect and 6 counts for another IP address but already flagged as intruder.

We are running OpenVMS 7.3-1 and TCP/IP v5.3 ECO4.
Karl Rohwedder
Honored Contributor

Re: Question on intrusions

Bruce Claremont did a nice writeup of the LGI parameters which control this behaviour.
See here:

http://www.migrationspecialties.com/pdf/SYSGEN%20Login%20Parameters.pdf

regards Kalle
roose
Regular Advisor

Re: Question on intrusions

Hi Kalle,

Thanks for the link.

The information from Bruce's write-up does provide the explanation for the LGI parameters, but I still don't see how a source is flagged as suspect or intruder. I can see that it must have to do with the LGI_BRK_LIM and LGI_HID_TIM parameters, but the description of these parameters only mentions "evasive action". Again, I'm hoping to find an explanation of why a count of 21 can only be flagged as suspect, but a 6 is already an intruder.

I'm attaching our system's LGI parameters for reference.
Karl Rohwedder
Honored Contributor

Re: Question on intrusions

I noticed you set LGI_BRK_TERM to 1 (default), so that the terminal port is used to check for intrusions. I prefer to set it to 0.
Can you post a SHOW INTRUSION ?

regards Kalle
roose
Regular Advisor

Re: Question on intrusions

Hi Kalle,

Here's the output earlier when I was doing my daily checks. I already have removed the intrusion as it was affecting some of our production users.

Thanks, Roose.
EdgarZamora
Trusted Contributor
Solution

Re: Question on intrusions


The relevant parameters for your question are LGI_BRK_TMO (set at 300 secs.), LGI_BRK_LIM (set at 5 tries), and LGI_HID_TIM (set at 600 secs.).

Every time a user has a login failure, his (or her) expiration time is incremented by LGI_BRK_TMO. If he exceeds LGI_BRK_LIM attempts within the expiration period he is declared an intruder and evasion is in effect. Evasion means he won't be able to successfully log in even if he provides the correct username and password. In your case this does not apply because you DISUSER the account anyway (LGI_NRK_DISUSER).

So the reason why you see an INTRUDER after 6 counts is that he exceeded the limit of 5 within his expiration period. The most likely reason you see a "suspect" with 21 counts is that he was declared an intruder previously and your hide time is low (10 minutes); after 10 minutes he drops down from intruder to suspect and the count is not reset. I would say he's been rising to intruder and dropping to suspect a number of times over some period of time.

Hope that helps.
EdgarZamora
Trusted Contributor

Re: Question on intrusions


Oops, just noticed a typo: LGI_NRK_DISUSER should be LGI_BRK_DISUSER.

Also forgot to mention the more likely possibility that the user was very tenacious in trying to log in: after he was declared an intruder he kept trying to log in, thereby inflating his count to 21. After he stopped trying and time elapsed he dropped down to suspect, and that's probably around the time you did a SHOW INTRUSION.

You should reconsider your use of DISUSER and/or your low HIDE time depending on your security requirements.
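The state machine Edgar describes in the two replies above (count per source, expiration extended by LGI_BRK_TMO on each failure, INTRUDER once the count exceeds LGI_BRK_LIM, a LGI_HID_TIM hide window with evasion, then a drop back to SUSPECT with the count kept) is easier to reason about as a small simulation. The following is an added example written for this page, not OpenVMS code and not part of the thread; it follows the explanation given in the replies rather than the documented LOGINOUT algorithm, and the assumptions that go beyond the replies (a suspect record is forgotten when its expiration passes; further failures while INTRUDER do not extend the hide window; the source names, usernames and the SHOW INTRUSION-style listing) are labelled in the code. The parameter values are the ones quoted for the poster's system.

```python
"""Model of OpenVMS break-in detection as explained in this thread.

Added example, not OpenVMS or HP code. Parameter values are those quoted
for the poster's system; sources, usernames and the listing are constructed.
"""
from dataclasses import dataclass

LGI_BRK_LIM = 5      # failures a source may make before it is an intruder
LGI_BRK_TMO = 300    # seconds added to a suspect record per failure
LGI_HID_TIM = 600    # seconds an intruder record stays (evasion in effect)
LGI_BRK_DISUSER = 0  # 1 would also set DISUSER on the account


@dataclass
class IntrusionRecord:
    source: str
    count: int = 0
    status: str = "SUSPECT"
    expiration: int = 0      # simulated clock, in seconds


class IntrusionDB:
    def __init__(self, brk_lim=LGI_BRK_LIM, brk_tmo=LGI_BRK_TMO,
                 hid_tim=LGI_HID_TIM, brk_disuser=LGI_BRK_DISUSER):
        self.brk_lim, self.brk_tmo, self.hid_tim = brk_lim, brk_tmo, hid_tim
        self.brk_disuser = brk_disuser
        self.records = {}
        self.disabled_users = set()

    def _age(self, now):
        """Apply expirations before looking at the database at time `now`."""
        for src, rec in list(self.records.items()):
            if now < rec.expiration:
                continue
            if rec.status == "INTRUDER":
                # As stated in the reply: when the hide time lapses the
                # source drops back to SUSPECT and the count is NOT reset.
                rec.status = "SUSPECT"
                rec.expiration = now + self.brk_tmo
            else:
                # Assumption: an expired suspect record is forgotten.
                del self.records[src]

    def login_failure(self, source, username, now):
        self._age(now)
        rec = self.records.setdefault(source, IntrusionRecord(source, expiration=now))
        rec.count += 1
        if rec.status == "INTRUDER":
            # Assumption: failures during the hide window only raise the count.
            return rec
        rec.expiration += self.brk_tmo          # each failure extends the record
        if rec.count > self.brk_lim:            # limit exceeded within the period
            rec.status = "INTRUDER"
            rec.expiration = now + self.hid_tim
            if self.brk_disuser:                # LGI_BRK_DISUSER behaviour
                self.disabled_users.add(username)
        return rec

    def lookup(self, source, now):
        """(status, count) for a source, or None if no record is held."""
        self._age(now)
        rec = self.records.get(source)
        return None if rec is None else (rec.status, rec.count)

    def login_permitted(self, source, username, now):
        """Evasion: an INTRUDER source is refused even with a correct password."""
        self._age(now)
        if username in self.disabled_users:
            return False
        rec = self.records.get(source)
        return rec is None or rec.status != "INTRUDER"

    def show_intrusion(self, now):
        """Listing in the spirit of SHOW INTRUSION (constructed layout)."""
        self._age(now)
        lines = ["Intrusion   Type       Count   Expires in   Source"]
        for rec in self.records.values():
            lines.append(f"NETWORK     {rec.status:<9}  {rec.count:>5}   "
                         f"{rec.expiration - now:>7}s   {rec.source}")
        return "\n".join(lines)


def thread_scenario():
    """Reproduce the two records from the question: 21 = SUSPECT, 6 = INTRUDER."""
    db = IntrusionDB()
    # Constructed source names. One client hammers the login 21 times in a row
    # (intruder after the 6th attempt, count keeps rising), then goes quiet.
    for t in range(21):
        db.login_failure("TELNET_10.0.0.21", "JONES", now=t)
    # Ten minutes later a second client fails six times and is an intruder.
    for t in range(600, 606):
        db.login_failure("TELNET_10.0.0.6", "SMITH", now=t)
    # Running the check at t=620: the first client's hide time has lapsed.
    return db, 620


if __name__ == "__main__":
    db, now = thread_scenario()
    print(db.show_intrusion(now))
```

Running the scenario shows the 21-count source as SUSPECT (its hide window expired at t=605, count retained) next to the 6-count source as INTRUDER, and `login_permitted` refuses the intruder even with a correct password while the suspect gets through. Raising `LGI_HID_TIM` keeps the evasion in force longer; with `brk_disuser=1` the account stays locked after the intrusion record itself has gone, which is the trade-off the reply asks the poster to reconsider.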

roose
Regular Advisor

Re: Question on intrusions

Hi Edgar,

I believe the information you gave me is the one I am looking for.

Thanks as well to Kalle for his information.

I am closing this case now.