11-17-2004 03:46 AM
VMS intruder from telnet session
Source > Node::TELNET_AC103B05
----------------------------------
On VMS V7.1 the port number changes after a login failure, and the intrusion mechanism doesn't detect an intruder from an incoming telnet session.
Host: 172.16.10.10 Port: 1440:USER
-----------------------------------
We can't upgrade VMS...
Is there a way to use the intrusion mechanism with VMS 7.1?
Thanks
11-17-2004 04:52 AM
Re: VMS intruder from telnet session
Welcome to the VMS forum.
This is a TCPIP issue. Can you tell us the version of TCPIP? Simply do:
$ UCX SHOW VERSION
Bojan
11-17-2004 05:16 AM
Re: VMS intruder from telnet session
Bojan
11-17-2004 05:17 AM
Re: VMS intruder from telnet session
Parameters
LGI_BRK_TERM
LGI_BRK_TERM causes the terminal name to be part of the association string for the terminal mode of break-in detection. When off (0), association is done on user name only. LGI_BRK_TERM is set by default (1). It should be cleared if physical terminal names are created dynamically (that is, if LAT is installed) and effective break-in detection is desired.
LGI_BRK_TERM is a DYNAMIC parameter.
Purely Personal Opinion
11-17-2004 07:50 AM
Re: VMS intruder from telnet session
Although you can change the behaviour by clearing LGI_BRK_TERM, the source is then listed as you've shown, "Node::TELNET_AC103B05". The hex string is an encoded IP address. Unfortunately the TELNET protocol does not include the source username, so the intrusion looks the same for all attempts from the same NODE, regardless of the source user.
This means a single user can drive the node into INTRUDER status, and block connections from ALL users coming from that node. This might not be a problem, for example, if all your incoming telnet sessions are from PCs. But it WILL be a problem in some environments.
If you're going to clear LGI_BRK_TERM, it may be worth thinking about increasing LGI_BRK_LIM (i.e. the threshold for a suspect becoming an intruder). Setting it up from the default of 5 to (say) 25 will reduce the chances of a single user with a bad memory blocking access from the whole node (5 retries is "reasonable", but I'd question the sanity of anyone who retries a password 25 times!). Sure, this slightly reduces your protection against brute force attacks on your system, but then with half decent password policies, there's not much difference between a dictionary attack of 5 and one with 25.
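Added example, not part of the original posts and not VMS code: a Python sketch that decodes the `TELNET_` hex suffix into an IPv4 address and models why the setting matters for telnet. The byte order (most significant octet first), the function names, the `>=` threshold test and the sample failures are assumptions made for illustration; the real intrusion database also tracks expiry times, which this model ignores.

```python
import ipaddress
from collections import Counter

LGI_BRK_LIM = 5  # default threshold quoted in the thread

def decode_telnet_source(source: str) -> str:
    """Turn 'Node::TELNET_AC103B05' into a dotted-quad IPv4 address."""
    parts = source.rsplit("TELNET_", 1)
    if len(parts) != 2 or len(parts[1]) != 8:
        raise ValueError(f"not a TELNET_<8 hex digits> source: {source!r}")
    # bytes.fromhex raises ValueError on non-hex input
    return str(ipaddress.IPv4Address(bytes.fromhex(parts[1])))

def encode_telnet_source(ip: str) -> str:
    """Inverse of decode_telnet_source (assumed encoding)."""
    return "TELNET_" + ipaddress.IPv4Address(ip).packed.hex().upper()

def intruders(failures, brk_term: int, limit: int = LGI_BRK_LIM) -> dict:
    """Simplified model of break-in counting.

    failures: iterable of (ip, port) pairs, one per failed login.
    brk_term=1: the per-connection port is part of the association key,
                so every reconnect looks like a new source.
    brk_term=0: the key is the source node only.
    """
    counts = Counter()
    for ip, port in failures:
        key = (ip, port) if brk_term else encode_telnet_source(ip)
        counts[key] += 1
    return {key: n for key, n in counts.items() if n >= limit}

# Constructed sample: six failed logins from one host, new port each time.
SAMPLE = [("172.16.59.5", 1440 + i) for i in range(6)]

if __name__ == "__main__":
    print(decode_telnet_source("Node::TELNET_AC103B05"))
    print("LGI_BRK_TERM=1:", intruders(SAMPLE, brk_term=1))
    print("LGI_BRK_TERM=0:", intruders(SAMPLE, brk_term=0))
    print("LGI_BRK_TERM=0, limit 25:", intruders(SAMPLE, 0, limit=25))
```

With the terminal in the key no entry ever reaches the limit; with it cleared the whole node is flagged after the limit is hit, whichever user caused the failures.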
11-17-2004 09:53 PM
Re: VMS intruder from telnet session
An intruder can reboot (or simply restart the TCPIP services), so his IP address changes. Doing so, he obtains more retries and he can drive many IP addresses into intruder status.
Bojan
11-22-2004 02:59 AM
Re: VMS intruder from telnet session
With LGI_BRK_TERM set to 0 we have a response to our need.
11-22-2004 03:09 AM
Re: VMS intruder from telnet session
With LGI_BRK_TERM set to 0 we have a response to our need.