07-24-2006 12:27 PM
tcpip$telnet_trust_location
07-24-2006 01:28 PM
Re: tcpip$telnet_trust_location
TCPIP$TELNET_TRUST_LOCATION is an existence logical name. The value doesn't matter, just if it's defined or not. By convention you would define it to "TRUE":
$ DEFINE/SYSTEM/EXEC TCPIP$TELNET_TRUST_LOCATION TRUE
This tells TELNET to "trust" the location information sent from the remote host in identifying the source of the incoming connection. This means password failures from incoming telnet sessions can be more accurately logged for audit & intrusion detection.
The intention is to get around the issue of an intrusion detection on a single port on a terminal server blocking accesses from other ports. Instead of the intrusion source being based solely on the IP address of the server, it will be qualified by the port name.
Of course, it requires the remote host to actually SEND location information. I think it's only DECservers and other OpenVMS hosts that do so. It also means that a hacker could potentially defeat intrusion detection by sending bogus location information when attempting a dictionary attack against your node.
07-24-2006 01:42 PM
Re: tcpip$telnet_trust_location
BTW, if you're having the problem of multiple users from a remote host being blocked by one user reaching intrusion threshold for failed login attempts, I believe a more secure solution is to raise the threshold.
The default LGI_BRK_LIM is 5, which, in my opinion, is WAY too low. It means that most intrusion detections are false alarms. Just ordinary users persistently typing the (accidental) wrong password too many times.
Suppose you have a 16 port terminal server. Raising LGI_BRK_LIM to (say) 50 will allow each of your users 3 failed login attempts within the LGI_BRK_TMO window before the terminal server is blocked.
In terms of security, the difference between 5 and 50 attempts really doesn't matter in terms of detecting a true brute force or dictionary attack against your system. Even the most lax password policies should survive 50 random probes. On the other hand if you ever do see an intrusion detection, it's more than likely real (even the dumbest of dumb users isn't persistent enough to retry their incorrect password 50 times!). I would therefore argue that the higher value is MORE secure, because a real attack is less likely to get lost amongst the false alarms.
If you have especially paranoid auditors, you may be able to find a smaller number that is high enough that your users don't hit it (or at least very rarely) but low enough to keep the auditor happy.
Note that this solution eliminates the potential hole of crackers sending bogus location information to hide their attack, and it works for ALL host types, not just the ones that know about the OpenVMS extensions to telnet protocol.
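The trade-off discussed in the two replies above, as an added example that is not part of the original posts and is not OpenVMS code: a simplified sliding-window model of failed-login counting, keyed either by IP address alone or by IP address plus the location string the client reports. The server address, port names, 300-second window and all event data are constructed assumptions.

```python
from collections import defaultdict, deque

def blocked_sources(events, limit, window, trust_location):
    """Return the source keys that reach `limit` failures within `window` seconds.

    events: time-ordered (time_s, ip, location) failed-login records.
    Simplified sliding-window model, not the real OpenVMS intrusion database.
    """
    recent = defaultdict(deque)
    blocked = set()
    for t, ip, location in events:
        # With trust enabled the client-supplied location becomes part of the key.
        key = (ip, location) if trust_location else (ip, None)
        q = recent[key]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= limit:
            blocked.add(key)
    return blocked

SERVER = "192.0.2.10"  # constructed terminal-server address (documentation range)
WINDOW = 300           # assumed window in seconds, standing in for LGI_BRK_TMO

# Constructed: 16 ports, each user mistypes 3 times (48 failures in total).
users = sorted((p * 10 + i, SERVER, f"PORT_{p}")
               for p in range(1, 17) for i in range(3))
# Constructed: 60 failures from one source, each claiming a different location.
varying = [(i, SERVER, f"BOGUS_{i}") for i in range(60)]
# Constructed: the same 60 failures with one constant, honest location.
honest = [(i, SERVER, "PORT_7") for i in range(60)]

def scenario_results():
    return {
        "users_ip_only_limit5": blocked_sources(users, 5, WINDOW, False),
        "users_by_port_limit5": blocked_sources(users, 5, WINDOW, True),
        "users_ip_only_limit50": blocked_sources(users, 50, WINDOW, False),
        "varying_by_port_limit5": blocked_sources(varying, 5, WINDOW, True),
        "varying_ip_only_limit50": blocked_sources(varying, 50, WINDOW, False),
        "honest_by_port_limit5": blocked_sources(honest, 5, WINDOW, True),
    }

if __name__ == "__main__":
    for name, keys in scenario_results().items():
        print(f"{name:26} blocked={sorted(keys, key=str)}")
```

In this model, keying by port stops ordinary typos from blocking the whole terminal server, but a client that changes its claimed location on every attempt is never counted as one source; keying by IP alone with the limit raised to 50 leaves the 16 users unblocked and still flags the 60-attempt run.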
07-25-2006 02:13 AM
Re: tcpip$telnet_trust_location
rob.
07-25-2006 02:14 AM
Re: tcpip$telnet_trust_location
worked, thanks.