?? I replied to this message yesterday - lost in the web?
First of all Scott is correct about changing the system parameter, but it needs a WRITE command. I also advise always using an explicit USE command before changing anything, just to make sure you know what you're changing:
$ MCR SYSGEN
SYSGEN> USE ACTIVE
SYSGEN> SET LGI_BRK_TERM 0
SYSGEN> WRITE ACTIVE
SYSGEN> EXIT
An alternative is to define the system logical name:
$ DEFINE/SYSTEM/EXEC TCPIP$TELNET_NO_REM_ID TRUE
Note that this will effectively disable intrusion detection for ALL telnet connections. Please make sure you understand the full security implications.
Another possibility is to raise the intrusion threshold high enough so users aren't affected. Increase LGI_BRK_LIM to set the number of attempts before a suspect becomes an intruder. The default of 5 is probably a bit low for the real world anyway. How many people's passwords are so obvious that someone could guess it in less than 5 attempts?
For a small number of nodes, or a "trusted" subnet, you can have a periodic job to clear intrusion records. Remember that DELETE/INTRUSION works with wildcards. So:
GOODGUYS.COM
$ SET NOON
$ Loop: DELETE/INTRUSION "10.140.0.*"
$ WAIT 00:02:00.00 ! 2 minutes
$ GOTO Loop
Run this in batch from the SYSTEM during startup.
This will regularly clear your intrusion data base of any records from your immediate subnet, but leave anything else. I'd recommend reviewing your audit journal on a regular basis, to make sure this doesn't mask any real intrusion attempts.
Adjust the source string and delay time to suit your requirements. Consider that you need several attempts before becoming an intruder. By adjusting the time delay and LGI_BRK_LIM you should be able to strike a good balance between security and preventing the unintended denial of service.
Again, before doing any of these things, make sure you understand your realistic security risks and how any changes will affect them.
A crucible of informative mistakes
