HPE Community
Operating System - OpenVMS
1823415 Members
2525 Online
109655 Solutions
New Discussion юеВ

HOWTO track failed logins in VMS

 
Steve Longenecker
Frequent Advisor

тАО10-16-2004 02:51 AM

тАО10-16-2004 02:51 AM

HOWTO track failed logins in VMS

I need to track failed VMS login attempts for accounts that DO NOT exist on a VMS server. In the UNIX world "lastb" would do the trick, but with VMS I am at a loss. I tried accounting, but all it logs is a LOGFAIL with in the Username column. Any suggestions?
0 Kudos
Reply
8 REPLIES 8
Antoniov.
Honored Contributor

тАО10-16-2004 03:11 AM

тАО10-16-2004 03:11 AM

Re: HOWTO track failed logins in VMS

AFAIK the command is
$ account /since=/type=logfail
example
$ account /since=1-oct-2004/type=logfail

Antonio Vigliotti
Antonio Maria Vigliotti
0 Kudos
Reply
Steve Longenecker
Frequent Advisor

тАО10-16-2004 03:33 AM

тАО10-16-2004 03:33 AM

Re: HOWTO track failed logins in VMS

Antonio, I already tried "account /since=/type=logfail", but the Username column only lists if the username does not exist in UAF. If the username does exist in UAF, then accounting provides the username for the failed login as expected.

In the UNIX world, "lastb" logs the username for all failed login attempts whether or not the username exists on the server. I need something similar for VMS, but I don't recall ever seeing this functionality.
0 Kudos
Reply
Bob Blunt
Respected Contributor

тАО10-16-2004 03:37 AM

тАО10-16-2004 03:37 AM

Re: HOWTO track failed logins in VMS

Steve, depending on your VMS version, you should probably check how security auditing is setup on your system. $ SHOW AUDIT will show how it's configured. This will also show the file used for saving those entries. To review them, use $ ANALYZE AUDIT (and qualifiers).

Both commands are documented in $ HELP.
0 Kudos
Reply
Steve Longenecker
Frequent Advisor

тАО10-16-2004 03:55 AM

тАО10-16-2004 03:55 AM

Re: HOWTO track failed logins in VMS

Bob, I tried analyze/audit as well. But all it also logs "" under "Username:", along with "%LOGIN-F-NOSUCHUSER, no such user" under "Status:". I need to know what what Username was used to trigger NOSUCHUSER.
0 Kudos
Reply
Antoniov.
Honored Contributor

тАО10-16-2004 04:17 AM

тАО10-16-2004 04:17 AM

Re: HOWTO track failed logins in VMS

Steve,
means login failure within wrong user. Analyze/audit can give you more information; for example follow command type login failure of user ANTONIOV:
$ ANALYZE/AUDIT/SINC=1-OCT-2004-
/EVENT=LOGFAIL/SELE=(USER=ANTONIOV)
This work for me :-)

Antonio Vigliotti
Antonio Maria Vigliotti
0 Kudos
Reply
Antoniov.
Honored Contributor

тАО10-16-2004 04:20 AM

тАО10-16-2004 04:20 AM

Re: HOWTO track failed logins in VMS

Steve,
I've forgot my previous command have hyphen symbol (-): I use this only for slitting command for two lines; you have not to type it.

Antonio Vigliotti
Antonio Maria Vigliotti
0 Kudos
Reply
Antoniov.
Honored Contributor

тАО10-16-2004 04:23 AM

тАО10-16-2004 04:23 AM

Re: HOWTO track failed logins in VMS

Steve,
as Bob posted, you have to enable auditing.
See follow:
$ SHOW AUDIT

System security audits currently enabled for:
[...]
Logfailure: batch,dialup,local,remote,network,subprocess,detached

Antonio Vigliotti
Antonio Maria Vigliotti
0 Kudos
Reply
Bob Blunt
Respected Contributor

тАО10-16-2004 12:28 PM

тАО10-16-2004 12:28 PM

Re: HOWTO track failed logins in VMS

In addition, if you have a noisy line or someone started to login (simply pressed a carriage return) and let the attempt timeout, that's all you'll get, "." Depending on the configuration of your security auditing, you'll only get an "attempted" username if something is entered at the prompt.

Usually, getting "" means that a username wasn't entered. Even if you get line noise, you'll have a garbage-looking username in the audit log. Again, depending on how your system is configured and setup, you may get either a terminal port that's consistant or an IP address (depending on configuration, IP stack, VMS version, phase of the moon, your Zodiac sign, etc).

If you can lay hands on VMS' Security-related manuals, they would be your best resource. There's also information that may help on the OpenVMS "Ask the Wizard" pages. I think there are hot links to those on the main OpenVMS pages here...

bob
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.