01-31-2006 04:35 AM
SMTP service locked out
The TCPIP$SMTP service account got locked out the other day due to invalid password attempts. Reviewing the audit logs indicated several consecutive attempts from our firewall to connect to the SMTP service. Checking the accounting logs indicated that the sessions were extraordinarily brief (very low CPU time and I/O, especially as compared to a "normal" rejected or successful mail transaction).
What could possibly cause a service account to receive a "bad password", when it's not even possible for the remote system to ask for or provide one?
My only speculation is that this may have been caused by a port scan of the system which was terminated prior to the completion of the process login. Why that would result in an INVPWD instead of an abnormal termination is beyond me at this time, however. Alternatively, could this be an attempt at a DoS attack? (The only reason it would even be close to successful is because we knowingly enforce LGI_BRK_DISUSER.)
Does anyone have any hard factual info or more informed speculation about this kind of a service failure?
TIA,
Aaron
01-31-2006 04:55 AM
Re: SMTP service locked out
to log in as TCPIP$SMTP are two different
things. Can you show one of the log entries?
01-31-2006 05:21 AM
Re: SMTP service locked out
Auditing LOGFAIL entry:
Security alarm (SECURITY) and security audit (SECURITY) on WOODY, system id: 1025
Auditable event: Network login failure
Event time: 29-JAN-2006 23:52:05.60
PID: 206AD01E
Process name: TCPIP$SM_BG1135
Username: TCPIP$SMTP
Remote node id: wxyz (a.b)
Remote node fullname: w.x.y.z
Remote username: TCPIP$SMTP
Status: %LOGIN-F-INVPWD, invalid password
Accounting record:
NETWORK Process Termination
---------------------------
Username: TCPIP$SMTP UIC: [TCPIP$AUX,TCPIP$SMTP]
Account: TCPIP Finish time: 29-JAN-2006 23:52:05.53
Process ID: 206AEC06 Start time: 29-JAN-2006 23:52:04.37
Owner ID: Elapsed time: 0 00:00:01.16
Terminal name: Processor time: 0 00:00:00.10
Remote node addr: Priority: 8
Remote node name: Privilege <31-00>: 00108000
Remote ID: TCPIP$SMTP Privilege <63-32>: 00000000
Remote full name: w.x.y.z
Posix UID: -2 Posix GID: -2 (%XFFFFFFFE)
Queue entry: Final status code: 100020EC
Queue name:
Job name:
Final status text: %SYSTEM-F-LINKDISCON, network partner disconnected logical li
Page faults: 594 Direct IO: 167
Page fault reads: 96 Buffered IO: 135
Peak working set: 6160 Volumes mounted: 0
Peak page file: 179648 Images executed: 5
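The repeated INVPWD failures described in the opening post, and the LOGFAIL entry shown above, can be checked for bursts against one account from a single remote node. This is an added example, not part of any forum post: it assumes the audit listing has been exported as text in the layout shown above, and the function names, the `limit` and `window` values, the placeholder node a.b.c.d and every event time after the first are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MONTHS = "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split()

def parse_vms_time(text):
    """Parse an absolute OpenVMS time such as 29-JAN-2006 23:52:05.60."""
    d, mon, y, hh, mm, ss, cc = re.fullmatch(
        r"(\d{1,2})-([A-Z]{3})-(\d{4}) (\d\d):(\d\d):(\d\d)\.(\d\d)", text).groups()
    return datetime(int(y), MONTHS.index(mon) + 1, int(d),
                    int(hh), int(mm), int(ss), int(cc) * 10_000)

def parse_records(report):
    """Split a formatted audit listing into one dict of fields per event."""
    records = []
    for line in report.splitlines():
        if line.startswith("Security alarm"):
            records.append({})          # header line opens a new event
        elif records and ":" in line:
            key, _, value = line.partition(":")
            records[-1][key.strip()] = value.strip()
    return records

def find_bursts(records, limit=3, window=timedelta(seconds=60)):
    """Map (username, remote node) to its peak INVPWD count per window, if >= limit."""
    times = defaultdict(list)
    for r in records:
        if (r.get("Auditable event") == "Network login failure"
                and "INVPWD" in r.get("Status", "")):
            key = (r["Username"], r.get("Remote node fullname", "?"))
            times[key].append(parse_vms_time(r["Event time"]))
    peaks = {k: max(sum(timedelta(0) <= t - s <= window for t in v) for s in v)
             for k, v in times.items()}
    return {k: n for k, n in peaks.items() if n >= limit}

def entry(time, remote):  # builds one constructed record in the layout shown above
    return ("Security alarm (SECURITY) and security audit (SECURITY) on WOODY\n"
            "Auditable event: Network login failure\n"
            f"Event time: {time}\nUsername: TCPIP$SMTP\n"
            f"Remote node fullname: {remote}\n"
            "Status: %LOGIN-F-INVPWD, invalid password\n")

# Constructed sample: three failures within two seconds, one unrelated failure.
SAMPLE = "".join(entry(t, n) for t, n in [
    ("29-JAN-2006 23:52:05.60", "w.x.y.z"), ("29-JAN-2006 23:52:06.10", "w.x.y.z"),
    ("29-JAN-2006 23:52:06.90", "w.x.y.z"), ("29-JAN-2006 09:10:00.00", "a.b.c.d")])
print(find_bursts(parse_records(SAMPLE)))
```

A burst reported for a service account that remote systems cannot supply a password to is the pattern worth correlating with the accounting records for the same timestamps.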
01-31-2006 08:52 AM
Re: SMTP service locked out
$ dir 0"tcpip$smtp password"::
Provide the output for
$ ucx show service smtp/full
$ mc authorize show TCPIP$SMTP
01-31-2006 10:18 AM
Re: SMTP service locked out
As an alternative, the TCPIP$SMTP account does normally work for the SMTP service. This occurrence is a once in 10 year event. Well, for the lockout -- there are 92 bad password attempts against that account since it was created many moons ago. I've only been responsible for the auditing of these accounts for the past couple weeks, the prior person having just dismissed these events, as near as I can tell. But it appears that this is the reason for all the bad password attempts, and not a misconfigured service as near as I can tell. The fact that I've got 970 spam messages in my wastebasket attests to the fact that the service is *mostly* working as it should...
Aaron
01-31-2006 01:49 PM
Re: SMTP service locked out
Extract
!!!Reject-Mail-From: *.xyz.com, known.spammer@*, *the_internet*
!
!!!Accept-Mail-From: *@notabadguy.xyz.com, the_internet_news@somehwere.com
!
!!!SPAM-Action: OPCOM, ACCOUNTING
!
!!!Security: FRIENDLY
02-02-2006 03:16 AM
Re: SMTP service locked out
Aaron
02-02-2006 04:16 AM
Re: SMTP service locked out
> Peak page file: 179648 Images executed: 5
I'm not familiar with the TCPIP$SMTP service... but, I do find it interesting that your process exits with an INVPWD status and that there were 5 images activated. I'd have expected only 3 image activations for a network process. Is it possible that the status is not the result of a failed login but some bogus value left in R0 when the 4th image exited? Does SYS$SYLOGIN execute any images?
02-02-2006 04:29 AM
Re: SMTP service locked out
Since you did get an alarm for the login failure, speculation of a bad R0 value is not realistic. But what are the other 2 images? Is that normal for this SMTP service? Could one of those image activations have resulted in a second network login? With a logfail for the initial process I'd not have expected multiple imgacts.
02-02-2006 05:01 AM