Make sure you have LOGFAILURE and BREAKIN ALARMS and AUDITS enabled for all potential sources. Check parameters and make sure you understand how breakin detection and evasion works. See:
$ MCR SYSGEN SHOW/LGI
In particular, make sure your LGI_BRK_LIM is set appropriately.
Rather than scanning the accounting file, try SHOW INTRUSIONS. You'll see something like this:
$ show intru
Intrusion Type Count Expiration Source
--------- ---- ----- ---------- ------
NETWORK SUSPECT 3 31-OCT-2007 08:32:12.86 cracker.central.com::TELNET_0A02FDFE
Suspects are probably just fat fingered users getting their passwords wrong, but INTRUDER maybe something to be concerned about.
For retrospective analysis, look in the security journal (ANALYZE/AUDIT).
There are a few potential ways to automate monitoring. If you're at a terminal, use REPLY/ENABLE=SECURITY. You'll see the audit alarms as they happen.
If you have a console manager, you may have a mechanism for scanning console output for BREAKIN audit messages. Failing that you could build yourself an audit listener to watch for them, or the "poor man's" approach would be a DCL procedure to poll SHOW INTRUSION and scan for intruder records.
>So far, I have not been broken into
Unless you have very lax password policies, and/or users who release their passwords, I'd go so far as to say it's all but impossible to crack an OpenVMS host using any form of dictionary attack (especially if they're using windows standard usernames!). If you're concerned, you can boost your protection by adjusting the LGI parameters to be more severe.
One fairly simple, and usually benign approach is to increase LGI_BRK_TMO and/or LGI_HID_TIM. The default is 5 minutes. Increase them to 1 or 2 DAYS. Any automated attack will be detected in a few seconds, but future attempts will fail from that source for the next few days. The cracker won't see anything other than "invalid password", but the system will refuse access even if they chance on a valid username/password pair. Every failure will just extend the blackout period.
>Is there a way to determine (through the
>accounting utility, SDA, or other means)
>what password they are guessing?
It's a while since I've looked, but I think once a source is declared an intruder, the BREAKIN audits log both the username and password. You need SECURITY privilege to see them in the audit journal.
If it were my system, I'd turn on maximum auditing and request professional assistance from my local law enforcement. This kind of activity is illegal in most jurisdictions. I'd be doing my best to track down and prosecute the perpetrators.
A crucible of informative mistakes
