
What's this mean with "<login>" a/c in break-in record?

Davor_7
Regular Advisor

Hi expert,

I analyze the break-in records and find that many records' usernames are marked as "<login>".
I have no idea about this information, who knows it?

thanks
19 REPLIES 19
Vladimir Fabecic
Honored Contributor

Re: What's this mean with "<login>" a/c in break-in record?

For example:
You establish a connection and get "Username". You do not enter a username, the timeout period expires and the connection is disconnected.
Usually this means that no username was entered when the connection was established.
You can also have this kind of record when someone scans your VMS system with some kind of port scanner.
In vino veritas, in VMS cluster
Daniel Fernandez Illan
Trusted Contributor

Re: What's this mean with "<login>" a/c in break-in record?

Davor
Some years ago, I had a similar problem, a lot of break-ins marked as login. The problem was induced by a serial device - TX type - that sent requests to a VAX box and produced a failure on the multiplexor box.
You can check with the intrusion (SHO INTRUSION) command and discover if the break-in records are produced by a particular device.
Saludos.
Daniel.
Davor_7
Regular Advisor

Re: What's this mean with "<login>" a/c in break-in record?

thanks,
but... after my test.
If you try to manually break in to the system, you can still get the "<login>" report even if you enter a username each time.
Furthermore, I found that not all the login failure records can be analysed from the event log...
Does anybody know this problem? (Maybe called a bug?)
Ian Miller.
Honored Contributor

Re: What's this mean with "<login>" a/c in break-in record?

Are you looking at the audit log or accounting or something else?
____________________
Purely Personal Opinion
Mike Reznak
Trusted Contributor

Re: What's this mean with "<login>" a/c in break-in record?

Davor,

do you mean this record from audit file?

Auditable event: Local interactive login failure
Event time: 27-OCT-2005 19:07:43.67
PID: 2D17558A
Process name: _VTA1661:
Username:
Process owner: [SYSTEM]
Terminal name: _VTA1661, Host: 10.155.155.155 Port: 2039
Image name: $1$DGA2500:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
Posix UID: -2
Posix GID: -2 (%XFFFFFFFE)
Status: %LOGIN-F-CMDINPUT, error reading command input

If it is so, then you can achieve it this way
(Don't write any username)

MYHOST> set host 0


Unauthorised Access is PROHIBITED

Username:
Error reading command input
Timeout period expired
%REM-S-END, control returned to node MYHOST::

Mike
...and I think to myself, what a wonderful world ;o)
Mike Reznak
Trusted Contributor

Re: What's this mean with "<login>" a/c in break-in record?

Just to add something.
You can still see the source host or device, from which the login was attempted.
Usually it's caused just by no action by the user.
Sometimes it's caused by unsteady network traffic (corrupted frames) or a faulty or wrongly configured terminal device.
Or it can be some type of network scanning.

Mike
...and I think to myself, what a wonderful world ;o)
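The check described in the posts above (see which terminal or host produces the login failures that carry no username) can be scripted over a text audit report. This is an added example, not code from any poster; it assumes records laid out like the one quoted above, treats an empty or "<login>" username as "no username entered", and uses constructed sample records with placeholder addresses.

```python
import re
from collections import Counter

# Constructed sample in the layout of the audit record quoted in the thread.
# Addresses and terminal names are placeholders, not values from the posts.
SAMPLE = """\
Auditable event:   Local interactive login failure
Username:
Terminal name:     _VTA1661, Host: 192.0.2.10 Port: 2039
Status:            %LOGIN-F-CMDINPUT, error reading command input

Auditable event:   Local interactive login failure
Username:          <login>
Terminal name:     _TTA2:
Status:            %LOGIN-F-CMDINPUT, error reading command input

Auditable event:   Local interactive login failure
Username:          GUEST1
Terminal name:     _VTA1670, Host: 192.0.2.77 Port: 4410
Status:            %LOGIN-F-NOSUCHUSER, no such user
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):[ \t]*(.*)$")

def parse_records(text):
    """Split the report into one dict per record; a new record starts at 'Auditable event'."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Auditable event" and current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records

def source_of(rec):
    """Prefer the network host; fall back to the terminal line (serial ports have no Host)."""
    term = rec.get("Terminal name", "")
    host = re.search(r"Host:\s*(\S+)", term)
    return host.group(1) if host else (term.split(",")[0] or "unknown")

def no_username_by_source(records):
    """Count failures with no username per source, to spot a bad line or a scanner."""
    return Counter(source_of(r) for r in records
                   if r.get("Username", "") in ("", "<login>"))
```

A single terminal line with a high count points at the bad-line case described in the thread; a single network host with a high count points at idle connections or scanning.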
comarow
Trusted Contributor

Re: What's this mean with "<login>" a/c in break-in record?

Can you show your error?
Davor_7
Regular Advisor

Re: What's this mean with "<login>" a/c in break-in record?

Mike et al.,

That's the audit log, you are right.

But I have not tested what you suggest :)
Willem Grooters
Honored Contributor

Re: What's this mean with "<login>" a/c in break-in record?

<login> tells there has been an incomplete login attempt, most often expired input, that is: something VMS would see as such. In principle, a bad line to a terminal port could cause this: each signal on that line would be seen as unsolicited input and trigger the login sequence. That obviously times out and writes the event.
If it is from the same terminal line, that line is suspected to be bad in this respect.
You can also check the accounting file for login failures; also check operator.log on the event - the system may have been set up to use accounting and operator for signalling login events.

Willem
Willem Grooters
OpenVMS Developer & System Manager
Davor_7
Regular Advisor

Re: What's this mean with "<login>" a/c in break-in record?

thanks Willem

But as a matter of fact, from my test, I input a wrong username/password 9 times continuously and got the analysis report from the event log. It shows 8:1 (8 times it has the right username, but 1 time "<login>" is displayed). Furthermore, the password sometimes is not the same as I input. How to explain such a result?
Wim Van den Wyngaert
Honored Contributor
Solution

Re: What's this mean with "<login>" a/c in break-in record?

Tested it on 7.3.

1. Accounting.

Timeout on username : <login>
Timeout on password : <login>
Invalid username : <login>
Correct username + incorrect password : the correct username

I got only 1 accounting record for each set host command (even if 3 times a username was entered). Only the last action is written (e.g. timeout after invalid username is timeout).

SSH based login may react differently.

2. Audit.

The username and password as entered were shown in the breakin records. Which I think is bad. No password should be revealed to the system manager (if you see "secrey" you may guess that the password is "secret").
In the login failure records, <login> was shown when the username was invalid. No password was ever shown.

Wim
Wim
Davor_7
Regular Advisor

Re: What's this mean with "<login>" a/c in break-in record?

Wim,

The last sentence: "<login> was shown when the username was invalid."

But my result is that if the username was invalid, it was still shown in the audit log, with the error: "%status ... no such user"

In summary, I think there are many uncertain factors in VMS. Hope my finding is wrong...
Wim Van den Wyngaert
Honored Contributor

Re: What's this mean with "<login>" a/c in break-in record?

Davor,

Was your record marked "login failure" on the first line of the audit report ?
If it is "breakin" your findings are as expected (always shows the info).

Wim
Wim
Davor_7
Regular Advisor

Re: What's this mean with "<login>" a/c in break-in record?

it shows:
Remote interactive login failure
or
Remote interactive breakin detection
Ian Miller.
Honored Contributor

Re: What's this mean with "<login>" a/c in break-in record?

The argument for including the incorrect password in the audit record is that this may help you with determining what the person attempting to log in is doing, e.g. if you see a pattern in the passwords used it may indicate a systematic attempt to log in.
____________________
Purely Personal Opinion
Davor_7
Regular Advisor

Re: What's this mean with "<login>" a/c in break-in record?

Miller,
you mean that it should be reasonable due to system designation?
Jan van den Ende
Honored Contributor

Re: What's this mean with "<login>" a/c in break-in record?

Davor,

from your Forum Profile:


I have assigned points to 85 of 108 responses to my questions.

It looks like you mostly have some older streams unassigned.

Maybe you can find some time to do some assigning?

http://forums1.itrc.hp.com/service/forums/helptips.do?#33

Mind, I do NOT say you necessarily need to give lots of points. It is fully up to _YOU_ to decide how many. If you consider an answer is not deserving any points, you can also assign 0 ( = zero ) points, and then that answer will no longer be counted as unassigned.
Consider, that every poster took at least the trouble of posting for you!

To easily find your streams with unassigned points, click your own name somewhere.
This will bring up your profile.
Near the bottom of that page, under the caption "My Question(s)" you will find "questions or topics with unassigned points". Clicking that will give all, and only, your questions that still have unassigned postings.

Thanks on behalf of your Forum colleagues.

PS. - nothing personal in this. I try to post it to everyone with this kind of assignment ratio in this forum. If you have received a posting like this before - please do not take offence - none is intended!

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Ian Miller.
Honored Contributor

Re: What's this mean with "<login>" a/c in break-in record?

Davor,
you said "you mean that it should be reasonable due to system designation?"

Can you rephrase this question because I don't understand what you are asking.
____________________
Purely Personal Opinion
Davor_7
Regular Advisor

Re: What's this mean with "<login>" a/c in break-in record?

close it
thanks!