by Werner Pachle » Wed, 12 May 1999 04:00:00
We all know that an account is locked for a while if somebody attempts to
login without success.
With every unsuccessfully attempt the lockout duration will become longer.
(On a secure system).
OK, now to the question:
If somebody has locked the SYSTEM account in that way, what can be done,
excluding reboot or waiting, to log in as SYSTEM?
Thanks to all,
Werner
by Jimmi Aakj » Wed, 12 May 1999 04:00:00
>We all know that an account is locked for a while if somebody attempts to
>login without success.
>With every unsuccessfully attempt the lockout duration will become longer.
>(On a secure system).
>OK, now to the question:
>If somebody has locked the SYSTEM account in that way, what can be done,
>excluding reboot or waiting, to log in as SYSTEM?
>Thanks to all,
>Werner
First you can look at the intrusion records
$show intrusion
If any intrusion records exists - you can delete them with
$delete /intrusion_record NODEXX::USERNAMEYY
The system account can also have been disabled with a disuser flag -
this can be removed in AUTHORIZE
$MC authorize
UAF>mod USERYY /flag=nodisuser
all this requires some level of privileges
Jimmi
by Jeff Schreib » Wed, 12 May 1999 04:00:00
The intrusion locking should be seperated by source, so if you come on fromQuote:> OK, now to the question:
> If somebody has locked the SYSTEM account in that way, what can be done,
> excluding reboot or waiting, to log in as SYSTEM?
It also might be helpful to give enough privs to your own account so that
you can clear the intrusion records from either account.
-Jeff
--
Jeff Schreiber, Process Software Corp.
TCPware & MultiNet: Stronger than Ever
by Richard B. Gilber » Wed, 12 May 1999 04:00:00
login without success.Quote:>We all know that an account is locked for a while if somebody attempts to
OK, now to the question:
If somebody has locked the SYSTEM account in that way, what can be done,
excluding reboot or waiting, to log in as SYSTEM?
<
On most systems this is not a problem. Most system managers do not
use the SYSTEM account regularly. The system account is needed only for
such things as installing software, or restarting a process that is
supposed to run under the system account.
If this is actually happening to your system, another privileged
account can be used to delete the intrusion records. Again, if it is
actually happening to your system, you also need to use ANALYZE /AUDIT, and
ACCOUNTING to try to determine the source of the attack. If the source is
internal, your organization should take disciplinary action against the
perpetrator. If the source is external, you need to fix your firewall.
You may have to enable a "system password" on modem lines, disable dormant
accounts, disable unneeded TCP/IP services, especially things like rsh and
rexec. Check your DECnet proxies; are they all still necessary.
In short, secure your system!
1. Successful and not successful completion
It seems to me that message 0, successfull completion, and message
4, abort, are flip sides of the same thing, completion. Were it
not better, if message 0 were completion, and success or failure
were shown by $SEVERITY? I so believ.
2. What the hell does '\end occured inside a group' mean?
3. ADSL and Windows 2000 anyone ??
4. Not long ago, I got an account (login) on a computer that doesn't
5. Blocking an Unlisted Number
7. Where info on new releases?
9. login failure when sysuaf is locked
10. Limiting Logins Per Account
11. last login date and time for OVMS accounts
12. login failure when sysuaf is locked