Catching a bandit

Catching a bandit

Post by BINGH.. » Fri, 05 Feb 1999 04:00:00



One of the students at my university came to me and complained about
breakin attempts on her account. On our VMS 5.5 machine we indeed had
recorded several invalid password errors in the operator.log. She thinks
she knows who is doing it and could apparently identify them by the
password they are trying. Apparently the person she suspects must have
known one of her old passwords.

Is there a way to tell what invalid passwords a person is using to try to
break into an account? Is there a way, independent of having an operator
console running all the time, to immediately alert a particular user when a
breakin attempt occurs on another account?

Thanks,
Tim

ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
o  Tim Bingham                      SUNY Health Science Center        o
o  Operations and Network Services  750 E. Adams St.                  o
o  Info. Management & Technology    Syracuse, NY  13210               o
o  phone (315) 464-8294             fax   (315) 464-4081              o
o                                                                     o
o  "OpenVMS is today what Microsoft wants Windows NT v8.0 to be"      o
o              - Compaq Computer Corp., Sept. 1998.                   o
o                                                                     o
ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo


Catching a bandit

Post by JOHN MALMBER » Sat, 06 Feb 1999 04:00:00


I recommend that you read the guide to system security.  It will have all the
details that you need.
It is better that you look it up than for me to reveal how much you can track
directly from OpenVMS, even with a version that old.

If a cracker does manage to gain access to a privileged account, chances are
they do not know where all of the logs are, and so will miss at least one, so I
do not want to give them a check list.

If you have a Windoze NT WINS server on your network it will tell you the last
Windoze user and PC that used a particular I.P. address, if that is the source
of your problem.

-John


Catching a bandit

Post by Bob Koehl » Sat, 06 Feb 1999 04:00:00



>One of the students at my university came to me and complained about
>breakin attempts on her account. On our VMS 5.5 machine we indeed had
>recorded several invalid password errors in the operator.log. She thinks
>she knows who is doing it and could apparently identify them by the
>password they are trying. Apparently the person she suspects must have
>known one of her old passwords.

If you have a reasonable level of security auditing running all the data
you're looking for should be in the security audit log.  Not the
operator log, and not the accounting file.

If you don't have at least this much security auditing enabled then you
shouldn't have the power switch in the ON position.

----------------------------------------------------------------------
Bob Koehler                     | Computer Sciences Corporation
Hubble Space Telescope Payload  | Federal Sector, Civil Group
 Flight Software Team           | please remove ".aspm" when replying


Catching a bandit

Post by Hoff Hoffm » Wed, 10 Feb 1999 04:00:00


:
:One of the students at my university came to me and complained about
:breakin attempts on her account. On our VMS 5.5 machine we indeed had
:recorded several invalid password errors in the operator.log. She thinks
:she knows who is doing it and could apparently identify them by the
:password they are trying. Apparently the person she suspects must have
:known one of her old passwords.
:
:Is there a way to tell what invalid passwords a person is using to try to
:break into an account?

  V5.5 is a relative antique, V7.2 is current.  V6.0 and later in
  particular have more and better security auditing features...

  OpenVMS auditing has had -- for many years -- the ability to log
  the username and attempted password in the auditing database.

  Most OpenVMS systems should have file access failures, breakin,
  authorization, sysgen, ACL, and logfailure audits -- if not
  additional audits -- enabled.

  This inclusion of the password in the audits (not alarms!) was the
  source of a discussion in the newsgroups a while back, there were
  folks concerned that the contents of the auditing database could be
  used to compromise system security if the passwords were a "near miss".
  Conversely, the "near miss" can be useful in determining the type of
  attack underway.  The password is not logged ("alarmed") via OPCOM
  even when the appropriate security alarms are enabled, it is only
  logged into the (protected) audit database.

:Is there a way, independent of having an operator
:console running all the time, to immediately alert a particular user when a
:breakin attempt occurs on another account?

  If you choose to create and run an audit listener process, yes...
  (See SET AUDIT/LISTENER...)

 -------------------------- pure personal opinion ---------------------------
 Hoff (Stephen) Hoffman   OpenVMS Engineering   hoffman#xdelta.zko.dec.com
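The DCL commands below are an added example, not from any of the posters, showing the two things the replies describe: enabling the audit classes Hoff lists so that failed logins are journaled in the security audit log rather than the operator log (Bob's point), and then pulling the failures against one account back out of that journal with ANALYZE/AUDIT. The journal file name is the usual default; the username, date, and output file are placeholders.

```dcl
$! Added example: enable security auditing and query the audit journal.
$! Requires SECURITY privilege (and a suitably privileged account).
$!
$! 1. Journal (not just alarm) the classes the reply lists. /AUDIT writes
$!    events to the audit journal; attempted passwords appear only there.
$ SET AUDIT/AUDIT/ENABLE=(BREAKIN=ALL, LOGFAILURE=ALL, AUTHORIZATION, -
        SYSGEN, ACL)
$!
$! 2. Optionally raise OPCOM alarms for the same login events. Alarms
$!    never carry the attempted password, only the journal does.
$ SET AUDIT/ALARM/ENABLE=(BREAKIN=ALL, LOGFAILURE=ALL)
$!
$! 3. Confirm what is enabled.
$ SHOW AUDIT/ALL
$!
$! 4. Extract breakin and login-failure records for one account since a
$!    given date. TARGETUSER and the date are placeholders.
$ ANALYZE/AUDIT SYS$MANAGER:SECURITY.AUDIT$JOURNAL -
        /EVENT_TYPE=(BREAKIN, LOGFAILURE) -
        /SELECT=USERNAME=TARGETUSER -
        /SINCE=01-FEB-1999 -
        /FULL -
        /OUTPUT=SYS$LOGIN:TARGETUSER_FAILURES.LIS
```

The /FULL report is what lets the investigator see, per failed attempt, the source of the login and the other fields the journal records, so the question of who is trying which password is answered from the journal rather than from OPERATOR.LOG. Real-time notification of a particular user is a separate matter: as Hoff notes, it requires a site-written listener program registered with SET AUDIT/LISTENER, which is not shown here.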