[Info-vax] intrusion detection
Rich Jordan
jordan at ccs4vms.com
Fri Mar 13 11:44:17 EDT 2009
On Mar 13, 8:05 am, joukj <jo... at hrem.nano.tudelft.nl> wrote:
> Bill Gunshannon wrote:
> > In article <49ba3625$0$6682$703f8... at textnews.kpn.nl>,
> > joukj <jo... at hrem.nano.tudelft.nl> writes:
> >> Hi All,
>
> >> Today I get the following at the command SHOW INTRUSION:
>
> >> Intrusion Type Count Expiration Source
> >> --------- ---- ----- ---------- ------
> >> NETWORK SUSPECT 22 13-MAR-2009 11:39:19.85
> >> IUPOP3::79.121.128.74:eileen
> >> NETWORK SUSPECT 22 13-MAR-2009 11:39:19.86
> >> IUPOP3::79.121.128.74:elaine
> >> NETWORK SUSPECT 22 13-MAR-2009 11:39:19.87
> >> IUPOP3::79.121.128.74:elisabeth
> >> NETWORK SUSPECT 22 13-MAR-2009 11:39:19.88
> >> IUPOP3::79.121.128.74:elizabeth
> >> NETWORK SUSPECT 22 13-MAR-2009 11:39:19.89
> >> IUPOP3::79.121.128.74:ellen
> >> NETWORK SUSPECT 22 13-MAR-2009 11:39:19.90
> >> IUPOP3::79.121.128.74:email
> >> NETWORK SUSPECT 22 13-MAR-2009 11:39:19.90
> >> IUPOP3::79.121.128.74:emails
> >> NETWORK SUSPECT 22 13-MAR-2009 11:39:19.91
> >> IUPOP3::79.121.128.74:emanuel
> >> NETWORK SUSPECT 22 13-MAR-2009 11:47:21.80
> >> IUPOP3::79.121.128.74:emerson
> >> NETWORK SUSPECT 22 13-MAR-2009 11:47:21.81
> >> IUPOP3::79.121.128.74:emily
> >> NETWORK SUSPECT 22 13-MAR-2009 11:47:21.81
> >> IUPOP3::79.121.128.74:emma
> >> NETWORK SUSPECT 22 13-MAR-2009 11:48:02.01
> >> IUPOP3::79.121.128.74:emmanuel
> >> NETWORK INTRUDER 22 13-MAR-2009 11:24:41.45
> >> IUPOP3::79.121.128.74:encrypt
> >> NETWORK INTRUDER 22 13-MAR-2009 11:28:15.26
> >> IUPOP3::79.121.128.74:eric
> >> NETWORK SUSPECT 88 13-MAR-2009 11:39:20.16
> >> IUPOP3::79.121.128.74:gilbert
> >> etc.....
>
> >> The attack seems to come from one IP address using different usernames to
> >> get access to the POP server. Should the detection system not block
> >> the whole access from this host and not per user? As it is configured
> >> now they can keep trying to get in (and waste bandwidth because they will
> >> not succeed)
>
> > One entry in your firewall stops that. You do have a firewall, right?
>
> > bill
>
> I know. Also the abuse was already reported to "computer-authorities" in
> my university in order to "stop" the abuse.
> My question was more "principle" for the next time, since at present I
> can block the "offending" IP address. But if the attack comes from a
> completely different network in future it will not be blocked (the POP3
> service i.e. should be open for our legal clients from outside the
> university). I was just wondering why all these offences were logged as
> "single" offences and not "bundled" as one so that a retry with another
> username does not help. I noticed that the SSHD from HP/TCPIP probably
> does this.
>
> Jouk
Unless something has changed in very recent versions, I'm pretty sure
one of the shortcomings of the HP POP server that comes with TCPIP
Services is that it does NOT tie in to the normal VMS security
mechanisms completely, so you can never trip actual intruder evasion.
I'm certain there have been a number of unhappy posts over these
shortcomings.
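The per-host "bundling" Jouk asks about can be done outside the POP server by post-processing SHOW INTRUSION output. The script below is an added example, not code from the thread or from HP TCPIP Services: it parses the two-line records as the mailer wrapped them above (source on a continuation line) as well as single-line records, groups entries by source host, and flags a host that rotates usernames even when no single entry has reached INTRUDER. The sample output is constructed from the entries quoted in the thread plus one hypothetical second host (10.0.0.5); the blocking thresholds and the assumption that the source field is `protocol::IPv4:username` are mine.

```python
"""Aggregate OpenVMS SHOW INTRUSION records per source host.

Added example for the Info-vax thread; not part of the original post.
Assumes the Source column has the form PROTOCOL::IPv4-ADDRESS:USERNAME
(an IPv6 literal would need bracket handling). Thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: counts and timestamps taken from the thread, plus a
# hypothetical low-volume host whose source is printed on the same line.
SAMPLE = """\
Intrusion       Type       Count  Expiration           Source
---------       ----       -----  ----------           ------
NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.85
                                  IUPOP3::79.121.128.74:eileen
NETWORK         SUSPECT       22  13-MAR-2009 11:39:19.86
                                  IUPOP3::79.121.128.74:elaine
NETWORK         INTRUDER      22  13-MAR-2009 11:24:41.45
                                  IUPOP3::79.121.128.74:encrypt
NETWORK         SUSPECT       88  13-MAR-2009 11:39:20.16
                                  IUPOP3::79.121.128.74:gilbert
NETWORK         SUSPECT        3  13-MAR-2009 12:01:00.00  IUPOP3::10.0.0.5:alice
"""

# One SHOW INTRUSION record; the Source column is optional on this line
# because long sources wrap onto the next line.
RECORD_RE = re.compile(
    r"^(?P<kind>\S+)\s+(?P<type>SUSPECT|INTRUDER)\s+(?P<count>\d+)\s+"
    r"(?P<expires>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{2})"
    r"(?:\s+(?P<source>\S+))?\s*$"
)


def parse_intrusions(text):
    """Return a list of dicts, one per intrusion record, joining wrapped sources."""
    records = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RECORD_RE.match(lines[i].rstrip())
        i += 1
        if not m:
            continue  # header, separator or stray line
        source = m.group("source")
        if source is None and i < len(lines):
            source = lines[i].strip()  # continuation line carries the source
            i += 1
        records.append({
            "kind": m.group("kind"),
            "type": m.group("type"),
            "count": int(m.group("count")),
            "expires": m.group("expires"),
            "source": source,
        })
    return records


def split_source(source):
    """'IUPOP3::79.121.128.74:eileen' -> ('IUPOP3', '79.121.128.74', 'eileen')."""
    proto, _, rest = source.partition("::")
    host, _, user = rest.rpartition(":")
    return proto, host, user


def summarize_by_host(records):
    """Collapse per-user records into one entry per source host."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set(), "intruder": False})
    for r in records:
        _, host, user = split_source(r["source"])
        s = summary[host]
        s["attempts"] += r["count"]
        s["users"].add(user)
        s["intruder"] = s["intruder"] or r["type"] == "INTRUDER"
    return dict(summary)


def hosts_to_block(summary, max_users=3, max_attempts=50):
    """Hosts that should be blocked as a whole (thresholds are assumptions).

    A host is blocked if it has tried several distinct usernames, has a
    large total failure count, or already holds an INTRUDER record, so that
    retrying with a fresh username does not reset the clock.
    """
    return sorted(
        host for host, s in summary.items()
        if len(s["users"]) >= max_users
        or s["attempts"] >= max_attempts
        or s["intruder"]
    )


if __name__ == "__main__":
    by_host = summarize_by_host(parse_intrusions(SAMPLE))
    for host, s in sorted(by_host.items()):
        print(f"{host:16} attempts={s['attempts']:4} users={len(s['users'])} "
              f"intruder={s['intruder']}")
    print("block:", hosts_to_block(by_host))
```

On a live system the input would come from `$ SHOW INTRUSION` captured to a file (or from the audit server's login-failure alarms), and the resulting host list fed to the packet filter or to a TCPIP access-control list; the script only decides, it does not block. The thresholds are deliberately conservative so that a legitimate user mistyping one password a few times from a shared NAT address is not swept up with the scanner.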