[Info-vax] intrusion detection

JF Mezei jfmezei.spamnot at vaxination.ca
Fri Mar 13 12:34:43 EDT 2009


Richard B. Gilbert wrote:

> If the machine using 79.121.128.74 belongs to your organization, you 
> would be fully justified in complaining to the owner and/or 
> administrator of that machine.  If the address does not belong to your 
> organization, simply block it at the firewall!

One gets such attempts regularly. At least the POP server the OP is using
is registering the attempts.

The difficulty in automating this is:
1- Capturing the login attempt alarms.
2- Deciding at what rate of attempts to take action
3- what action to take.

This should really have been implemented at the LGI parameter level and
all internet applications forced to use those services. Unfortunately,
because VAX was not given the same security services as Alpha (in
particular ACME services), it becomes hard to provide unified security
in a cluster.

One can write a kludge that will hopefully capture these, but such
kludges are not as good as something embedded into the OS.

Furthermore, the whole intrusion system should have been designed to be
configurable to call a user written code/procedure for each intrusion
attempt, and that would have allowed site specific procedures to handle
such intrusions. (For instance, dictionary attacks from china, you just
block the ip for 2 days, but for 3 illegal login attempts from an
in-house IP, you block it for an LGI specific time).
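The three steps the post lists (capture the login-failure alarms, decide at what rate to act, choose a site-specific action such as a long block for an outside dictionary attack and a short one for an in-house source) sketched as an added example; it is not part of the original thread and is written in Python rather than DCL. The alarm line format, the 192.168.0.0/16 in-house range, the 5-minute window, the thresholds and the block durations are assumptions made for the demo.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified alarm lines ("<date> <time> LOGFAIL <user> <ip>");
# not the real OpenVMS audit format. 79.121.128.74 is the address from the thread.
SAMPLE_ALARMS = """\
2009-03-13 12:00:01 LOGFAIL system 79.121.128.74
2009-03-13 12:00:03 LOGFAIL root 79.121.128.74
2009-03-13 12:00:04 LOGFAIL admin 79.121.128.74
2009-03-13 12:00:06 LOGFAIL guest 79.121.128.74
2009-03-13 12:00:07 LOGFAIL oracle 79.121.128.74
2009-03-13 12:10:00 LOGFAIL jsmith 192.168.10.22
2009-03-13 12:10:20 LOGFAIL jsmith 192.168.10.22
2009-03-13 12:10:40 LOGFAIL jsmith 192.168.10.22
2009-03-13 12:30:00 LOGFAIL jdoe 192.168.10.40
"""
LINE_RE = re.compile(r"^(\S+ \S+) LOGFAIL (\S+) (\S+)$")
IN_HOUSE = [ipaddress.ip_network("192.168.0.0/16")]  # assumed site range

# Policy from the post: outside dictionary attack -> block 2 days;
# 3 failures from an in-house IP -> a short, LGI-style lockout (values assumed).
WINDOW = timedelta(minutes=5)
EXTERNAL_LIMIT, EXTERNAL_BLOCK = 5, timedelta(days=2)
INHOUSE_LIMIT, INHOUSE_BLOCK = 3, timedelta(minutes=15)


def is_in_house(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IN_HOUSE)


def decide_blocks(alarm_text):
    """Step 1: parse alarms; step 2: sliding-window rate per source IP;
    step 3: pick the block duration. Returns {ip: timedelta}."""
    recent, blocks = defaultdict(deque), {}
    for line in alarm_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: not an alarm we can act on
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(3)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop attempts older than the window
            q.popleft()
        limit, block = ((INHOUSE_LIMIT, INHOUSE_BLOCK) if is_in_house(ip)
                        else (EXTERNAL_LIMIT, EXTERNAL_BLOCK))
        if len(q) >= limit and ip not in blocks:
            blocks[ip] = block  # step 3: the site-specific action
    return blocks
```

Running `decide_blocks(SAMPLE_ALARMS)` blocks the outside address for two days after five failures in six seconds and the in-house address for fifteen minutes after three, while the single failure from 192.168.10.40 is left alone.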


