[Info-vax] intrusion detection
Michael Moroney
moroney at world.std.spaamtrap.com
Fri Mar 13 13:40:56 EDT 2009
JF Mezei <jfmezei.spamnot at vaxination.ca> writes:
>The difficulty in automating this is:
>1- Capturing the login attempt alarms.
$ SET AUDIT/LISTENER=MBAxxx:. However, how to use such messages isn't
well documented. There was something in SYS$EXAMPLES on VAX on older
versions of VMS, but not for Alpha/Itanium.
>2- Deciding at what rate of attempts to take action
My program takes action once attempts become considered BREAKINs by VMS.
That can be configured by the proper LGI$ parameter.
>3- what action to take.
I null-route the address the breakin comes from, with certain exceptions
(the local net). It SPAWNs a process so other things can be done as well.
>Furthermore, the whole intrusion system should have been designed to be
>configurable to call a user written code/procedure for each intrusion
>attempt, and that would have allowed site specific procedures to handle
>such intrusions. (for instance, dictionary attacks from china, you just
>block the ip for 2 days, but for 3 illegal login attempts from an
>in-house IP, you block it for an LGI specific time).
Been there, done that.
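The thread describes the same control loop twice: count failed logins per source inside a time window (the LGI$ breakin parameters), treat a source that crosses the limit as an intruder, and then act differently for off-site and in-house addresses. The following is an added illustration of that logic, not code from the original post, from VMS or from either poster's program. It consumes constructed failed-login events in place of the audit-listener mailbox messages; the threshold names are modelled on the VMS parameters LGI_BRK_LIM and LGI_BRK_TMO, but their values, the "local net", the two block durations and the BreakinMonitor class are all assumptions made for the example.

```python
"""Rate-based login-failure monitor (illustrative, not VMS code).

Events are constructed here; in the setup described in the thread they
would come from the SET AUDIT/LISTENER mailbox. Thresholds are modelled
on OpenVMS LGI_BRK_LIM / LGI_BRK_TMO, but the values are assumptions.
"""
import ipaddress
from collections import defaultdict, deque

# Assumed thresholds, modelled on LGI_BRK_LIM and LGI_BRK_TMO (values illustrative)
BRK_LIM = 5                    # failures inside BRK_TMO that make a source an intruder
BRK_TMO = 300                  # seconds: sliding window over which failures are counted
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]   # constructed "local net"
REMOTE_BLOCK = 2 * 24 * 3600   # null-route duration for off-site sources (2 days, per the quoted proposal)
LOCAL_BLOCK = 15 * 60          # assumed shorter lock for in-house sources


class BreakinMonitor:
    """Tracks failures per source and decides when, and how, to block."""

    def __init__(self, brk_lim=BRK_LIM, brk_tmo=BRK_TMO, local_nets=LOCAL_NETS):
        self.brk_lim = brk_lim
        self.brk_tmo = brk_tmo
        self.local_nets = local_nets
        self.failures = defaultdict(deque)   # source -> timestamps of recent failures
        self.blocks = {}                     # source -> time at which its block expires
        self.actions = []                    # (time, source, action) record for the operator

    def is_local(self, source):
        addr = ipaddress.ip_address(source)
        return any(addr in net for net in self.local_nets)

    def blocked(self, source, now):
        """True while a block is in force; a lapsed block is removed."""
        expiry = self.blocks.get(source)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocks[source]          # block lapsed; the source starts clean again
            return False
        return True

    def record_failure(self, source, now):
        """Feed one failed-login event; returns the action taken, if any."""
        if self.blocked(source, now):
            return "already-blocked"
        window = self.failures[source]
        window.append(now)
        while window and now - window[0] > self.brk_tmo:
            window.popleft()                 # forget failures older than the window
        if len(window) < self.brk_lim:
            return None
        # Threshold crossed: the source is now an intruder; locality decides the response
        if self.is_local(source):
            action, duration = "local-block", LOCAL_BLOCK
        else:
            action, duration = "null-route", REMOTE_BLOCK
        self.blocks[source] = now + duration
        window.clear()
        self.actions.append((now, source, action))
        return action


def run_demo():
    """Replay constructed events and return the monitor plus the actions per source."""
    mon = BreakinMonitor()
    # Constructed events: (seconds since start, source address)
    events = [(t, "203.0.113.7") for t in range(0, 50, 10)]        # 5 rapid failures, off-site
    events += [(t, "192.168.1.20") for t in range(0, 50, 10)]      # 5 rapid failures, in-house
    events += [(t, "198.51.100.9") for t in range(0, 3000, 600)]   # slow drip, one per 10 min: never trips
    events += [(60, "203.0.113.7")]                                # a further failure after the null-route
    results = {}
    for t, src in sorted(events):
        outcome = mon.record_failure(src, t)
        if outcome:
            results.setdefault(src, []).append(outcome)
    return mon, results


if __name__ == "__main__":
    monitor, outcomes = run_demo()
    for when, src, act in monitor.actions:
        print(f"t={when:>5}s  {src:<14}  {act}")
```

The slow-drip source never crosses the limit because each failure falls outside the window of the previous one, which is exactly the case a fixed-count rule without a time window would get wrong; and a source already blocked does not re-trigger the block, so the spawned follow-up action runs once per incident rather than once per packet.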