[Info-vax] SSH on VAX - performance impact of break in attempts
Mark Berryman
mark at theberrymans.com
Wed Aug 25 16:46:54 EDT 2010
On 8/25/10 8:42 AM, VAXman- @SendSpamHere.ORG wrote:
> In article<BpKdnaQjJc72k-jRnZ2dnUVZ_uKdnZ2d at earthlink.com>, Altivo Overo<tivo at altivo.org> writes:
>> On Wed, 25 Aug 2010 12:00:31 +0000, VAXman- wrote:
>>
>>> Because only a fool would create a 'root' account or an 'administrator'
>>> account on VMS *AND* give it privies. If such a fool should exist, he or
>>> she deserves the wrath of whatever these password crackers can do! The
>>> 12 character username prohibits the 'administrator' account.
>>
>> Some of them will try "operator" and "system" too. I stopped this
>> nonsense by blocking it at the firewall before it gets to the OpenVMS
>> system. SSH to that machine is possible only from specific originating
>> address ranges. That solution works well here, but of course isn't
>> practical for everyone. Non-dictionary passwords such as those created by
>> the password generator facility are good protection against this sort of
>> break-in, but won't keep them from trying.
>
> When one is on the road, there's no way of knowing the IP address in a
> great many cases. I've wanted to set up a block on the Cisco whereby a
> "knock on the door" of a certain web page I'd set up would send an SNMP
> command to the Cisco to add the IP to an ACL. Sadly, after speaking to
> a number of Cisco engineers, there's no way to do this with SNMP.
>
This is trivial to do with SNMP. Have a script that generates the ACL
with the ability to add the new entry in question when it regenerates
the ACL. The ACL is simply placed in a file. Then, issue an SNMP
command to the router which tells it to fetch the file to reload the
ACL. Any number of protocols are available for fetching the file. I
have done this many times.
Feel free to contact me if you'd like more details.
Mark Berryman
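
An added sketch of the file-generation half of the approach described in the message above; it is not Mark Berryman's script. The ACL name, server address, prefix limit and sample entries are assumptions, and the SNMP step that tells the router to fetch the file is not shown.

```python
import ipaddress, os, tempfile

ACL_NAME = "SSH-KNOCK"   # hypothetical ACL name
SSH_HOST = "192.0.2.10"  # constructed address of the SSH server
MIN_PREFIX = 16          # assumed policy: refuse anything broader than a /16

def normalize_sources(raw_entries):
    """Return (collapsed IPv4 networks, rejected raw strings)."""
    nets, rejected = [], []
    for raw in raw_entries:
        try:
            # strict=True rejects stray host bits; embedded newlines or IOS
            # keywords fail to parse, so they never reach the config file.
            net = ipaddress.ip_network(raw.strip(), strict=True)
        except ValueError:
            rejected.append(raw)
            continue
        if net.version != 4 or net.prefixlen < MIN_PREFIX:
            rejected.append(raw)
        else:
            nets.append(net)
    return list(ipaddress.collapse_addresses(nets)), rejected

def render_acl(nets):
    """Render the complete ACL; it is regenerated and reloaded as a whole."""
    lines = [f"no ip access-list extended {ACL_NAME}",
             f"ip access-list extended {ACL_NAME}"]
    for net in nets:
        src = (f"host {net.network_address}" if net.prefixlen == 32
               else f"{net.network_address} {net.hostmask}")
        lines.append(f" permit tcp {src} host {SSH_HOST} eq 22")
    lines += [f" deny tcp any host {SSH_HOST} eq 22",
              " permit ip any any",  # assumed: other traffic is filtered elsewhere
              "end"]
    return "\n".join(lines) + "\n"

def write_acl(path, text):
    """Write atomically so the router never fetches a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o644)  # mkstemp creates 0600; the file server must read it
    os.replace(tmp, path)

# Constructed sample input, as it might arrive from the "knock" page.
SAMPLE = ["198.51.100.7", " 203.0.113.0/24 ", "203.0.113.9", "0.0.0.0/0",
          "198.51.100.7\n permit ip any any", "2001:db8::1"]

if __name__ == "__main__":
    nets, rejected = normalize_sources(SAMPLE)
    print(render_acl(nets), end="")
    print("rejected:", rejected)
```

The leading `no ip access-list` line makes the reload replace the list rather than append to it; on IOS an ACL that is referenced but not defined permits traffic, so there is a brief open window while the file loads.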