[Info-vax] SSH on VAX - performance impact of break in attempts
Steven Schweda
sms.antinode at gmail.com
Wed Aug 25 17:29:50 EDT 2010
glen herrmannsfeldt wrote:
> This is for terminal logins. It might be that sshd or telnetd
> truncate, even when terminal logins don't.
All the "Administrato" attacks I can remember involved FTP.
The FTP server log shows "Administrator":

   %TCPIP-E-FTP_LOGFAL, remote interactive login failure Administrator
   -TCPIP-I-FTP_NODE, client host name: 211.197.171.175
   -LOGIN-F-NOSUCHUSER, no such user

but the Audit Analysis utility (ANAL /AUDI) shows
"Administrato":

   Security alarm (SECURITY) and security audit (SECURITY) on ALP, system id: 1119
   Auditable event: Network login failure
   Event time: 2-JUN-2010 15:44:14.71
   PID: 20216E82
   Process name: TCPIP$FTPC00105
   Username: Administrato
   Remote node id: 3552947119 (42.943)
   Remote node fullname: 211.197.171.175

I don't know whose fault lies where.
> > (speaking of which, has anyone ever set up a captive ADMINISTRATO or
> > ROOT account with an easily-guessable password that simply logs what
> > the remote hacker tries to do (or even generate dummy output) just for
> > giggles?)
I haven't, but it's tempting for "Administrato". Those FTP
attacks can run on for many attempts, creating annoying bulk
in the logs. A LOGIN.COM which hangs could be better than a
failure. I actually have a (dangerous) ROOT account (like
SYSTEM), because it saves keystrokes when I do FTP from a
UNIX(-like) system to a VMS system. I depend on the usual
break-in evasion stuff (and a decent password).
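
Added example, not part of the original post: one way to correlate the two record types quoted above when counting failed FTP logins, given that the audit record shows a shorter username than the FTP server log. The 12-character field width is an assumption inferred from "Administrato", the function names are hypothetical, and the record layouts are taken only from the excerpts in the post.

```python
import re
from collections import Counter

# Assumption: the audit Username field holds only the first 12 characters.
AUDIT_USERNAME_WIDTH = 12
# Records excerpted from the post: FTP server log, then ANAL /AUDI output.
FTP_LOG = """%TCPIP-E-FTP_LOGFAL, remote interactive login failure Administrator
-TCPIP-I-FTP_NODE, client host name: 211.197.171.175
-LOGIN-F-NOSUCHUSER, no such user"""
AUDIT_LOG = """Auditable event: Network login failure
Username: Administrato
Remote node fullname: 211.197.171.175"""
FTP_USER = re.compile(r"%TCPIP-E-FTP_LOGFAL, remote interactive login failure (\S+)")
FTP_HOST = re.compile(r"-TCPIP-I-FTP_NODE, client host name: (\S+)")

def parse_ftp_failures(text):
    """Return [(username, client_host)] from FTP_LOGFAL message groups."""
    failures, user = [], None
    for line in map(str.strip, text.splitlines()):
        if m := FTP_USER.match(line):
            user = m.group(1)
        elif (m := FTP_HOST.match(line)) and user is not None:
            failures.append((user, m.group(1)))
            user = None
    return failures

def parse_audit_failures(text):
    """Return [(username, remote_host)] from 'Network login failure' records."""
    records, rec = [], None
    for line in text.splitlines():
        key, _, value = (p.strip() for p in line.partition(":"))
        if key == "Auditable event":
            rec = {} if value == "Network login failure" else None
        elif rec is not None:
            rec[key] = value
            if key == "Remote node fullname":
                records.append((rec.get("Username", ""), value))
                rec = None
    return records

def correlate(ftp_text, audit_text):
    """Split FTP failures into (matched, unmatched) against the audit records."""
    pool = Counter((u.upper(), h) for u, h in parse_audit_failures(audit_text))
    matched, unmatched = [], []
    for user, host in parse_ftp_failures(ftp_text):
        # Compare on the truncated, case-folded name plus the remote host.
        k = (user[:AUDIT_USERNAME_WIDTH].upper(), host)
        (matched if pool[k] > 0 else unmatched).append((user, host))
        pool[k] -= 1
    return matched, unmatched
```

An exact string comparison of the two username fields would leave this FTP failure without an audit counterpart; comparing on the truncated name and the remote host pairs them.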