[Info-vax] SSH on VAX - performance impact of break in attempts
Kari Uusimäki
uusimaki at exdecWITHOUTTHISfinland.org
Thu Aug 26 14:36:06 EDT 2010
On 25.8.2010 17:42, VAXman- @SendSpamHere.ORG wrote:
> In article <BpKdnaQjJc72k-jRnZ2dnUVZ_uKdnZ2d at earthlink.com>, Altivo Overo <tivo at altivo.org> writes:
>> On Wed, 25 Aug 2010 12:00:31 +0000, VAXman- wrote:
>>
>>> Because only a fool would create a 'root' account or an 'administrator'
>>> account on VMS *AND* give it privies. If such a fool should exist, he or
>>> she deserves the wrath of whatever these password crackers can do! The
>>> 12 character username prohibits the 'administrator' account.
>>
>> Some of them will try "operator" and "system" too. I stopped this
>> nonsense by blocking it at the firewall before it gets to the OpenVMS
>> system. SSH to that machine is possible only from specific originating
>> address ranges. That solution works well here, but of course isn't
>> practical for everyone. Non-dictionary passwords such as those created by
>> the password generator facility are good protection against this sort of
>> break-in, but won't keep them from trying.
>
> When one is on the road, there's no way of knowing the IP address in a
> great many cases. I've wanted to setup a block on the Cisco whereby a
> "knock on the door" of a certain web page I'd setup would send an SNMP
> command to the Cisco to add the IP to an ACL. Sadly, after speaking to
> a number of Cisco engineers, there's no way to do this with SNMP.
>
> I am not too worried. I use TCPIP Services and move the ssh port high
> into the ephemeral port region. Also, I put a limit on the number of ssh
> sessions/connections with the SET SERVICE /LIMIT command. Even if one
> were to attack, the attack would be short-lived. ;)
I've used exactly the same recipe (port number change and session limit).
That's effective enough.
The default session limit of 10000 sessions is weird. You need a hell of a
machine to cope with so many simultaneous sessions. Even half of that
needs a powerful machine.
Why not set a default limit of e.g. 256 which the system manager could
raise if needed.
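The two-step recipe discussed in this thread (move the SSH listener off port 22 and cap concurrent connections with SET SERVICE /LIMIT) written out as DCL. This is an added example, not commands posted by any participant; the port number, the limit value and the sshd2_config file location are assumptions, and the qualifier names should be checked against TCPIP HELP SET SERVICE on the target system before use.

```dcl
$! Added example, not from the thread. Look at the current SSH service
$! definition first; the /FULL display includes the connection limit.
$ TCPIP SHOW SERVICE SSH /FULL
$!
$! Take the listener down before changing it so the new settings apply
$! cleanly when it is re-enabled.
$ TCPIP DISABLE SERVICE SSH
$!
$! Move the listener off port 22 (50022 is an assumed value; pick a port
$! that is free on this host) and cap simultaneous connections. The 10000
$! default mentioned above is far more than a small VAX can serve; 32 is
$! an assumed value that a system manager can raise later if needed.
$ TCPIP SET SERVICE SSH /PORT=50022 /LIMIT=32
$!
$! The sshd2 daemon reads its own "Port" setting from its configuration
$! file and it must agree with the service definition. The file location
$! below is assumed to be the TCPIP Services default; edit the Port line
$! to match the value given to SET SERVICE.
$ EDIT TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSHD2_CONFIG.
$!
$! Bring the service back and confirm the new port and limit took effect.
$ TCPIP ENABLE SERVICE SSH
$ TCPIP SHOW SERVICE SSH /FULL
```

Note that moving the port does not stop a scanner that sweeps the whole range; it only removes the host from the cheap "everything on 22" lists, and the /LIMIT cap is what bounds the cost of a sustained attempt. A firewall rule restricting the source addresses, as described earlier in the thread, is the stronger control where the originating addresses are known.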