[Info-vax] OpenVMS TCPIP equivalent of hosts.deny?

Kerry Main kemain.nospam at gmail.com
Thu Nov 17 08:08:13 EST 2016


> -----Original Message-----
> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On Behalf Of Michael Moroney via Info-vax
> Sent: 16-Nov-16 10:36 PM
> To: info-vax at rbnsn.com
> Cc: Michael Moroney <moroney at world.std.spaamtrap.com>
> Subject: Re: [Info-vax] OpenVMS TCPIP equivalent of hosts.deny?
> 
> Supratim Sanyal <supratim at riseup.invalid> writes:
> 
> >Hi,
> 
> >I am wondering if it is possible to maintain a "deny" file to use with
> >the analyze/audit report generated from a batch job daily
> >(http://sanyalnet-openvms-vax.freeddns.org:82/falserver/intrusions.txt)
> >to keep these telnet spammers in control. Is there a "hosts.deny"
> >equivalent that I can use to save a sorted unique list in for TCPIP to
> >drop connections from?
> 
> The HP TCP/IP has a real limited "deny" capability, something like
> 16 entries only.
> 
> I wrote code years ago that monitors the audit server mailbox for
> breakin events from the internet and null-routes the source
> address (actually the /24 of the source).  Since I couldn't use the
> deny capability for more than 16 attempts, I got around that by doing
> a TCPIP SET ROUTE to use a nonexistent address as a gateway.  So any
> further attempt to contact from the banned host would have the VMS
> system attempt to respond by sending to the nonexistent
> gateway, so the banned host could never set up the TCP
> connection.  To it it appears as if the system vanished off the net.
> 
> 

Another nice benefit of the new VSI OpenVMS TCPIP stack that is
to be based on Multinet: (accept/reject commands)
http://www.process.com/docs/multinet5_5/install_admin/chapter_9.htm

Also, Multinet has a feature which is not new to the Industry
(usually found in security appliances), but a nice native
addition to OpenVMS called Intrusion Prevention System (IPS).

Reference: (V5.3 doc, V5.5 is current)
http://www.process.com/psc/fileadmin/user_upload/documents/multinet/multinet_datasheet.pdf

"MultiNet's IPS monitors network and/or system activities for
malicious or unwanted behavior and can react, in real-time, to
block or prevent those activities. MultiNet SSH, FTP, SNMP,
Telnet, IMAP, and POP3 have been instrumented with IPS to monitor
traffic for malicious attacks. It is highly flexible and
customizable. When an attack is detected, pre-configured rules
will block an intruder's IP address from accessing their system,
prevent an intruder from accessing a specific application, or
both. The time period that the filter is in place is
configurable. An API is provided so that MultiNet customers can
incorporate the IPS functionality into their applications."

Multinet IPS whitepaper based on actual Cust site usage:
http://h41379.www4.hpe.com/openvms/journal/v13/multinet_intrusion.pdf


Regards,

Kerry Main
Kerry dot main at starkgaming dot com
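
The thread above asks for a "sorted unique list" of offending sources and describes banning the /24 of each source. The following is an added example, not code from this thread or from any poster: it reduces a report to that list of /24 blocks, with an allowlist and an event threshold so that your own networks or a single mistyped login do not get null-routed. The report layout, the function name and the sample addresses (documentation ranges) are assumptions made for illustration; the real intrusions.txt format is not shown on this page.

```python
import ipaddress
import re

# Constructed sample lines (assumed layout, documentation address ranges).
SAMPLE_REPORT = """\
17-NOV-2016 01:02:03 breakin telnet 203.0.113.7
17-NOV-2016 01:02:09 breakin telnet 203.0.113.7
17-NOV-2016 01:05:44 breakin telnet 203.0.113.200
17-NOV-2016 02:11:00 breakin telnet 198.51.100.23
17-NOV-2016 02:11:05 breakin telnet 198.51.100.23
17-NOV-2016 03:00:00 breakin telnet 192.0.2.10
17-NOV-2016 03:30:00 breakin telnet 999.1.1.1
"""

# Dotted quads that are not part of a longer dotted or numeric token.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def blocks_to_ban(report_text, allow=(), min_events=1):
    """Return the sorted unique /24 blocks seen at least min_events times.

    allow: networks that must never be banned (own LAN, gateway, admins).
    """
    allow_nets = [ipaddress.ip_network(a) for a in allow]
    counts = {}
    for line in report_text.splitlines():
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.IPv4Address(token)
            except ValueError:
                continue  # looks like an address but is not one (999.1.1.1)
            # Widen the single source address to its enclosing /24.
            block = ipaddress.ip_network(f"{addr}/24", strict=False)
            if any(block.overlaps(a) for a in allow_nets):
                continue  # never ban a block that touches an allowlisted range
            counts[block] = counts.get(block, 0) + 1
    # Networks sort numerically, so the output is stable between daily runs.
    return [str(b) for b in sorted(counts) if counts[b] >= min_events]


if __name__ == "__main__":
    for block in blocks_to_ban(SAMPLE_REPORT, allow=("192.0.2.0/24",), min_events=2):
        print(block)
```

Each block in the output is what would be handed to the blocking mechanism in use, whether a null route as described above or an accept/reject rule.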