| Title: | VAX and Alpha VMS |
| Notice: | This is a new VMSnotes, please read note 2.1 |
| Moderator: | VAXAXP::BERNARDO |
| Created: | Wed Jan 22 1997 |
| Last Modified: | Fri Jun 06 1997 |
| Last Successful Update: | Fri Jun 06 1997 |
| Number of topics: | 703 |
| Total number of notes: | 3722 |
LOGINOUT or not LOGINOUT?
<<< LASSIE::UCXAXP$DKA0:[NOTES$LIBRARY]UCX.NOTE;1 >>>
-< DEC TCP/IP Services for OpenVMS >-
================================================================================
Note 5369.0 Wrong information registered in intrusion database 2 replies
KETJE::STAES "Topless = No brains at all" 31 lines 21-MAR-1997 08:12:26.81
--------------------------------------------------------------------------------
It seems that TELNET updates the intrusion database with the name of the
TARGET USER instead of the name of the SOURCE USER.
I did the following tests using a $ SET HOST/TELNET command.
(1) In the first example I entered a nonexistent USERNAME/PASSWORD
combination. This was registered with source = IP address of the node
from which the attempt was made.
Intrusion Type Count Expiration Source
TERMINAL SUSPECT 1 21-MAR-1997 14:05:51.59 16.183.0.209:
(2) In the second example I used a valid username but invalid password
for an existing account on the remote node. This was registered using
the username of the target user as source.
Intrusion Type Count Expiration Source
USERNAME SUSPECT 1 21-MAR-1997 14:02:16.02 STEUKERS
I believe that the name of the TELNET user is not sent over to the target
host. Although unhappy with this I have to accept it. What I cannot
accept is that the intrusion database gets updated with the name of the
target user.
The above tests were done using UCX 4.1 and VMS 6.2, both on target and
remote node. The SYSGEN LGI_BRK_TERM parameter was set to 0 on target
node.
Can this be fixed?
Nand.
================================================================================
Note 5369.1 Wrong information registered in intrusion database 1 of 2
LASSIE::GEMIGNANI 3 lines 21-MAR-1997 15:13:22.10
--------------------------------------------------------------------------------
It would seem that LOGINOUT is the component responsible for logging
the intrusion attempt. What can TELNET do to provide more information
to LOGINOUT about the connection?
================================================================================
Note 5369.2 Wrong information registered in intrusion database 2 of 2
KETJE::STAES "Topless = No brains at all" 8 lines 24-MAR-1997 03:13:35.61
-< Who is updating the intrusion db? >-
--------------------------------------------------------------------------------
Not having access to the source code, I presumed that TELNET was updating the
intrusion databases itself via the $SCAN_INTRUSION and $DELETE_INTRUSION
services.
Reading .1, I now tend to believe TELNET informs LOGINOUT, but in a wrong way.
I would expect to see something like {Unknown} or {NONAME} being recorded as
remote user information. Not the name of a - probably innocent - local user.
| T.R | Title | User | Personal Name | Date | Lines |
|---|---|---|---|---|---|
| 418.1 | Auditing Info Source Is UCX | XDELTA::HOFFMAN | Steve, OpenVMS Engineering | Fri Apr 04 1997 09:04 | 15 |
> LOGINOUT or not LOGINOUT?

UCX generates the information you are questioning -- OpenVMS is passed this information during the UCX processing via an undocumented (kernel-mode, if memory serves) interface, and dutifully logs it. You will want to log a QAR against UCX, and the UCX and OpenVMS folks responsible for the security auditing will work this out. IP does not (reliably) transmit the name of the initiating remote user; that's one of the things that makes an IP firewall so much fun to implement and monitor...

| T.R | Title | User | Personal Name | Date | Lines |
|---|---|---|---|---|---|
| 418.2 | | AUSS::GARSON | DECcharity Program Office | Sun Apr 06 1997 22:48 | 17 |

re .0
>I would expect to see something like {Unknown} or {NONAME} being recorded as
>remote user information. Not the name of a - probably innocent - local user.
Regardless of what the source is (and, yes, with IP you don't know the
source username), remember that the system is attempting to identify a
breakin attempt. It is quite reasonable to record against the local
user. It is for the protection of that user.
There does seem to be some confusion about whether the intrusion is
recorded against the destination user or the (perceived) source or the
combination of both. This seems particularly so with network sources
(which may not be affected by LGI_BRK_TERM) and even more so with IP as
the network transport. [As has been discussed before, it makes no sense
to include the full source of an IP login failure because the Port
keeps on changing and defeats the compound intrusion analysis.]

| T.R | Title | User | Personal Name | Date | Lines |
|---|---|---|---|---|---|
| 418.3 | | BSS::BOREN | | Tue Apr 08 1997 08:40 | 30 |

This may help:
a previous exchange on this issue and feedback/update from information
derived from eco 4 for UCX...with OpenVMS V6.2 and later.
Mar 1996:
- The security/break-in problem for TELNET/RLOGIN attempts is
caused by a combination of issues at the UCX and VMS level. Since VMS
6.0, the structure of the intrusion database (in VMS) has changed and
only since VMS 6.2 (on both VAX and AXP), the remote username is
added automatically to the 'source' information in the intrusion record
for login failures. As a result, we have come up with a solution to this
problem *but* this will be effective only on systems running VMS 6.2
or higher.
With this fix (to be released in the first ECO of UCX 4.0), and if you
are running VMS 6.2 (or higher), TELNET/RLOGIN login failures are
reported as "source-node:remote-username". The source-node would be
either another host name or the port number depending on the source of
login attempt.
With older versions of VMS on AXP, you will not notice any change in
behavior from what you see now even with this fix included. On VAX 6.1,
you will just see the "source-node" information if the above fix is
included. Therefore, if you'd like a solution to this problem, the
best thing to do would be to upgrade to VMS 6.2 and obtain the UCX images
which include this fix.
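As an added illustration (not code from this thread or from UCX/OpenVMS), a small Python parser for SHOW INTRUSION output in the form quoted in .0: it flags records whose Source is only a local username (the misleading case Nand describes) and sums counts per source host while ignoring the user part, which is what the compound analysis mentioned in .2 needs once failures are reported as "source-node:remote-username". The sample header line and the last two records are constructed, not real data.

```python
import re
from collections import Counter
# Constructed sample of SHOW INTRUSION output, modelled on the records quoted in
# note 5369.0 plus the "source-node:remote-username" form described in .3; the
# header line and the last two records are assumptions, not real data.
SAMPLE = """\
Intrusion  Type     Count  Expiration               Source
TERMINAL   SUSPECT  1      21-MAR-1997 14:05:51.59  16.183.0.209:
USERNAME   SUSPECT  1      21-MAR-1997 14:02:16.02  STEUKERS
USERNAME   SUSPECT  2      21-MAR-1997 14:20:16.02  16.183.0.209:GUEST
USERNAME   SUSPECT  1      21-MAR-1997 14:22:03.10  16.183.0.209:JDOE
"""

# Columns: Intrusion, Type, Count, Expiration (date time), Source.
RECORD_RE = re.compile(r"^(?P<intrusion>\S+)\s+(?P<type>\S+)\s+(?P<count>\d+)\s+"
                       r"(?P<expiration>\S+ \S+)\s+(?P<source>\S+)$")

def parse_intrusions(text):
    """Return one dict per data record; the header line fails the count match."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            records.append(rec)
    return records

def classify_source(source):
    """Split Source into (host, user, kind): 'host_user' for host:user, 'host_only'
    for a host with no user part, 'local_user' when only a local account is named."""
    host, sep, user = source.partition(":")
    if not sep:
        return "", source, "local_user"
    return host, user, "host_user" if user else "host_only"

def misattributed(records):
    """Sources that are just a local username; they say nothing about the origin."""
    return [r["source"] for r in records
            if classify_source(r["source"])[2] == "local_user"]

def attempts_by_host(records):
    """Sum counts per source host, ignoring the user part (compound analysis)."""
    totals = Counter()
    for r in records:
        host = classify_source(r["source"])[0]
        if host:
            totals[host] += r["count"]
    return dict(totals)
```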