<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
And there is a genius from Trinidad trying very hard to get into my
system with username "SHSTEM" all the time :)<br>
<br>
<div class="moz-cite-prefix">On 10/26/2016 12:24 AM, Kari Uusimäki
wrote:<br>
</div>
<blockquote
cite="mid:9e914c96-8fa0-59b6-9029-5a1ae71f38d3@exdecfinland.org"
type="cite">
<br>
You can limit different types of logins in different ways.
<br>
E.g. by defining when you can login in the UAF.
<br>
<br>
    Anyhow, I wouldn't be too concerned about those scripties. The
    DECUS server in Finland has been online since the early 90's and no one
    has ever succeeded in breaking in.
<br>
Telnet was enabled until about a year ago and the SYSTEM account
has been enabled normally.
<br>
<br>
    Two settings are recommended to make life bitter for the
scripties. First extend the breakin system parameters to make the
waiting time really long and second limit the maximum sessions of
telnet or ssh. Then the scripties will try for a while, but soon
they'll be bored and find an easier target. And your system will
not be much affected.
<br>
<br>
<br>
<br>
Kari
<br>
<br>
<br>
On 26.10.2016 3:01, Sampsa Laine wrote:
<br>
<blockquote type="cite">
<blockquote type="cite">On 25 Oct 2016, at 22:23, Johnny
        Billquist <a class="moz-txt-link-rfc2396E" href="mailto:bqt@softjar.se">&lt;bqt@softjar.se&gt;</a> wrote:
<br>
<br>
On 2016-10-25 19:51, G. wrote:
<br>
<blockquote type="cite">On Tue, 25 Oct 2016 17:48:45 +0300,
Sampsa Laine wrote:
<br>
<br>
<blockquote type="cite">Also, is renaming the SYSTEM account
likely to break stuff? They seem to be
<br>
targeting that specific username so I figured I’d change
it to STALIN or
<br>
something…
<br>
</blockquote>
Instead of renaming it, you may want to disable interactive
logins for the
<br>
SYSTEM account altogether, or you may want to investigate
about tightening
<br>
timeouts for the intrusion detection function (see SHOW
INTRU command), so
<br>
that VMS will not allow logins from accounts for which a
certain threshold
<br>
has been reached, even if the attacker guesses the password.
:)
<br>
</blockquote>
Totally agree on disabling interactive logins. But I would
perhaps limit that to just network logins. (I believe VMS can
also make that distinction.)
<br>
<br>
However, if the intrusion system disables the account, it
becomes a rather ugly DOS vector. Not sure how they were
thinking there…
<br>
<br>
</blockquote>
Here’s the weird thing about VMS (well I guess it’s the TCP/IP
Layered Product generating the events so maybe the weird thing
about both MULTINET and HP’s TCP/IP LP):
<br>
<br>
- DECNET logins are shown as REMOTE/NETWORK
<br>
- TCP/IP logins are shown as _LOCAL_.
<br>
<br>
I always wondered where the logic behind that was.
<br>
<br>
Is there any way to limit logins to say JUST NETWORK because
that would effectively disable TCP/IP logins, no?
<br>
<br>
Sampsa
<br>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<p style="font-family: tahoma, sans-serif; color: rgb(153, 153,
153); font-size: 10px;">Supratim Sanyal<br>
<i><strong>Named must your fear be before banish it you can. -
Yoda</strong></i><br>
39.19151 N, 77.23432 W | Ph: +1 469 SANYALS (+1 469 726 9257) |
<a href="http://www.sanyal.org/" target="_blank">www.sanyal.org</a><br>
Sent via <a href="http://www.fossamail.org" target="_blank">FossaMail</a>
on Windows 10 Professional 64-bit / Intel Mobile Core 2 Duo
P8700 @ 2533 MHz</p>
</div>
</body>
</html>