[HECnet] Botnet hits on 23/tcp

G. gerry77 at mail.com
Tue Oct 25 12:44:40 PDT 2016


On Tue, 25 Oct 2016 21:23:17 +0200, Johnny Billquist wrote:

> Totally agree on disabling interactive logins. But I would perhaps limit 
> that to just network logins. (I believe VMS can also make that distinction.)

Yes, I forgot that. At the moment I do not even remember if that does work
with all the available TCP/IP implementations (Digital, Process Software,
etc.). I seem to remember that there was some difference among them in the
way they honoured that flag in the user authorization file...

> However, if the intrusion system disables the account, it becomes a 
> rather ugly DOS vector. Not sure how they were thinking there...

Actually it does not completely disable the profile: it just sets some
timers which control for how long an account cannot log in, even with
the good password. As soon as someone tries a bad password the account gets
flagged as suspect and a timer is started; if the bad password is tried a
certain number of times before the timer expires, the account is flagged as
intruder, a new timer is set and logins for that account are disabled. If
I'm not wrong, this second timer is reset every Nth attempt at login, so the
more you try the more you wait. It's a DOS, but at least auto-restoring.

IIRC, there are hooks in LOGINOUT.EXE that allow for an external program to
be called upon certain events, so that its behaviour can be customised in
some way, but I've never really studied it, so I cannot say for sure. :)

G.
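
A simplified model of the suspect/intruder timers as this message describes them, added here as an example and not taken from the post or from VMS itself. The parameter names and values are assumptions, and the rule that every Nth attempt restarts the lockout follows the poster's recollection. It shows the self-restoring lockout: once the account is flagged, the correct password is refused until the timer runs out.

```python
from dataclasses import dataclass

@dataclass
class AccountGuard:
    # All four values are assumptions chosen for the demo, not VMS defaults.
    limit: int = 3             # bad passwords allowed inside the suspect window
    suspect_window: int = 300  # seconds the "suspect" flag lasts
    lockout: int = 600         # seconds logins stay disabled for an "intruder"
    reset_every: int = 2       # every Nth try while locked restarts the lockout
    failures: int = 0
    suspect_until: float = 0.0
    locked_until: float = 0.0
    tries_while_locked: int = 0

    def state(self, now):
        if now < self.locked_until:
            return "intruder"
        return "suspect" if now < self.suspect_until else "clean"

    def attempt(self, now, password_ok):
        """Return True if a login at time `now` (seconds) is accepted."""
        st = self.state(now)
        if st == "intruder":
            # Refused even with the correct password; persistence extends the wait.
            self.tries_while_locked += 1
            if self.tries_while_locked % self.reset_every == 0:
                self.locked_until = now + self.lockout
            return False
        if st == "clean":  # all timers expired: earlier failures are forgotten
            self.failures = self.tries_while_locked = 0
        if password_ok:
            return True
        self.failures += 1
        if st == "clean":
            self.suspect_until = now + self.suspect_window  # first failure starts the timer
        if self.failures >= self.limit:
            self.locked_until = now + self.lockout
            self.failures, self.suspect_until = 0, 0.0
        return False

def replay(events, guard=None):
    """Feed (time, password_ok) pairs to a guard; return (time, accepted, state_after)."""
    guard = guard or AccountGuard()
    return [(t, guard.attempt(t, ok), guard.state(t)) for t, ok in events]

# Constructed timeline: three bad passwords, then logins with the correct one.
TIMELINE = [(0, False), (10, False), (20, False), (60, True),
            (100, False), (650, True), (701, True)]

print(*replay(TIMELINE), sep="\n")
```

Lengthening `suspect_window` or lowering `limit` in this model makes the account lock sooner, which also makes the legitimate owner easier to lock out.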



