[HECnet] Botnet hits on 23/tcp

Sampsa Laine sampsa at mac.com
Tue Oct 25 17:01:52 PDT 2016


> On 25 Oct 2016, at 22:23, Johnny Billquist <bqt at softjar.se> wrote:
> 
> On 2016-10-25 19:51, G. wrote:
>> On Tue, 25 Oct 2016 17:48:45 +0300, Sampsa Laine wrote:
>> 
>>> Also, is renaming the SYSTEM account likely to break stuff? They seem to be
>>> targeting that specific username so I figured I’d change it to STALIN or
>>> something…
>> 
>> Instead of renaming it, you may want to disable interactive logins for the
>> SYSTEM account altogether, or you may want to investigate tightening
>> timeouts for the intrusion detection function (see SHOW INTRU command), so
>> that VMS will not allow logins from accounts for which a certain threshold
>> has been reached, even if the attacker guesses the password. :)
> 
> Totally agree on disabling interactive logins. But I would perhaps limit that to just network logins. (I believe VMS can also make that distinction.)
> 
> However, if the intrusion system disables the account, it becomes a rather ugly DoS vector. Not sure how they were thinking there…
> 

Here’s the weird thing about VMS (well, I guess it’s the TCP/IP Layered Product generating the events, so maybe the weird thing about both MULTINET and HP’s TCP/IP LP):

- DECNET logins are shown as REMOTE/NETWORK
- TCP/IP logins are shown as _LOCAL_.

I always wondered where the logic behind that was.

Is there any way to limit logins to, say, JUST NETWORK, because that would effectively disable TCP/IP logins, no?

Sampsa

