[HECnet] Botnet hits on 23/tcp

Kari Uusimäki uusimaki at exdecfinland.org
Tue Oct 25 21:24:54 PDT 2016


You can limit different types of logins in different ways.
E.g. by defining when you can login in the UAF.

Anyhow, I wouldn't be too concerned about those scripties. The DECUS 
server in Finland has been online since the early '90s and no one has ever 
succeeded in breaking in.
Telnet was enabled until about a year ago and the SYSTEM account has 
been enabled normally.

Two settings are recommended to make life bitter for the scripties. 
First, extend the break-in system parameters to make the waiting time 
really long, and second, limit the maximum number of telnet or ssh sessions. Then 
the scripties will try for a while, but soon they'll be bored and find 
an easier target. And your system will not be much affected.



Kari


On 26.10.2016 3:01, Sampsa Laine wrote:
>> On 25 Oct 2016, at 22:23, Johnny Billquist <bqt at softjar.se> wrote:
>>
>> On 2016-10-25 19:51, G. wrote:
>>> On Tue, 25 Oct 2016 17:48:45 +0300, Sampsa Laine wrote:
>>>
>>>> Also, is renaming the SYSTEM account likely to break stuff? They seem to be
>>>> targeting that specific username so I figured I’d change it to STALIN or
>>>> something…
>>> Instead of renaming it, you may want to disable interactive logins for the
>>> SYSTEM account altogether, or you may want to investigate about tightening
>>> timeouts for the intrusion detection function (see SHOW INTRU command), so
>>> that VMS will not allow logins from accounts for which a certain threshold
>>> has been reached, even if the attacker guesses the password. :)
>> Totally agree on disabling interactive logins. But I would perhaps limit that to just network logins. (I believe VMS can also make that distinction.)
>>
>> However, if the intrusion system disables the account, it becomes a rather ugly DOS vector. Not sure how they were thinking there…
>>
> Here’s the weird thing about VMS (well I guess it’s the TCP/IP Layered Product generating the events so maybe the weird thing about both MULTINET and HP’s TCP/IP LP):
>
> - DECNET logins are shown as REMOTE/NETWORK
> - TCP/IP logins are shown as _LOCAL_.
>
> I always wondered where the logic behind that was.
>
> Is there any way to limit logins to say JUST NETWORK because that would effectively disable TCP/IP logins, no?
>
> Sampsa
>
>
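The two settings Kari recommends, plus the DISUSER caveat Johnny raises, as an added DCL command procedure that is not part of the thread. Parameter, utility and qualifier names (SYSGEN LGI_BRK_LIM, LGI_BRK_TMO, LGI_HID_TIM, LGI_BRK_DISUSER; SYSMAN PARAMETERS; AUTHORIZE MODIFY /NOREMOTE /NODIALUP; TCPIP SET SERVICE /LIMIT) are real OpenVMS and HP TCP/IP Services names; the numeric values are assumptions chosen for illustration, and MultiNet's equivalent of the session limit is not shown.

```dcl
$! Added example, not from the HECnet thread. Run from a privileged account.
$!
$! 1. See what the break-in detector currently holds. A stale record that
$!    blocks a legitimate source can be removed with DELETE/INTRUSION_RECORD.
$ SHOW INTRUSION
$!
$! 2. Lengthen the break-in timers so a guesser is locked out for a long time
$!    after only a few failures. The LGI_* parameters are dynamic, so writing
$!    ACTIVE applies them at once; writing CURRENT keeps them across a reboot.
$!    (Assumed values; defaults are LGI_BRK_LIM=5, LGI_BRK_TMO=300, LGI_HID_TIM=300.)
$ RUN SYS$SYSTEM:SYSMAN
PARAMETERS USE ACTIVE
PARAMETERS SET LGI_BRK_LIM 3
PARAMETERS SET LGI_BRK_TMO 3600
PARAMETERS SET LGI_HID_TIM 3600
PARAMETERS SET LGI_BRK_DISUSER 0
PARAMETERS WRITE ACTIVE
PARAMETERS WRITE CURRENT
EXIT
$!
$! LGI_BRK_DISUSER = 0 matters: with 1, detection sets the DISUSER flag on the
$! account, so an attacker who only needs to fail a few times can lock SYSTEM
$! out of its own machine (the DOS vector noted above). With 0, only the
$! offending source/user pair is refused, and only until LGI_HID_TIM expires.
$!
$! Record the same values in MODPARAMS.DAT so the next AUTOGEN does not undo them.
$ OPEN/APPEND MP SYS$SYSTEM:MODPARAMS.DAT
$ WRITE MP "! Break-in evasion tuning"
$ WRITE MP "LGI_BRK_LIM = 3"
$ WRITE MP "LGI_BRK_TMO = 3600"
$ WRITE MP "LGI_HID_TIM = 3600"
$ WRITE MP "LGI_BRK_DISUSER = 0"
$ CLOSE MP
$!
$! 3. Restrict how SYSTEM may log in. /NOREMOTE blocks SET HOST (DECnet)
$!    logins and /NODIALUP blocks dial-up lines. As the thread notes, TCP/IP
$!    telnet logins register as LOCAL, so this step alone does not stop them.
$ RUN SYS$SYSTEM:AUTHORIZE
MODIFY SYSTEM /NOREMOTE /NODIALUP
SHOW SYSTEM
EXIT
$!
$! 4. Cap concurrent telnet and ssh sessions (HP TCP/IP Services). A scanner
$!    that opens many parallel connections then just gets refused connects.
$!    The limit of 4 is an assumption; pick what your real users need.
$ TCPIP SET SERVICE TELNET /LIMIT=4
$ TCPIP SET SERVICE SSH /LIMIT=4
$ TCPIP SHOW SERVICE TELNET /FULL
$ TCPIP SHOW SERVICE SSH /FULL
$ EXIT
```

After applying this, a wrong password from a given source is counted for an hour and, once three failures accumulate, that source is refused for a further hour even if it later guesses the password, while the SYSTEM account itself stays usable from the console. Re-run SHOW INTRUSION after a scan to confirm records are being created and expiring rather than piling up.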


