On 25 Sep 2013, at 16:47, Mark Wickens <mark at wickensonline.co.uk> wrote:
I'd seriously consider picking Steven Hoffman's brains on this before opening a system up to the world.
I had thought about trying to get a VMS box collocated for a 'UK deathrow' experience but Hoff seriously put me off the idea ;)
And I think you have the same 'seat of your pants' mentality that I do, which probably isn't a win when you're looking to manage a public facing system (or at least a public facing system that the public know about!)
Mark.
This is why I manually verify any new user applications and audit what they do for a while. I don't get many hacking attempts or anything on the boxes that I've got telnet open on; it's a different matter once they have an account, of course.
I could maybe move the HILANT cluster into its own VLAN, so IP access from there wouldn't be a big deal, could even firewall most outgoing traffic.
sampsa
Hi Sampsa,
I was considering updating the HECNET-INFO in INFO.TXT with an
ACCESS field. At present it contains:
REGISTER,NOGUEST,NOIP
The latter means it is not connected to the internet.
With the OS and hardware information, this may be useful for
people to see how they can get access to an interesting machine.
I hadn't played with FAL for many months, so I discovered the password
settings for the DECNET accounts and objects were inconsistent, probably
resulting in the security alarms I had mailed you about some time
ago (sorry)!
Erik
On Wed, Sep 25, 2013 at 11:48:39AM +0200, Sampsa Laine wrote:
Of course I am more worried about the non-DEC stuff which could be 'pwned' using a VMS or Ultrix system as a beachhead.
That's my concern as well; I really don't want to put my HECnet stuff on a separate VLAN. Right now it's on my internal network with all my other stuff.
Is it possible to deny a user access to the IP stack (either UCX or MultiNet)? If so, I would set up my guest accounts to 'DECnet only' access.
I'd like to do this as well - if the user has no access to IP, I'd be happier to let pretty much anyone in.
sampsa
On 25/09/2013 01:54, Sampsa Laine wrote:
I'm always happy to take more users onto CHIMPY and the HILANT clusters - you think I should let people in comp.os.vms know about these?
Does anybody mind 'outsiders' getting access to HECnet?
I don't mind. Most will probably not explore the fact that there is a big DECnet behind the machines.
It is not that we are preventing people today either. It's just that there have never been much fuss about HECnet.
However, I can understand if some people feel worried about traffic and issues. If so, let us know, and we'll try to think of what to do.
This is why I manually vet the account requests - if the email address or name seem totally bullshit, I just ignore the request.
I get maybe 2-3 new users per week on each system. I personally don't want to let the Deathrow guys behind my firewall :)
sampsa
Sampsa
I'd seriously consider picking Steven Hoffman's brains on this before opening a system up to the world.
I had thought about trying to get a VMS box collocated for a 'UK deathrow' experience but Hoff seriously put me off the idea ;)
And I think you have the same 'seat of your pants' mentality that I do, which probably isn't a win when you're looking to manage a public facing system (or at least a public facing system that the public know about!)
Mark.
--
http://www.wickensonline.co.uk
http://hecnet.eu
http://declegacy.org.uk
http://retrochallenge.net
https://twitter.com/#!/%40urbancamo
On 25 Sep 2013, at 16:45, Mark Wickens <mark at wickensonline.co.uk> wrote:
Quite possibly. But then I've been asleep since then...
Maybe you just forgot to close the session
sampsa <sampsa at mac.com>
mobile +358 40 7208932
Hello!
Okay, since under an earlier agreement I am not allowed to blame something else.
-----
Gregg C Levine gregg.drwho8 at gmail.com
"This signature fought the Time Wars, time and again."
On Wed, Sep 25, 2013 at 10:42 AM, Mark Wickens <mark at wickensonline.co.uk> wrote:
On 25/09/2013 15:30, Sampsa Laine wrote:
Nope, just saw that the guy was logged into the launch pad from a UK BT
ISP address for 7 hours.
Maybe someone just forgot to close a window or something.
I should probably implement logging for LAUNCH at some point.
sampsa <sampsa at mac.com>
mobile +358 40 7208932
As with most of these things, it's probably safe to assume that I am the
root cause ;)
Mark.
Did you telnet into CHIMPY last night? That would solve the mystery..
sampsa <sampsa at mac.com>
mobile +358 40 7208932
Nope, just saw that the guy was logged into the launch pad from a UK BT ISP address for 7 hours.
Maybe someone just forgot to close a window or something.
I should probably implement logging for LAUNCH at some point.
sampsa <sampsa at mac.com>
mobile +358 40 7208932
On 25 Sep 2013, at 16:24, Gregg Levine <gregg.drwho8 at gmail.com> wrote:
Hello!
I can tell you very definitely it wasn't me. Do your logs show any
more information while your favorite simian as system was signed into?
-----
Gregg C Levine gregg.drwho8 at gmail.com
"This signature fought the Time Wars, time and again."
On Wed, Sep 25, 2013 at 6:01 AM, Sampsa Laine <sampsa at mac.com> wrote:
Did any of you guys get a lot of logins from CHIMPY yesterday?
Looks like somebody was signed into the LAUNCH account for 7+ hours..
24-SEP-2013 18:53:47.95 LOGIN REMOTE CHIMPY LAUNCH 0003273A Host: host86-138-13-111.range
25-SEP-2013 02:37:41.49 LOGOUT REMOTE CHIMPY LAUNCH 0003273A Host: host86-138-13-111.range
sampsa <sampsa at mac.com>
mobile +358 40 7208932
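The two LOGIN/LOGOUT lines quoted above are exactly the kind of record a long-session alert can be built on. The following is an added example, not code from the thread or from any of the systems discussed: it pairs LOGIN and LOGOUT records by node, username and PID, computes the session length, and reports sessions that run longer than a threshold (the 4-hour limit is an assumption, as is the line format, which is inferred from the two lines quoted in the message). The second, short session in the sample input is constructed here so the pairing logic has something to pass over; the open-session reporting covers the case where a LOGOUT has not been seen yet.

```python
import re
from datetime import datetime

# Constructed sample input: the two lines quoted in the thread, plus a short
# hypothetical session (PID 0003273B, host example-host.invalid) added here.
SAMPLE_LOG = """\
24-SEP-2013 18:53:47.95 LOGIN REMOTE CHIMPY LAUNCH 0003273A Host: host86-138-13-111.range
24-SEP-2013 19:10:02.10 LOGIN REMOTE CHIMPY LAUNCH 0003273B Host: example-host.invalid
24-SEP-2013 19:12:30.00 LOGOUT REMOTE CHIMPY LAUNCH 0003273B Host: example-host.invalid
25-SEP-2013 02:37:41.49 LOGOUT REMOTE CHIMPY LAUNCH 0003273A Host: host86-138-13-111.range
"""

# Field layout assumed from the quoted lines:
# <timestamp> <LOGIN|LOGOUT> <mode> <node> <user> <pid> Host: <host>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<event>LOGIN|LOGOUT)\s+(?P<mode>\S+)\s+(?P<node>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<pid>[0-9A-F]{8})\s+Host:\s+(?P<host>\S+)\s*$"
)


def parse_line(line):
    """Return a dict for one record, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # strptime matches month abbreviations case-insensitively, so "SEP" is fine.
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return rec


def pair_sessions(lines):
    """Pair LOGIN with LOGOUT on (node, user, pid); open sessions get seconds=None."""
    open_sessions = {}
    sessions = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["node"], rec["user"], rec["pid"])
        if rec["event"] == "LOGIN":
            open_sessions[key] = rec
        elif key in open_sessions:
            start = open_sessions.pop(key)
            sessions.append({
                "node": start["node"], "user": start["user"], "pid": start["pid"],
                "host": start["host"], "start": start["ts"], "end": rec["ts"],
                "seconds": (rec["ts"] - start["ts"]).total_seconds(),
            })
    # A LOGIN with no LOGOUT yet is still a live session; report it as such.
    for start in open_sessions.values():
        sessions.append({
            "node": start["node"], "user": start["user"], "pid": start["pid"],
            "host": start["host"], "start": start["ts"], "end": None,
            "seconds": None,
        })
    return sessions


def long_sessions(lines, max_hours=4.0):
    """Closed sessions longer than max_hours (threshold is an assumption)."""
    limit = max_hours * 3600
    return [s for s in pair_sessions(lines)
            if s["seconds"] is not None and s["seconds"] > limit]


if __name__ == "__main__":
    for s in long_sessions(SAMPLE_LOG.splitlines()):
        print(f"{s['node']} {s['user']} pid {s['pid']} from {s['host']}: "
              f"{s['seconds'] / 3600:.2f} h ({s['start']} .. {s['end']})")
```

Run against the sample, the 0003273A session comes out at roughly 7.7 hours and is the only one flagged; the constructed 0003273B session lasts a couple of minutes and is skipped. Keying on the PID rather than on username alone is what keeps overlapping logins by the same shared account (LAUNCH here) from being paired with each other's LOGOUT records.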
On Wed, Sep 25, 2013 at 11:48:39AM +0200, Sampsa Laine wrote:
Of course I am more worried about the non-DEC stuff which could be 'pwned' using a VMS or Ultrix system as a beachhead.
That's my concern as well; I really don't want to put my HECnet stuff on a separate VLAN. Right now it's on my internal network with all my other stuff.
You don't?
SLACKER! :)
Is it possible to deny a user access to the IP stack (either UCX or MultiNet)? If so, I would set up my guest accounts to 'DECnet only' access.
I'd like to do this as well - if the user has no access to IP, I'd be happier to let pretty much anyone in.
I know you can do it with DECnet, but I don't know about IP. That would
be nifty if you could.
-brian