26 Oct
2016
26 Oct
'16
2:01 a.m.
On 25 Oct 2016, at 22:23, Johnny Billquist <bqt at
softjar.se> wrote:
On 2016-10-25 19:51, G. wrote:
Here?s the weird thing about VMS (well I guess it?s the TCP/IP Layered Product generating
the events so maybe the weird thing about both MULTINET and HP?s TCP/IP LP):
- DECNET logins are shown as REMOTE/NETWORK
- TCP/IP logins are shown as _LOCAL_.
I always wondered where the logic behind that was.
Is there any way to limit logins to say JUST NETWORK because that would effectively
disable TCP/IP logins, no?
Sampsa
On Tue, 25 Oct 2016 17:48:45 +0300, Sampsa Laine
wrote:
Totally agree on disabling interactive logins. But I would perhaps limit that to just
network logins. (I believe VMS can also make that distinction.)
However, if the intrusion system disables the account, it becomes a rather ugly DOS
vector. Not sure how they were thinking there?
Also, is renaming the SYSTEM account likely to
break stuff? They seem to be
targeting that specific username so I figured I?d change it to STALIN or
something?
Instead of renaming it, you may want to disable interactive logins for the
SYSTEM account altogether, or you may want to investigate about tightening
timeouts for the intrusion detection function (see SHOW INTRU command), so
that VMS will not allow logins from accounts for which a certain threshold
has been reached, even if the attacker guesses the password. :)