HP3000-L Archives

March 1999, Week 1

HP3000-L@RAVEN.UTC.EDU

From: Wirt Atmar <[log in to unmask]>
Date: Sat, 6 Mar 1999 14:14:50 EST

John Korb writes:

> While on this topic, perhaps someone can answer a couple of questions.
>
>  Do any of the security packages available collect and log the IP address of
>  the source of FAILED LOGIN ATTEMPTS (HELLO commands which have an invalid
>  session name, user name, account name, group name, user password, account
>  password, group password, or other HELLO command parameter)?

John's question comes very close to an algorithm that we (meaning all of us
here on this list) worked out a few months ago. Rather than have the HP3000
merely log the IP addresses of the failed logon attempts, the rules that we
cooperatively decided upon were to have MPE write a time-stamped version of
the remote IP address into the deny list of the INETDSEC.NET.SYS file.

The general rules were:

     o After 10 sequential failed logon attempts, write the remote IP address
       into the deny list, with a time-stamp

     o Log the remote IP address into a log file at the same time

     o After 24 hours, remove the time-stamped IP address from the INETDSEC
       file. Doing this prevents the permanent denial of a legitimate remote IP
       address that has been spoofed with the absolute minimum of human monitoring
       (essentially none, which will be important for small and/or remote office
       installations).

     o The numeric values listed above would be the defaults, but the number
       of failures before entry into the deny list and the decay times of the
       rejected IP addresses could be configured by a system manager to what he or
       she feels are more appropriate values, if desired.

The way to break a password attack is to simply slow it down. Allowing only 10
failed attempts a day will essentially extend an attempt to break one password
to a period longer than the Sun is expected to shine. Further, doing this adds
security to both internal and external attacks. Distance (or being inside or
outside of a firewall) is irrelevant to being a "remote IP" address. Ten
failed attempts and you're denied, regardless of where you sit topologically.

As pointed out before, this algorithm will do nothing to suppress
denial-of-service attacks, but neither are denial-of-service attacks anything new.
People have programmed their computers to dial Jerry Falwell's or Pat
Robertson's (or anyone else they disagree with) 800 numbers every few seconds.
These actions have generally been declared criminal and have been prosecuted.
These sorts of attacks will always likely have to be responded to at the point
of origin, not at the receiver's end.

No algorithm is a panacea, but this one is simple; it should be easy to
implement; and it can only add to the security of HP3000s directly connected
to the internet, particularly so in small offices where elaborate and intense
system management is neither available nor desired.

The question is now: how do we get this enhancement request onto the system
improvement ballot? It was talked about at the time of the last discussion,
but nothing seemed to come of it.

Wirt Atmar
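As an added example that is not part of the original message, and not HP's or Wirt Atmar's code: a Python model of the rules laid out above (the 10-failure threshold, the time-stamped deny-list entry, the log line written at the same time, and the 24-hour decay, all configurable). The INETDSEC.NET.SYS deny list is stood in for by an in-memory dictionary, timestamps are plain seconds, and the sample logon attempts are constructed. One assumption beyond the text is that a successful logon resets the failure count, which is what "sequential" failed attempts implies.

```python
"""Model of a failed-logon deny list with time-stamped entries and automatic decay.
Added example; not HP or MPE code. The real INETDSEC file is replaced by a dict."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class DenyListGuard:
    max_failures: int = 10           # sequential failures before denial (default from the post)
    decay_seconds: int = 24 * 3600   # how long a denied address stays on the list (default 24 h)
    failures: Dict[str, int] = field(default_factory=dict)     # consecutive failures per source IP
    deny_list: Dict[str, float] = field(default_factory=dict)  # source IP -> time it was denied
    log: List[str] = field(default_factory=list)               # audit log lines (constructed format)

    def expire(self, now: float) -> List[str]:
        """Drop deny-list entries older than decay_seconds; returns the IPs removed."""
        expired = [ip for ip, t in self.deny_list.items() if now - t >= self.decay_seconds]
        for ip in expired:
            del self.deny_list[ip]
            self.log.append(f"{now:.0f} EXPIRE {ip}")
        return expired

    def is_denied(self, ip: str, now: float) -> bool:
        """Check the deny list after first expiring stale entries."""
        self.expire(now)
        return ip in self.deny_list

    def record_attempt(self, ip: str, success: bool, now: float) -> str:
        """Apply one logon attempt; returns 'denied', 'ok' or 'failed'."""
        if self.is_denied(ip, now):
            self.log.append(f"{now:.0f} DENIED {ip}")
            return "denied"
        if success:
            self.failures.pop(ip, None)   # assumption: a successful logon resets the sequence
            return "ok"
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        self.log.append(f"{now:.0f} FAIL {ip} count={count}")
        if count >= self.max_failures:
            # Rule 1 and 2: time-stamped deny entry plus a log line at the same time.
            self.deny_list[ip] = now
            self.failures.pop(ip, None)
            self.log.append(f"{now:.0f} DENY {ip} until={now + self.decay_seconds:.0f}")
        return "failed"


# Constructed sample: ten bad HELLOs from one address, one more while denied,
# a second address that recovers with a good logon, and the first address
# coming back after the 24-hour decay.
SAMPLE_EVENTS: List[Tuple[str, bool, float]] = (
    [("10.0.0.5", False, float(t)) for t in range(10)]
    + [("10.0.0.5", False, 10.0)]
    + [("10.0.0.7", False, 11.0), ("10.0.0.7", False, 12.0), ("10.0.0.7", True, 13.0)]
    + [("10.0.0.5", False, 10.0 + 24 * 3600)]
)


def run_sample() -> Tuple[DenyListGuard, List[str]]:
    """Feed the constructed events through a guard with the default settings."""
    guard = DenyListGuard()
    results = [guard.record_attempt(ip, ok, t) for ip, ok, t in SAMPLE_EVENTS]
    return guard, results


if __name__ == "__main__":
    g, r = run_sample()
    for line in g.log:
        print(line)
    print(r)
```

The `max_failures` and `decay_seconds` fields are the two knobs the message says a system manager should be able to tune; the log is what you would ship to a central host, since the deny list on the HP3000 itself is transient by design.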
