HP3000-L Archives

April 2002, Week 4

HP3000-L@RAVEN.UTC.EDU

Subject:
From:
John Korb <[log in to unmask]>
Reply To:
John Korb <[log in to unmask]>
Date:
Wed, 24 Apr 2002 12:13:20 -0400
Content-Type:
text/plain
Parts/Attachments:
text/plain (354 lines)
":showvar @;job=#S6224" may be an enhancement implemented in 7.0, as it 
works for me and we are running 7.0 express 1 with patches.  From the HELP 
command:

:help showvar
SHOWVAR

      Displays specific variable names and their current values.

SYNTAX

      SHOWVAR [varid][,varid]...[,varid]
              [job= jobID ]
              [;USER | HP | ANY]

KEYWORDS: PARMS,OPERATION,EXAMPLE
:

A few years ago I developed a UDC file that logs IP address and other 
information to a circular file as well as sending the information to the 
console.

Features:
    o Obtains IP address and other information, uses TELLOP to send that
      information to the console, and thus, to the console log.
    o Writes IP address information to a circular log file on disc for
      quick and easy scanning (LOGIPADR.LOG.SYS).
    o Validates IP addresses on sessions logging in by checking IP address
      against those listed in a file (NSVTSEC.NET.SYS).

Below is a copy of the UDC file followed by a file named "NSVTSEC.NET.SYS" 
that contains a list of the networks or specific IP addresses allowed 
access to the system.   The UDC should be set as a SYSTEM UDC so that it is 
executed by users at login.

The UDCs need a LOG group in the SYS account; if one doesn't exist, they 
will create a LOG group and a circular log file the next time MANAGER.SYS 
logs in.  Thus, after you create the NSVTSEC file and SETCATALOG, you 
should log on as MANAGER.SYS.  If you don't log in as MANAGER.SYS, the UDC 
will send an informatory message to the console at each login telling you 
that it isn't able to log the login information.

The log file created is named LOGIPADR.LOG.SYS.  When the UDCs reject a 
login because its IP address isn't allowed (doesn't exist in the 
NSVTSEC.NET.SYS file), the record written to LOGIPADR contains the text 
{IP_Rejected}.  If you log in from the system console or another serial 
device, the log record contains the text {No_IP_Addr}.

The console messages sent by the UDC contain IP address and other 
information, as available.  By examining the variables defined at login, 
the UDC determines whether the network login was via NS-VT or Telnet.

Enjoy!

John


logoniptest
option logon,nobreak,nolist,nohelp
setvar HPsysName "Tron"
comment   LogonIP    1.10.05    3/26/02 JPK
comment
comment   Created 12/15/97 by John P. Korb
comment
comment   This UDC checks the user's IP address against a list
comment   of trusted networks kept in the file NSVTSEC.NET.SYS.
comment   The LogonIPTest UDC also sets the HPPATH variable.
comment
setvar SaveMsgFence HPMsgFence
setvar HPMsgFence 1
setvar  true  1
setvar  false 0
setvar  validip false
if hpjobtype = "S" then
    if hpremipaddr <> "" then
       if finfo("nsvtsec.net.sys","Exists") then
          if finfo("nsvtsec.net.sys","EOF") <> 0 then
             tsetpinogol 10612 <nsvtsec.net.sys
             continue
             owttsetpinogol 10612
             if bound(hpstdin_network_node)
                echo !hpintrodate !hpintrotime !hpjobtype!hpjobnum &
                   !hpldevin !hpuser.!hpaccount !hpremipaddr &
                   !hpstdin_network_node > *sss
                tellop *** NSVT Logon from !hpremipaddr device &
                   !hpstdin_network_node
             else
                echo !hpintrodate !hpintrotime !hpjobtype!hpjobnum &
                   !hpldevin !hpuser.!hpaccount !hpremipaddr > *sss
                tellop *** Telnet Login from !hpremipaddr
             endif
             reset sss
             setvar hpmsgfence savemsgfence
          endif
       else
          continue
          owttsetpinogol 10612
          if bound(hpstdin_network_node)
             echo !hpintrodate !hpintrotime !hpjobtype!hpjobnum &
                !hpldevin !hpuser.!hpaccount !hpremipaddr &
                !hpstdin_network_node {Unchecked}> *sss
             tellop *** NSVT Logon from !hpremipaddr device &
                !hpstdin_network_node
          else
             echo !hpintrodate !hpintrotime !hpjobtype!hpjobnum &
                !hpldevin !hpuser.!hpaccount !hpremipaddr &
                {Unchecked}> *sss
             tellop *** Telnet Login from !hpremipaddr
          endif
          reset sss
          tellop *** Warning: Logon IP address checks NOT in effect ***
       endif
    else
       tellop *** Non-IP logon ***
       owttsetpinogol 10612
       echo !hpintrodate !hpintrotime !hpjobtype!hpjobnum &
          !hpldevin !hpuser.!hpaccount {No_IP_Addr} > *sss
       reset sss
    endif
endif
deletevar validip,true,false
setvar HPMsgFence SaveMsgFence
comment
comment   ------ Other Logon Code Follows This Line ------
setvar HPPath "!!hpgroup,pub,pub.sys,arpa.sys,hpbin.sys"
setvar HPMsgFence 2
continue
setvar HPMsgFence SaveMsgFence
setjcw CIERROR 0
setvar hpredosize 250
file dontprnt;dev=lp,1;env=lp3hole.env.sys
setvar tz "EST5EDT"
******
tsetpinogol pass
option nobreak,nolist,nohelp
comment
comment   This UDC is called from LogonIPtest and is NOT to
comment   be invoked independently!
comment
if !pass <> 10612 then
    echo Smart people don't mess with this UDC.
    bye
endif
comment   Scan nsvtsec.net.sys to see if the user's IP is allowed.
comment   If not allowed, reject the user and BYE them off the system.
comment
setvar  record ""
setvar  blankpos 1
setvar  reclimit finfo ("nsvtsec.net.sys","EOF")
setvar  reccount 0
while reccount < reclimit and validip = false do
    input record
    if str(record,1,1) <> "#" then
       setvar  blankpos  pos(" ",record,1)
       if blankpos <> 0 then
          setvar  record  str(record,1,blankpos-1)
       endif
       if pos(record,hpremipaddr,1) = 1 then
          setvar validip true
       endif
    endif
    setvar reccount reccount+1
endwhile
if validip = false then
    file sss=logipadr.log.sys,old;acc=append;save
    if bound(hpstdin_network_node)
       echo !hpintrodate !hpintrotime !hpjobtype!hpjobnum &
          !hpldevin !hpuser.!hpaccount !hpremipaddr &
          !hpstdin_network_node {IP_Rejected} > *sss
       tellop *** Logon from !hpremipaddr device &
          !hpstdin_network_node REJECTED
    else
       echo !hpintrodate !hpintrotime !hpjobtype!hpjobnum &
          !hpldevin !hpuser.!hpaccount !hpremipaddr &
          {IP_Rejected} > *sss
       tellop *** Login from !hpremipaddr REJECTED
    endif
    reset sss
    echo No access permitted from ip !hpremipaddr
    bye
endif
deletevar reclimit,reccount,record,blankpos
******
owttsetpinogol pass
option nobreak,nolist,nohelp
comment
comment   This UDC is called from LogonIPtest and is NOT to
comment   be invoked independently!
comment
if !pass <> 10612 then
    echo Smart people don't mess with this UDC.
    bye
endif
comment   Make sure the LOG group exists, then check for the log
comment   file.
comment   For errors, notify the console of errors, then set the file
comment   equation for sss to $NULL.
comment
setvar groupexists false
setvar fileexists false
if not finfo("/SYS/LOG","exists") then
    tellop *** Warning: Logon IP address info not logged ***
    tellop *** The LOG.SYS group DOES NOT EXIST ***
    file sss=$NULL
    if hpuser="MANAGER" and hpaccount="SYS" then
       setjcw cierror = 0
       continue
       newgroup log.sys;access=(r,w,l,x,s:AC;a:ANY)
       if cierror <> 0 then
          tellop *** Attempt at Creating LOG.SYS group FAILED ***
       else
          tellop *** LOG.SYS group created ***
          setvar groupexists true
       endif
    endif
else
    setvar groupexists true
endif
if groupexists = true then
    if not finfo("logipadr.log.sys","exists") then
       if hpuser="MANAGER" and hpaccount="SYS" then
          setjcw cierror = 0
          continue
          build logipadr.log.sys;rec=-1276,1,v,ascii;cir;disc=500
          if cierror <> 0 then
             tellop *** Build of LOGIPADR.LOG.SYS FAILED ***
          else
             setjcw cierror = 0
             continue
             altsec logipadr.log.sys;newacd=(&
                w,racd:$owner,$group,$group_mask,@.@;&
                r,w,x,a,l:@.sys)
             if cierror <> 0 then
                tellop *** ALTSEC of LOGIPADR.LOG.SYS FAILED ***
                continue
                purge logipadr.log.sys
             else
                tellop *** LOGIPADR.LOG.SYS created ***
                setvar fileexists true
             endif
          endif
       endif
    else
       setvar fileexists true
    endif
    if fileexists = false then
       tellop *** Warning: Logon IP address info not logged ***
       tellop *** The file LOGIPADR.LOG.SYS DOES NOT EXIST ***
       file sss=$NULL
    else
       file sss=logipadr.log.sys,old;acc=append;save
    endif
endif
deletevar groupexists, fileexists
******



#  NSVTSEC.NET.SYS - Created by John P. Korb for use with the
#  logoniptest UDC.
#
#  This file contains (left justified) the ip addresses of those
#  networks allowed to access the system through non-FTP sessions.
#
# JPK 03/26/02 - Updated for use on TRON.
# JPK 12/15/97 - Created by John P. Korb.  Used by the logoniptest
#                UDC to restrict session access to certain IP
#                addresses or ranges of addresses.
#
10
127.0.0.1




At 2002-04-24 11:00 AM, John Clogg wrote:
>I tried Per's suggestion and it didn't work.  I was not able to see any
>HP-defined variables, only the user-defined ones.  In fact, the
>documentation confirms that this is the expected behavior.  Has this changed
>on a later release (we're on 6.5 PP2)?  Is there a patch available to enable
>this capability?
>
>-----Original Message-----
>From: Per Ostberg [mailto:[log in to unmask]]
>Sent: Wednesday, April 24, 2002 2:40 AM
>To: [log in to unmask]
>Subject: SV: Re: [HP3000-L] Hacker question
>
>
>as an addition to Wirt's suggestion of using an "option logon"-udc
>(where you have access to all session-info), there's an enhancement to
>the :SHOWVAR command, where you can specify a job/session number (as in:
>
>:showvar @;job=#S6224
>HPSTDIN_ACCESS_TYPE = NS/VT
>HPSTDIN_TERMINAL_TYPE = 0 (T_DATA_ENTRY(4))
>HPSTDIN_TRANSPORT_TYPE = TCP/IP
>HPSTDIN_NETWORK_NODE = MYPC.MYDOMAIN.SE
>HPSTDIN_NETWORK_ADDR = x.y.z.x
>HPSTDIN_LINK_ADDR = not set yet...
>HPVT_CLIENT_VENDOR = WRQ_CONNECTION_3000_FOR_WINDOWS
>HPVT_CLIENT_OPSYS = MS_DOS
>HPVT_CLIENT_MODE = STREAM_MODE
>HPVT_CLIENT_TCP_PORT = 3840
>HPVT_CLIENT_LDEV_NUM =
>HPVT_CLIENT_JOB_NUM =
>HPVT_CLIENT_JOB_NAME =
>TZ = MET-1METDST
>VSETNEXTCENTURY = 3
>)
>
>hth
>/per
>
>--------------------------------------------------
>Per Östberg  / [log in to unmask]
>tel 08-585 812 13
>mob 070-484 02 53 / fax 08-585 877 10
>LabMedicin-IT, Huddinge Universitetssjukhus
>C1 51 / 141 86  HUDDINGE
>--------------------------------------------------
>
>
> > -----Original Message-----
> > From: Richard.Barker /internet [mailto:[log in to unmask]]
> > Sent: 24 April 2002 10:50
> > To: HP3000-L /internet
> > Cc: Richard.Barker /internet
> > Subject: Re: [HP3000-L] Hacker question
> >
> >
> > Hi
> >
> > We've got someone logging on to our system as an unauthorised
> > user.  Now I
> > can easily kick them off, but I would love to know if it is someone
> > internally logging on.
> >
> > Is there anyway I can narrow down the Reflection session or
> > the IP address.
> >
> > * To join/leave the list, search archives, change list settings, *
> > * etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
> >
>
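The allow-list check and the LOGIPADR record layout that John's UDCs implement, as an added example for readers of the archive (Python, not part of his UDC file and not an MPE tool): load_allowlist() extracts entries from an NSVTSEC file the way tsetpinogol does (skip "#" lines, keep the text before the first blank); udc_match() is the same test as pos(record,hpremipaddr,1) = 1, a plain string prefix, so an entry of 10 also admits an address beginning with 100.; octet_match() is an added variant that accepts an entry only on a dotted boundary; scan_log() tallies the {IP_Rejected}, {No_IP_Addr} and {Unchecked} markers that the UDCs write. The sample NSVTSEC file, the log records and all function names are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample of an NSVTSEC.NET.SYS file (not the file from the post):
# '#' lines are comments, and only the text before the first blank on a
# line is the entry, which is exactly what tsetpinogol extracts.
NSVTSEC_SAMPLE = """\
#  NSVTSEC.NET.SYS - constructed sample for this example
10          whole 10.x.x.x network
127.0.0.1   loopback only
192.168.5   one branch subnet
"""

# Constructed sample of LOGIPADR.LOG.SYS records in the layout the UDCs
# echo: intro date/time, job type+number, ldev, user.account, remote IP,
# optional NS/VT node name, optional outcome marker in braces.
LOGIPADR_SAMPLE = """\
WED, APR 24, 2002 11:58 AM S6221 10 MANAGER.SYS 10.1.2.3 MYPC.EXAMPLE
WED, APR 24, 2002 12:01 PM S6224 11 OPERATOR.SYS 127.0.0.1
WED, APR 24, 2002 12:05 PM S6225 12 CLERK.PAYROLL 172.16.9.9 {IP_Rejected}
WED, APR 24, 2002 12:07 PM S6226 20 MANAGER.SYS {No_IP_Addr}
WED, APR 24, 2002 12:09 PM S6227 13 CLERK.PAYROLL 100.64.1.1 {Unchecked}
"""


def load_allowlist(text):
    """Return the allow-list entries as the tsetpinogol UDC reads them."""
    entries = []
    for record in text.splitlines():
        # Blank lines are skipped here by choice: an empty entry would match
        # every address under a prefix test.
        if not record or record[0] == "#":
            continue
        blankpos = record.find(" ")          # pos(" ",record,1), 0-based here
        entries.append(record if blankpos < 0 else record[:blankpos])
    return entries


def udc_match(entry, addr):
    """The UDC's test, pos(record,hpremipaddr,1) = 1: addr begins with entry."""
    return addr.startswith(entry)


def octet_match(entry, addr):
    """Added stricter test: entry must cover whole leading octets of addr."""
    return addr == entry or addr.startswith(entry.rstrip(".") + ".")


def is_allowed(addr, entries, match=udc_match):
    """True if any allow-list entry matches addr under the given test."""
    return any(match(entry, addr) for entry in entries)


MARKER_RE = re.compile(r"\{(\w+)\}")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def scan_log(text):
    """Tally LOGIPADR records by outcome and list the rejected addresses."""
    outcomes = Counter()
    rejected = []
    for line in text.splitlines():
        if not line.strip():
            continue
        marker = MARKER_RE.search(line)
        outcome = marker.group(1) if marker else "Accepted"
        outcomes[outcome] += 1
        if outcome == "IP_Rejected":
            ip = IPV4_RE.search(line)
            rejected.append(ip.group(0) if ip else "?")
    return dict(outcomes), rejected


if __name__ == "__main__":
    entries = load_allowlist(NSVTSEC_SAMPLE)
    for addr in ("10.1.2.3", "100.64.1.1", "192.168.50.7"):
        print(addr, "udc:", is_allowed(addr, entries),
              "octet:", is_allowed(addr, entries, octet_match))
    print(scan_log(LOGIPADR_SAMPLE))
```

When maintaining an NSVTSEC-style list, the practical consequence is that a short entry such as 10 should be read as "any address whose text starts with 10", not "the 10.0.0.0/8 network"; writing entries with their trailing dot (10.) keeps the UDC's own prefix test on an octet boundary without changing the UDC.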