
Using Intrusion Detection Mechanisms  



This section describes how to set up intrusion detection and evasion and how to display the intrusion database.

Controlling the Number of Retries on Dialups

You can control the number of login attempts the user is allowed through a dialup line. If the user makes a typing mistake after obtaining the connection, the user does not automatically lose the connection. This option is useful for authorized users, while still restricting the number of unauthorized attempts.

To implement control of retries, use the following two LGI system parameters: LGI_RETRY_TMO and LGI_RETRY_LIM. If you do not change the values of these system parameters, the default values allow the users three retries with a 20-second interval between each.

Keep in mind that controlling dialup retries is only a part of an overall security program and is not, in itself, sufficient to avoid break-ins. An obstacle like redialing is not going to prove an effective deterrent to a persistent intruder.

Discouraging Break-In Attempts Further

The OpenVMS operating system offers additional methods of discouraging break-in attempts. These methods also use system parameters in the LGI category.

| Parameter | Description |
|---|---|
| LGI_BRK_LIM | Defines a threshold count for login failures. When the count of login failures exceeds the LGI_BRK_LIM value within a reasonable time interval, the system assumes that a break-in is in progress. |
| LGI_BRK_TERM | Controls the association of terminals and user names for counting failures. |
| LGI_BRK_TMO | Controls the time period in which login failures are detected and recorded. |
| LGI_HID_TIM | Controls the duration of the evasive action. |
| LGI_BRK_DISUSER | Makes the effects of intrusion detection more severe. If you set this parameter to 1, the OpenVMS operating system sets the DISUSER flag in the UAF record for the account where the break-in was attempted. Thus, that user name is disabled until you manually intervene. |

Refer to the HP OpenVMS Guide to System Security for a full description of these parameters.

Displaying the Intrusion Database

The Security Server process, which is created as part of normal operating system startup, performs the following tasks:

The intrusion database keeps track of failed login attempts. This information is scanned during process login to determine if the system should take restrictive measures to prevent access to the system by a suspected intruder.

Use the DCL command SHOW INTRUSION to display the contents of the intrusion database. Use the DCL command DELETE/INTRUSION_RECORD to remove entries from the intrusion database.

The network proxy database file (NET$PROXY.DAT) is used during network connection processing to determine if a specific remote user may access a local account without using a password. The information contained in this database is managed by the Authorize utility.

The following example shows the expanded expiration time field in the new SHOW INTRUSION output.

$ SHOW INTRUSION
Intrusion       Type       Count        Expiration         Source
   NETWORK      SUSPECT       1   21-MAY-2000 12:41:01.07  DEC:.ZKO.TIDY::SYSTEM
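
The following is an added example, not part of the HP manual: a small Python parser for SHOW INTRUSION output in the format shown above, which lists the entries still unexpired at a given review time. It assumes INTRUDER as the other value of the Type column; the second and third sample rows, the review time, and all function names are constructed for illustration.

```python
import re
from datetime import datetime
from typing import NamedTuple

MONTHS = {m: i for i, m in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split(), 1)}

# Data row: intrusion class, type, count, "DD-MON-YYYY HH:MM:SS.cc", source.
ROW = re.compile(
    r"^\s*(?P<kind>\S+)\s+(?P<type>\S+)\s+(?P<count>\d+)\s+"
    r"(?P<exp>\d{1,2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{2})\s+"
    r"(?P<source>\S.*?)\s*$")

class IntrusionRecord(NamedTuple):
    kind: str
    type: str
    count: int
    expiration: datetime
    source: str

def vms_time(stamp):
    """Convert an OpenVMS absolute time (hundredths of a second) to datetime."""
    day, mon, rest = stamp.split("-", 2)
    return datetime.strptime(f"{day}-{MONTHS[mon]:02d}-{rest}",
                             "%d-%m-%Y %H:%M:%S.%f")

def parse_show_intrusion(text):
    """Return one record per data row; prompt, header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m["exp"].split("-")[1] in MONTHS:
            records.append(IntrusionRecord(m["kind"], m["type"], int(m["count"]),
                                           vms_time(m["exp"]), m["source"]))
    return records

def still_active(records, now):
    """Entries not yet expired at `now`, INTRUDER rows first, then by count."""
    live = [r for r in records if r.expiration > now]
    return sorted(live, key=lambda r: (r.type != "INTRUDER", -r.count))

# First data row is the page's own output; the other two rows are constructed.
SAMPLE = """\
$ SHOW INTRUSION
Intrusion       Type       Count        Expiration         Source
   NETWORK      SUSPECT       1   21-MAY-2000 12:41:01.07  DEC:.ZKO.TIDY::SYSTEM
   NETWORK      INTRUDER      7   21-MAY-2000 12:55:30.12  NODEA::GUEST
   NETWORK      SUSPECT       2   21-MAY-2000 12:30:00.00  NODEB::JSMITH
"""
NOW = datetime(2000, 5, 21, 12, 40, 0)  # constructed review time

if __name__ == "__main__":
    for r in still_active(parse_show_intrusion(SAMPLE), NOW):
        print(f"{r.type:<9}{r.count:>3}  expires {r.expiration}  {r.source}")
```

Entries that have already expired are dropped from the review list, so the output reflects only sources the system is still tracking at the chosen time.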
