
Conference lassie::ucx

Title:DEC TCP/IP Services for OpenVMS
Notice:Note 2-SSB Kits, 3-FT Kits, 4-Patch Info, 7-QAR System
Moderator:ucxaxp.ucx.lkg.dec.com::TIBBERT
Created:Thu Nov 17 1994
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:5568
Total number of notes:21492

5369.0. "Wrong information registered in intrusion database" by KETJE::STAES (Topless = No brains at all) Fri Mar 21 1997 08:12

It seems that TELNET updates the intrusion database with the name of the
TARGET USER instead of the name of the SOURCE USER.

I did the following tests using a $ SET HOST/TELNET command.

(1) In the first example I entered a nonexistent USERNAME/PASSWORD
    combination.  This was registered with source = IP address of the node
    from which the attempt was made.

    Intrusion       Type       Count        Expiration         Source
       TERMINAL     SUSPECT       1   21-MAR-1997 14:05:51.59  16.183.0.209:

(2) In the second example I used a valid username but invalid password
    for an existing account on the remote node.  This was registered using
    the username of the target user as source.

    Intrusion       Type       Count        Expiration         Source
       USERNAME     SUSPECT       1   21-MAR-1997 14:02:16.02  STEUKERS


I believe that the name of the TELNET user is not sent over to the target
host.  Although unhappy with this I have to accept it.  What I cannot
accept is that the intrusion database gets updated with the name of the
target user.

The above tests were done using UCX 4.1 and VMS 6.2, both on target and
remote node.  The SYSGEN LGI_BRK_TERM parameter was set to 0 on the target
node.

Can this be fixed?
Nand.
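Added example, not part of the note and not DEC's UCX or LOGINOUT code: a small Python audit that parses SHOW INTRUSION output of the shape quoted above and flags USERNAME-class records whose Source names no remote origin at all, which is the misattribution the note describes. The sample text is constructed from the two records in the note plus one assumed NODE::-style record for contrast; the column layout and the node::user source form are assumptions.

```python
import ipaddress
import re

# Constructed sample: the first two records are copied from the note above,
# the third is an assumed record with a node::user style source, added only
# so that a correctly attributed USERNAME entry appears for contrast.
SAMPLE_SHOW_INTRUSION = """\
    Intrusion       Type       Count        Expiration         Source
       TERMINAL     SUSPECT       1   21-MAR-1997 14:05:51.59  16.183.0.209:
       USERNAME     SUSPECT       1   21-MAR-1997 14:02:16.02  STEUKERS
       USERNAME     SUSPECT       2   21-MAR-1997 14:07:30.10  16.183.0.209::
"""

# One record per line: class, type, count, date, time, then the Source column.
RECORD_RE = re.compile(
    r"^\s*(?P<intrusion>\S+)\s+(?P<type>\S+)\s+(?P<count>\d+)\s+"
    r"(?P<date>\d{1,2}-[A-Z]{3}-\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<source>\S.*?)\s*$"
)


def parse_show_intrusion(text):
    """Return the data rows of a SHOW INTRUSION listing as dicts.
    The header row does not match because its Count column is not numeric."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            records.append(rec)
    return records


def has_network_origin(source):
    """True if Source names a remote origin: an IP address (with or without
    trailing colons, as in '16.183.0.209:') or anything with a NODE:: prefix."""
    head = source.rstrip(":").split("::", 1)[0]
    try:
        ipaddress.ip_address(head)
        return True
    except ValueError:
        return "::" in source


def misattributed_records(records):
    """USERNAME-class entries whose Source is a bare account name: the local
    target user has been recorded as the source of someone else's failed login,
    so the real origin is lost and that account may end up locked out."""
    return [r for r in records
            if r["intrusion"] == "USERNAME" and not has_network_origin(r["source"])]
```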
5369.1. by LASSIE::GEMIGNANI Fri Mar 21 1997 15:13

    It would seem that LOGINOUT is the component responsible for logging
    the intrusion attempt.  What can TELNET do to provide more information
    to LOGINOUT about the connection?
5369.2. "Who is updating the intrusion db?" by KETJE::STAES (Topless = No brains at all) Mon Mar 24 1997 03:13

Not having access to the source code, I presumed that TELNET was updating the
intrusion databases itself via the $SCAN_INTRUSION and $DELETE_INTRUSION
services. 

Reading .1 I now tend to believe TELNET informs LOGINOUT, but in a wrong way.

I would expect to see something like {Unknown} or {NONAME} being recorded as
remote user information.  Not the name of a - probably innocent - local user.  
5369.3. "Continued in VMSnotes conference note # 418" by KETJE::STAES (Topless = No brains at all) Fri Apr 04 1997 03:53