Locked root account, many prpasswd restarts

From: Dr. Hans Ekkehard Plesser (hans.ekkehard.plesser@nlh.no)
Date: Mon Aug 23 2004 - 11:37:07 EDT


Hi!

I am managing a GS1280 under Tru64 V5.1B PK3 with C2 security. Recently, the
following problem occurred:

1. An attacker attempted a large number of ssh-logins to the root account.
After 100 failed attempts, the account was automatically locked. I
discovered this on Friday night via a remote connection, but the lock
probably occurred a few days earlier.

2. On Monday morning, another administrator tried to log in directly on the
machine, but received a message that only console logins were permitted.

3. Monday afternoon, su from privileged user accounts to root was possible
again. In the auth.log, I found the following messages:

Aug 23 14:21:45 caspar syslog: auth_lrpc_putent: prpasswdd timeout on validated connection
Aug 23 14:21:45 caspar prpasswdd[657]: restarting after child received signal: 11
Aug 23 14:21:45 caspar prpasswdd[371322]: prpasswdd: Recovering the log: last valid LSN: file: 1 offset 966056
Aug 23 14:21:45 caspar prpasswdd[371322]: now active and servicing client requests

These messages started at 9:06, when my colleague first tried to log in on the
machine and continued every five minutes until 14:41, when the machine opened
up again for root. Since then, the message has not appeared again.

Being rather new to Tru64 administration, I wonder what the above message
wants to tell me.

Thank you in advance for your advice!
Hans
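
For triage of the messages quoted above, an added example (not part of the original post) that groups the prpasswdd "restarting after child received signal" records in auth.log into episodes, so the crash window can be compared with the period in which root logins were refused. It assumes unwrapped syslog lines; the function names and the sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes one syslog record per
# line, as written by syslogd, and that all records fall within one month.

# Constructed sample in the format quoted in the post; PIDs and the gap
# between 09:16 and 14:21 are made up to show how episodes are split.
sample_log() {
    cat <<'EOF'
Aug 23 09:06:45 caspar syslog: auth_lrpc_putent: prpasswdd timeout on validated connection
Aug 23 09:06:45 caspar prpasswdd[657]: restarting after child received signal: 11
Aug 23 09:06:45 caspar prpasswdd[371001]: now active and servicing client requests
Aug 23 09:11:45 caspar prpasswdd[657]: restarting after child received signal: 11
Aug 23 09:16:45 caspar prpasswdd[657]: restarting after child received signal: 11
Aug 23 14:21:45 caspar prpasswdd[657]: restarting after child received signal: 11
EOF
}

# restart_episodes [max_gap_seconds] < auth.log
# Groups prpasswdd child crashes into episodes and prints, per episode,
# first and last timestamp, restart count and the signals seen.
restart_episodes() {
    awk -v gap="${1:-600}" '
    function emit() {
        if (n) printf "%s -> %s restarts=%d signals=%s\n", first, last, n, sigs
        n = 0; sigs = ""
    }
    # Only the parent daemon restart notice counts; other prpasswdd lines are skipped.
    $5 ~ /^prpasswdd\[[0-9]+\]:$/ && /restarting after child received signal:/ {
        split($3, t, ":")
        now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        if (n && now - prev > gap) emit()      # quiet period: close the episode
        stamp = $1 " " $2 " " $3
        if (!n) first = stamp
        last = stamp; prev = now; n++
        sig = $NF                              # signal number is the last field
        if (index("," sigs ",", "," sig ",") == 0)
            sigs = (sigs == "") ? sig : (sigs "," sig)
    }
    END { emit() }
    '
}

sample_log | restart_episodes 600
```

Run against the real file as `restart_episodes 600 < auth.log`; a single long episode with a steady cadence points at one persistent fault rather than unrelated crashes.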


