|
|
Informational Display During Login
This section describes how you can control the display ofvarious pieces of information that appear by default at login time,such as announcement, welcome, last login, and new mail messages.So that you can understand the effect of login restrictions, italso describes how the operating system processes the login fieldsof the system user authorization file (SYSUAF.DAT). In addition,this section describes the use of the secure server and how to setup intrusion detection.
Announcement Message
To provide an announcement message on your system, definethe system logical name SYS$ANNOUNCE in the site-specific startupcommand procedure SYS$MANAGER:SYSTARTUP_VMS.COM. The HPOpenVMS System Manager's Manual describes how to dothis. The announcement message appears at login.
The definition you provide here affects all users on the system.Because this message may provide a clue to the identity of the operatingsystem, you may decide not to display it.
Welcome Message
Similar to the announcement message, the welcome message iscontrolled through a system logical name, SYS$WELCOME. If you donot define SYS$WELCOME, a standard welcome message is provided forall users. This welcome message reveals the operating system andversion number, as well as the node if SYS$NODE is defined.
To define another message for SYS$WELCOME, you can createa text file containing the message. To display the contents of thisfile, use the following line in SYSTARTUP_VMS.COM:
To disable the welcome message, place the following DCL commandin SYS$MANAGER:SYSTARTUP_VMS.COM. This command prints a blank linein place of the standard welcome message.$
DEFINE/SYSTEM SYS$WELCOME "@SYS$MANAGER:WELCOME.TXT"
If you prefer to selectively disable the message for individualusers, you can use the AUTHORIZE qualifier /FLAGS=DISWELCOME onindividual UAF records.$
DEFINE/SYSTEM SYS$WELCOME " "
Last Login Messages
By default, the system displays three messages that provideinformation about the last logins and the number of failed loginattempts (see Reading Informational Messages"ReadingInformational Messages" on page 45 ). You canselectively disable the appearance of these three messages. Enter theAUTHORIZE qualifier /FLAGS=DISREPORT for specific users.
New Mail Announcements
By default, the system tells users the number of new mailmessages when they log in. You can prevent users from receivingthis notice by specifying the AUTHORIZE qualifier /FLAGS=DISNEWMAIL.
The new mail announcement is primarily a user convenience,not a security issue. If a user with a restricted account cannotinvoke the Mail utility (MAIL), then you might want to disable thenew mail message at the same time you prohibit mail access. Thefollowing AUTHORIZE qualifier accomplishes both tasks: /FLAGS=(DISMAIL,DISNEWMAIL)
Limiting Disconnected Processes
Virtual terminals let users maintain more than one disconnectedprocess at a time. Virtual terminals are also required by the secureserver feature (see Using the Secure Server).You may want to restrict the use of virtual terminals. For example,if you are concerned about the amount of nonpaged pool, you maynot want to enable this feature on a systemwide basis.
Virtual terminals can be disabled at the terminal, user, orsystem level:
You can also set the amount of time allowed for reconnectionto less than the default of 15 minutes with the system parameterTTY_TIMEOUT. A process that remains disconnected for longer thanthe timeout value is automatically logged out by the system. Limitingthe connection time tends to minimize the number of users who receivemessages, but it also affects the usefulness of the connection feature.
For more information on setting up and reconnecting to virtualterminals, refer to the HP OpenVMS System Manager's Manual.
Providing Automatic Login
You can assign accounts to particular terminals to enablean automatic login feature (see Automatic Login Accounts). This feature permitsusers to log in without specifying a user name. The operating system associatesthe user name with the terminal (or terminal server port) and maintainsthese assignments in the file SYS$SYSTEM:SYSALF.DAT, referred toas the automatic login file or the ALFfile. Maintain this file with the following System Managementutility (SYSMAN) commands:
Task | Command | Example |
---|---|---|
Adding terminal/user nameassociation | ALF ADD | ALF ADD TTA5 RENOLDS |
Adding terminal server/username association | ALF ADD/PORT | "M34C3/LC-1-2" RENOLDS |
Displayingrecords in ALF file | ALF SHOW | ALF SHOW TTA5 ALF SHOW /USERNAME=PONTRE |
Removing terminal/user nameassociation | ALF REMOVE | ALF REMOVE TTA3 ALF REMOVE /USERNAME=DOUGLAS |
The ALF file consists of one record for each terminal on whichautomatic logins are enabled. Each record consists of two fields:the device name or terminal server port name of the terminal, followedby the user name of an account. The device names must be uniquewithin the file. However, the same user name can occur in any numberof records; that is, one account can be automatically logged into an unlimited number of terminals.
The ALF file is an indexed file that does not need to be purged,but it should be backed up after a modification.
Using the Secure Server
Guidelines for Protecting Your Password"Guidelinesfor Protecting Your Password" on page 53 describespassword grabbers as a class of programs designed to steal passwordsfrom unsuspecting users who log in to terminals left on. The operatingsystem provides a secure terminal server that stops any currentlyexecuting process before the start of a login at that terminal.
Invoke the secure server separately for each terminal withthe following DCL command: SET TERMINAL/PERMANENT/SECURE/DISCONNECT term-id
The user must then press the Break key followed by the Returnkey to start a login. The login proceeds as usual.
If you apply the secure server to all terminals, you can makethe login procedure consistent throughout the site by putting theSET TERMINAL commands in the site-specific startup command procedure. However, certainapplications that may use the terminal as a communications lineneed to use the Break key for their own purposes, which would beincompatible with the secure terminal server.
The secure terminal server feature is also incompatible withautobaud handling. However, because autobaud handling is necessaryonly on modem terminals (switched and dialup terminals), the modemhandling on such terminals performs the equivalent of secure serverfunctions. For secure operation, set up the terminal characteristicsas follows:
Specifythe /DIALUP qualifier if the terminal port is accessible througha telephone line or the equivalent, regardless of the path (directmodem, data switch, terminal server, or public data network).
Always specify the /DISCONNECT qualifier to guard againstpassword grabbers. To prevent disconnected jobs from filling upyour system, set the system parameter TTY_TIMEOUT to a low timeoutvalue, which determines when disconnected processes are deleted.
If you decide to apply the secure server to individual terminals,include directly wired terminals located in public areas or remote,unsecured areas. Terminals never used for local or dialup loginsare not subject to this security problem. Terminals closely supervisedduring logins may also not require this measure.
Detecting Intruders
Occasionally people fail to log in correctly because theyenter an expired password or make a typing error. But not all failuresare benign: some occur because an unauthorized person is tryingto log in through an expired account or with an unknown user nameor is attempting to guess passwords on a valid account.
The operating system is sensitive to login failures. Afterone failure, it begins to monitor the terminal, terminal serverconnection, or network connection where the login is taking place.At first, the operating system records unsuccessful logins in anintrusion database. As failures continue, the operating system not onlyrecords failures but takes restrictive measures. The person attemptinglogin is monitored more closely and limited to a certain numberof login retries within a limited period of time. Once a personexceeds either the retry or time limitation, he or she cannot login for a while, even with a valid user name and password. At a laterpoint, the restriction eases, and login is allowed once again.
Understanding the Intrusion Database
The DCL command SHOW INTRUSION displays the contents of theintrusion database; Intrusion Database Display shows asample display. The database captures the following types of informationon login failures:
Field | Description |
---|---|
Intrusion class | The general source of failure:
|
Type | Severity of login failure:
|
Count | Number of login failuresassociated with a particular source. |
Expiration | Date and time when a suspect'srecord is deleted or when an intruder is allowed another chanceto log in. When an intruder's record reaches its expiration time,it becomes a suspect, and the failure count is reset to LGI_BRK_LIM.The expiration time is reset to the old expiration plus LGI_BRK_TMO. |
Source | Origin of the login failure:
|
Whenever the system detects an intruder, it sends an auditingmessage to the security operator terminal or the log file to alertyou. Using the DCL command SHOW INTRUSION, you can display the sourceand type of intrusion. For example, Intrusion Database Display shows a problem with a user named MAPLE who islogging in over the network. The user has tried to log in 8 times.Because the user failed to log in within the monitoring period, theoperating system suspended all logins from OMNI:.BOSTON.BIRCH::MAPLE. Intrusion Example gives a more detailedexplanation of how the system decides to suspend logins.
Notice that many suspects appear in the display. Sometimesusers forget their passwords or type them incorrectly. To removean entry from the database, use the DCL command DELETE/INTRUSION_RECORD.
How Intrusion Detection Works
Once a login failure occurs, a user becomes a suspect andis monitored for further failures for a period of time. The operatingsystem tolerates only so many login failures by the suspect duringthis given period of time before it declares the source of loginfailure to be an intruder. In other words, suspects become intrudersby exceeding their allowed chances for login during the monitoringperiod.
The chance count, set by the system parameter LGI_BRK_LIM,defines how many times a person can try logging in; the standardlimit is five times. The chance parameter works in tandem with atime factor controlled by the system parameter LGI_BRK_TMO. At eachlogin failure, the suspect's monitoring period is increased by thevalue of LGI_BRK_TMO. Thus, with each failure, the suspect is monitoredfor a longer period of time.
Intrusion Example illustratesa situation where evasive action results when user George failsfive times to log in. At each failure, the monitoring period isextended by 5 minutes. On the fifth failure, the operating systemlabels George an intruder and refuses to log him in. (Notice thatthe example assumes the parameters LGI_BRK_LIM and LGI_BRK_TMO areboth set to 5.)
Setting the Exclusion Period
An intruder can be excluded temporarily or permanently, dependingon system settings:
Enabling the LGI_BRK_DISUSER parameter can have serious consequencesbecause that user name is disabled until you manually intervene.If LGI_BRK_DISUSER is enabled, a malicious user can put all known accounts,including yours, out of service in a short time. To recover, youmust log in on the system console where the SYSTEM account is alwaysallowed to log in.
System Parameters Controlling Login Attempts
Parameters for Controlling Login Attempts describesthe system parameters controlling login and intrusion detection.
Security Server Process
The Security Serverprocess, which is created as part of the normal operating systemstartup, performs the following tasks:
The system uses the intrusion database to keep track of failedlogin attempts. This information is scanned during process loginto determine if the system should take restrictive measures to preventaccess to the system by a suspected intruder. You can display thecontents of this database by issuing the DCL command SHOW INTRUSION,as shown in Intrusion Database Display.You can delete information from the database by issuing the DCLcommand DELETE/INTRUSION.
The network proxy database file (NET$PROXY.DAT) is used duringnetwork connection processing to determine if a specific remoteuser may access a local account without using a password. You canmanage the information in this database with the Authorize utility.
|
|