Re: PERFSVM question

[Jim Bohnsack]

I've seen logon attacks thru FTPSERVE before and, as I remember, looking at the FTPSERVE console showed the activity.  I've seen 3 different attempts in the last couple of weeks and the FTPSERVE console doesn't show a thing. Jim Adam Thornton wrote: On Jul 8, 2009, at 11:15 AM, David Boyes wrote: Simple answer: put a Linux guest in front of the VM TCP stack with the old address as the external address, renumber the VM stack to a RFC1918 address on an internal guest lan, and enable IP Masquerade in iptables. That gets you all sorts of useful info, and lets you shut them down cold. Add one of the IDS toolkits, and you can clobber the twerps network wide. -----Original Message----- From: The IBM z/VM Operating System [mailto:IBMVM@LISTSERV.UARK.EDU] On Behalf Of Jim Bohnsack Sent: Wednesday, July 08, 2009 11:02 AM To: IBMVM@LISTSERV.UARK.EDU Subject: PERFSVM question We saw a bunch of logon attempts a night ago to userid ADMINIST which I do not have defined in the directory. There were about 2,500 over the course of 2 hours. They were apparently not coming in thru an emulator, so that pretty much leaves the web interface to Performance Toolkit. Is there any way I control that interface. How can I get the ip address? IBM used to have, internally, a mod that would double the amount of time between each unsuccessful logon attempt to a particular userid. Something like that would do the job. Are you running an FTP server? I saw an attack on a system using that userid (well, "Administrator") coming in via FTP a few weeks ago. Adam -- Jim Bohnsack Cornell University (972) 596-6377 home/office (972) 342-5823 cell jab...@cornell.edu