On Jul 8, 2009, at 11:15 AM, David Boyes wrote:
Simple answer: put a Linux guest in front of the VM TCP stack with
the old address as the external address, renumber the VM stack to an
RFC1918 address on an internal guest LAN, and enable IP Masquerade
in iptables. That gets you all sorts of useful info, and lets you
shut them down cold. Add one of the IDS toolkits, and you can
clobber the twerps network-wide.
-----Original Message-----
From: The IBM z/VM Operating System [mailto:[email protected]] On Behalf Of Jim Bohnsack
Sent: Wednesday, July 08, 2009 11:02 AM
To: [email protected]
Subject: PERFSVM question
We saw a bunch of logon attempts a night ago to userid ADMINIST,
which I do not have defined in the directory. There were about 2,500
over the course of 2 hours. They were apparently not coming in thru
an emulator, so that pretty much leaves the web interface to
Performance Toolkit. Is there any way I can control that interface?
How can I get the IP address?
IBM used to have, internally, a mod that would double the amount of
time between each unsuccessful logon attempt to a particular userid.
Something like that would do the job.
Are you running an FTP server?
I saw an attack on a system using that userid (well, "Administrator")
coming in via FTP a few weeks ago.
Adam
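
The per-userid delay doubling that Jim Bohnsack describes in the quoted message, as an added example (not code from the thread, from IBM, or from z/VM). The class name, the 1-second base delay, the 1-hour cap and the 3-second attempt spacing in the replay are assumptions.

```python
import time


class LogonThrottle:
    """Doubles the enforced wait after each failed logon to the same userid."""

    def __init__(self, base_delay=1.0, max_delay=3600.0, clock=time.monotonic):
        self.base_delay = base_delay  # assumed: wait after the first failure (s)
        self.max_delay = max_delay    # assumed: cap so the wait stays bounded
        self.clock = clock            # injectable so recorded attempts can be replayed
        self._state = {}              # userid -> (failures, not_before)

    def delay_for(self, failures):
        """Wait imposed after the Nth consecutive failure."""
        if failures <= 0:
            return 0.0
        return min(self.base_delay * 2 ** min(failures - 1, 32), self.max_delay)

    def wait_remaining(self, userid):
        """Seconds until this userid may be tried again; 0.0 means go ahead."""
        _, not_before = self._state.get(userid.upper(), (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record_failure(self, userid):
        # Keyed on the name presented, so undefined userids are throttled too.
        key = userid.upper()
        failures = self._state.get(key, (0, 0.0))[0] + 1
        self._state[key] = (failures, self.clock() + self.delay_for(failures))
        return self.delay_for(failures)

    def record_success(self, userid):
        self._state.pop(userid.upper(), None)


def replay(attempt_times, userid):
    """Replay failed attempts at the given times; return how many were evaluated."""
    now = [0.0]
    throttle = LogonThrottle(clock=lambda: now[0])
    evaluated = 0
    for t in attempt_times:
        now[0] = t
        if throttle.wait_remaining(userid) == 0.0:
            evaluated += 1  # attempt reaches the password check and fails
            throttle.record_failure(userid)
        # otherwise the attempt is rejected before any password check
    return evaluated


if __name__ == "__main__":
    # Constructed input: 2,500 attempts, one every 3 s, all against ADMINIST.
    print(replay([3.0 * i for i in range(2500)], "ADMINIST"))
```

Attempts rejected while the wait is running do not extend it here; counting them as failures as well would be a stricter variant.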