Rich,
Have you looked at the host server, telnet, ftp and rexec exit points? The
Telnet initialization exit point will only provide attempts when a user
first connects. So, if the attempts are from a green screen you will have to
look for PW entries in QAUDJRN. QJORDJE5 record format (*TYPE5) will
provide the remote address associated with the journal entry. The Telnet
termination exit point will only fire when the connection is ended.
See
http://publib.boulder.ibm.com/infocenter/systems/scope/i5os/topic/rzaiq/rzai
qreferenceexit.htm?tocNode=int_103991
for the TCP/IP entry parameter layouts.
See
http://publib.boulder.ibm.com/infocenter/systems/scope/i5os/topic/rzaii/rzai
imst35.htm?tocNode=int_112294
for the Host server entry parameters.
-----Original Message-----
date: Tue, 25 Nov 2008 12:02:13 -0500
from: Rich Herdman <rherdman@xxxxxxxxx>
subject: trapping source of invalid login attempts
Does any information like source IP, etc get logged in the system
security journals when a user attempts a login and fails? We have one
of our user profiles that is getting disabled every morning on one of
our partitions and we are having trouble tracking down who/what/where
these attempts are coming from.
All of our iSeries are behind our firewall and the account in question
has been used for program-to-program automation for many years
(interactive use is disabled), so we assume there is an older version of
a program out there trying to connect with an old password (which are
changed regularly).
Any suggestions?
Rich Herdman
Sysco
midrange.com
