|
If you create QSYSMSGit gets copies of messages that IBM considers to be serious (there's a list of what all in the WORK manual) which includes work station addresses varied off for security reasons ... we had one last week varied off automatically because someone tried to hack in using TELNET. What's interesting to me is that it apparently came in over a phone line that we lease the bandwidth from ma bell ... we should be the only people using that bandwidth. In other words, they had to hack ma bell (or be an insider) before getting to us.
There's a way to have some program monitor messages going into QSYSOPR QSYSMSG and other places, and if it is a real serious message, like security violation, send copy of that message some place else.
I have got DSPMSG QSYSMSG sitting on a menu of stuff I check regularly, along with WRKPRB, check on communication lines, and other fragile things. There's also QCFGMSGQ getting copies of all the messages about hardware connection hassles, and printer "error" messages.
Also check on what happens when someone forgets their password or tries to break in ... our settings are to disable the address they were trying to use. Also check how many devices can be added before you hit ceiling. There's a system value on this. Basically if someone tries to break in, and you have auto config on, it will create an address for the hacker, hit the ceiling on password tries, then create another address to use, until hitting the ceiling on how many additional addresses allowed, which could be a LOT.
Al Mac
I'm not sure, but the messages might show up in the history log. Most things that go to QSYSOPR end up in the log. You'd need to find out which message IDs to look for - if you don't know, you could DSPMSGD *ALL of QCPFMSG to *PRINT and then scan through it for the word "varied" or "vary". HTH Vern you wrote: >Browsing through the archives, I even found a post I sent that said a >device varied off by invalid signon would not automatically vary back on >when a PC5250 telnet session tried to use it. > >I'm trying to find the devices that are varied off due to inactivity vs >those varied off by users. Is there a flag somewhere that we can get to? > >The plan is to delete varied off devices (another archive post covers >this method as well) but I do not want to delete a device that was >varied off by a user. The theory is that someone tried to hack in on >that device, so it should remain intact and varied off. > >We just want to clean up the mess in an automated fashion without >increasing our security risk. We're up to about 2000 users in 148 >locations, so the days of "just trust them" are long gone. > >Thanks, all. >-- >Sean Porterfield >-- >Before posting, please take a moment to review the archives >at http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
