Unwanted Visitor/400 -- MIDRANGE-L

None of our unwanted visitors have managed to sign onto our AS/400. They show up intermittently, do a bunch of guesses, sometimes get the default workstation id they using disabled for excess password guesses. I theorize that what's going on is one of 3 possibilities:
* A legitimate user has got a flakey connection such that their user-id & password is one of the things lost in the connection effort.
* Some other company has a computer system down the IP street from us & we are getting wrong # calls by legitimate users for THEIR computer system, which would explain why certain wrong user-ids show up so often. Other OS may have different rules for user-ids that support stuff that is invalid for 400.
* There are an infinite # of would-be hackers out there, and every so often it is our turn for some of them to be knocking on our door, failing to get in, going off and trying some place else.

This has been going on for years. Until recently, management could not believe my statements that hackers were trying to sign on our 400, but now there is interest in us capturing more info on incidents to try to back track how these people are getting to our system.

Our AS/400 is not connected directly to the Internet. There's a Microsoft Server, with its firewall, between AS/400 and out there. Our guy who manages that is a true professional, who also uses excellent tech support. The Microsoft Server is simulating various controllers for the many ways people can connect to the 400, including twinax, PCs, VPN.

In GO CMDSCDE I have got DSPAUDJRNE set to run ENTTYP(PW) recent dates list daily, to an OUTQ which I check, then notify people if we have had another unwanted visitor trying to sign on.

I have got two questions about our evidence, but first to answer any of your questions why we have ancient V5R1 on model 170 is because we are on BPCS and not want to pay extortionist SSA/Infor fees to move to modern replacement hardware.

Question-1 Shouldn't 400 pull plug on intruder when they exceed number of password guesses allowed for QPADEV0003 (intruder got 3 times as many guesses as the limit) trying to sign on with invalid user name "="? At the time, other QPADEV* were varied off, and our system values & other workstation collection such that there wasn't room to add QPADEV0004. I know I need to clean up some dead work stations soon. I am somewhat disturbed by this. I had thought we were protected by ceiling on # of work stations, and ceiling on password guesses.

Previous unwanted visitors have used user names that are valid for an AS/400, but not setup on our AS/400, such as "Q3333333@". User id starts wtith letter of alphabet then can be anything, so user "=" could have tried infinte attempts but never got on, because that is not a valid user-id on any 400, is my understanding.

Question 2: Is there any way to capture information on unwanted visitors, like what IP address they used to get to our AS/400?

Years ago our system log activity was obstructionist to disk space & performance, so I stopped as much as I could, then forgot details of that area. Now I want to restart only that which can capture info on our unwanted visitors. For example, DSPLOG is not telling me IP address of visitor. I have done some tests with a nnon-existent user-id coming in various different ways to see what shows up in the log & there's nothing useful, telling me anything that could be used to back track any unwanted visitor. I use ALFAKE so that if anyone else sees something odd, they know it is my testing.
-
Al Macintyre