× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. SECURITY400
  3. May 2007

Re: Finding IP address of Failed Login Attempt

I also see a few PW audit records without any value for the Remote
Address
field. Perhaps some of these other fields will help you determine what
is
going on. The complete list of violation types can be found in Appendix
F
of the Security Reference manual.
Apparently nothing that hits port 636 has any details recorded. Why
anything would be hitting the LDAP server, which isn't even running, is
beyond me. I now have two two users showing up every two seconds for
failed signon attempts--while their 5250 sessions are up, running and
logged in! Neither of the two is configured to use Kerberos in Ops
Navigator or the 5250 session.

Seq Field Text
10 PWTSTP Timestamp of entry
Yep, I can see the entries every two seconds.

20 PWRADR Remote address
Completely blank whenever the remote port is 636.

30 PWTYPE P-Pwd, U-User name, A-APPC, D-DST user, E-
Two Ps, followed by thousands of Qs, that all makes sense.

40 PWJOB Name of job
QTVDEVICE, but its joblog has no further info.....

50 PWUSER Name of user
QTCP, no help there......

60 PWNBR Number of job
Used with PWJOB above to look at a non-useful joblog...

70 PWPGM Name of program
QCMD, no help there....

80 PWUSPF User profile
QTCP, no help there....

90 PWRPORT Remote port
All to port 636.....

100 PWDEVN Device name
Completely blank for port 636 entries.....

I've gone field by field through the entire output of CPYAUDJRNE and
nothing helps for the entires where the port=636. Everything is either
blank or leads to a job log with no details. I guess we'll move the box
with ETHEREAL to the switch with the iSeries. Traffic on port 636 should
stand out like a sore thumb.


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.