VMS - Logging and Restriction

Under VMS , Multinet may be configured to log and restrict access to certain services.

To configure logging in Multinet, execute

$ multinet config/server
Logging for each service is enabled separately; services may share a common logfile or have individual ones. Logging of rejected attempts and successful attempts may be enabled separately. Service may be restricted by subnet or by host. A typical editing session is as follows:
$ multinet config/server
SERVER-CONFIG>  select netstat
set log-file multinet:netstat.log
set log-rejects true
SET REJECT-BY-DEFAULT true
set REJECT-MESSAGE "You are not authorized to do this."
SET ACCEPT-NETS
142.90.0.0

select systat
set log-file multinet:netstat.log
set log-rejects true
SET REJECT-BY-DEFAULT true
set REJECT-MESSAGE "You are not authorized to do this."
SET ACCEPT-NETS
142.90.0.0

select telnet
set log-file multinet:telnet.log
set log-rejects true
set log-accepts true

disable chargen

select  RPCPORTMAP
SET REJECT-BY-DEFAULT true
set log-file multinet:rpc.log
SET ACCEPT-NETS
142.90.0.0
127.0.0.1


show/full netstat
restart
exit

NETSTAT, SYSTAT and FINGER give out system information and lists of other machines.
CHARGEN is a character generator and generates a continuous stream of data. There have been reports of people using it to set up web pages which will crash browsing machines.
RSHELL, REXEC, RLOGIN allow remote login, potentially without a password, and remote execution of programs.
RPC* services allow remote procedure calls, and are used by NFS mount and many data acquisition and controls programs. One might consider restricting these to authorized subnets. 127.0.0.1 (localhost) seems to be required by e.g. the CAMP server.
SMTP is an Internet mail server. These have been used to relay junk mail
POP* are mail retrieval servers for PCs
PCNFSD is an NFS-like server for PCs
NNTP is Usenet News

See also

Up to Security Page

A.Daviel