Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

AS/400 Security

144 views
Skip to first unread message

Seve

unread,
Jun 26, 1998, 3:00:00 AM6/26/98
to

I've been given a project to capture invalid sign-on attempts and produce a
report of where the sign-on attempt was made and the user profile used.

Normally I would normally use the security audit journal, however, we are
using TN5250 to connect to an AS/400 running V3R7M0 and we can't tie a
device description (QPADEVxxx) to an IP address. The journal doesn't
capture IP Addresses, which means I can't track down the PC where the
voilation occured, only the QPADEVxx device, which could have been picked
up any where in the country.

I know the API I need to use to retreive the IP address, but there is no
point in adding a routing entry to the subsystem as the routing step only
occurs once the user has successfully signed-on. I need to capture any
invalid attempt and where it occured.

Has anyone got any ideas?

Thanks

Steve

Greg Leister

unread,
Jun 26, 1998, 3:00:00 AM6/26/98
to

There should be an exit program you can write. If you do a wrkreginf it
will show you exit points and allow you to apply exit programs. I beleive
your version has an exit point for telnet if that is what your tn5250
application is using. QIBM_QZSO_SIGNONSRV is the exit point for tcp signon
to the server. You application may use it or may not. client access does
for it's 5250 application.


Seve <fr...@x.com> wrote in article <6mvom6$n8d$1...@flex.london.pipex.net>...

Ed Bowen

unread,
Jun 26, 1998, 3:00:00 AM6/26/98
to

You can do a DSPUSRPRF *ALL *BASIC into an outfile and one of the pieces
of info will be number of invalid sign on attemps. Might be a place to
start


Greg Leister <glei...@ptd.net> wrote in article
<01bda0ef$e92fe520$4d00...@gleister.ptdprolog.net>...

Guillermo

unread,
Jun 26, 1998, 3:00:00 AM6/26/98
to

Steve:

Why don't you try the "named-devices" of TN5250? Pls take into the account
that you won't be 100% sure if the invalid attempt came from the intented IP
( someone could have changed the ws profile ). Pls do a search on previous
posting that describes the how-to ( originally it was intented to run on
V4R2 but I think that there are PTF's for V4R1 )

hth

Guillermo


Patrick Townsend

unread,
Jun 26, 1998, 3:00:00 AM6/26/98
to Seve

Steve,

Our Telnet security product will keep an audit log of access attempts.
It captures the IP address and other information. You can get more
information on our web site:

http://www.patownsend.com

Hope this helps!
Patrick

Seve wrote:
>
> I've been given a project to capture invalid sign-on attempts and produce a
> report of where the sign-on attempt was made and the user profile used.
>
> Normally I would normally use the security audit journal, however, we are
> using TN5250 to connect to an AS/400 running V3R7M0 and we can't tie a
> device description (QPADEVxxx) to an IP address. The journal doesn't
> capture IP Addresses, which means I can't track down the PC where the
> voilation occured, only the QPADEVxx device, which could have been picked
> up any where in the country.
>
> I know the API I need to use to retreive the IP address, but there is no
> point in adding a routing entry to the subsystem as the routing step only
> occurs once the user has successfully signed-on. I need to capture any
> invalid attempt and where it occured.
>
> Has anyone got any ideas?
>
> Thanks
>
> Steve

--

Patrick Townsend mailto:town...@patownsend.com
Patrick Townsend & Associates, Inc. http://www.patownsend.com

Paul Culin

unread,
Jun 27, 1998, 3:00:00 AM6/27/98
to

We track all access and invalid sign-on attempts with a package from
PentaSafe. It has the reporting you're looking for. I think you can still
get a demo from their website.

Paul
Seve wrote in message <6mvom6$n8d$1...@flex.london.pipex.net>...

Richard Knechtel

unread,
Jun 29, 1998, 3:00:00 AM6/29/98
to

Seve wrote:
>
> I've been given a project to capture invalid sign-on attempts and >produce a report of where the sign-on attempt was made and the user >profile used.
>
> Normally I would normally use the security audit journal, however, we >are using TN5250 to connect to an AS/400 running V3R7M0 and we can't tie >a device description (QPADEVxxx) to an IP address. The journal doesn't
> capture IP Addresses, which means I can't track down the PC where the
> voilation occured, only the QPADEVxx device, which could have been >picked up any where in the country.
>
> I know the API I need to use to retreive the IP address, but there is >no point in adding a routing entry to the subsystem as the routing step >only occurs once the user has successfully signed-on. I need to capture >any invalid attempt and where it occured.
>
> Has anyone got any ideas?
>
> Thanks
>
> Steve

Well I looked at a prodcut called Patrol/400 it does TONS of reports and
yo can define your own as well. The people showed me how to set it up to
monitor pasthrough's as well. (since we have people passing through our
system using STRPASTHR alot).

They are at:
http://www.bancaudit.com

--

Richard Knechtel
richard .dot knechtel @at eds .dot com
EDS
(Systems Engineer/System Administrator)
(Aspiring AS/400 GURU)
(Aspiring Linux GURU)
(Aspiring Visual Basic Programmer)

The contents of this message express only MY opinion.
This message does not necessarily reflect the policy or views of
my employer, EDS. All responsibility for the statements
made in this posting resides solely and completely with the
ME.
I Ex-Spaminate spammers!
See US Code Title 47, Sec.227(a)(2)(B), Sec.227(b)(1)(C)
and Sec.227(b)(3)(C).

Ed Bowen

unread,
Jun 29, 1998, 3:00:00 AM6/29/98
to

You can do a DSPUSRPRF *ALL *BASIC into an outfile and one of the pieces
of info will be number of invalid sign on attemps. Might be a place to
start

Richard Knechtel <richard....@eds.com> wrote in article
<3597AE...@eds.com>...

John Earl

unread,
Jun 30, 1998, 3:00:00 AM6/30/98
to

On Sat, 27 Jun 1998 01:45:25 -0500, "Paul Culin"
<pcu...@email.msn.com> wrote:

>We track all access and invalid sign-on attempts with a package from
>PentaSafe. It has the reporting you're looking for. I think you can still
>get a demo from their website.
>
>Paul


Golly Paul, don't you still work for PentaSafe ? I would hope you
use your own product for tracking.

jte

>Seve wrote in message <6mvom6$n8d$1...@flex.london.pipex.net>...

>>I've been given a project to capture invalid sign-on attempts and produce a
>>report of where the sign-on attempt was made and the user profile used.
>>
>>Normally I would normally use the security audit journal, however, we are
>>using TN5250 to connect to an AS/400 running V3R7M0 and we can't tie a
>>device description (QPADEVxxx) to an IP address. The journal doesn't
>>capture IP Addresses, which means I can't track down the PC where the
>>voilation occured, only the QPADEVxx device, which could have been picked
>>up any where in the country.
>>
>>I know the API I need to use to retreive the IP address, but there is no
>>point in adding a routing entry to the subsystem as the routing step only
>>occurs once the user has successfully signed-on. I need to capture any
>>invalid attempt and where it occured.
>>
>>Has anyone got any ideas?
>>
>>Thanks
>>
>>Steve
>>
>>
>
>

John Earl The 400 School
253-858-7388 Gig Harbor, WA USA
www.lns400.com johne_at_400school_dot_com

0 new messages