https://wiki.vmssoftware.com/index.php?action=history&feed=atom&title=Intrusion_databaseIntrusion database - Revision history2026-04-30T16:33:28ZRevision history for this page on the wikiMediaWiki 1.43.3https://wiki.vmssoftware.com/index.php?title=Intrusion_database&diff=179&oldid=prevDarya.zelenina: Created page with "The '''intrusion database''' is a database of login failures kept by the Security Server process. =Severity classes= After one failed login attempt, the user becomes a "..."2019-01-18T13:26:25Z<p>Created page with "The '''intrusion database''' is a database of login failures kept by the <a href="/index.php?title=Security_Server&action=edit&redlink=1" class="new" title="Security Server (page does not exist)">Security Server</a> process. =Severity classes= After one failed login attempt, the user becomes a "..."</p>
<p><b>New page</b></p><div>The '''intrusion database''' is a database of login failures kept by the [[Security Server]] process.<br />
<br />
=Severity classes=<br />
<br />
After one failed login attempt, the user becomes a "Suspect": the system begins to monitor the terminal, terminal server connection, or network connection where the login is taking place (whether failures from terminal class logins are counted by terminal is controlled by [[System parameter|LGI_BRK_TERM]]). As failures continue, the operating system not only records failures but takes restrictive measures. The person attempting login is monitored more closely and limited to a certain number of login retries within a limited period of time. Once a person exceeds either the retry or time limitation, he or she cannot log in for a while, even with a valid user name and password.<br />
At a later point, the restriction eases, and login is allowed once again.<br />
<br />
==Suspect==<br />
The suspect status is given to the user, terminal, terminal server connection, or network connection after one incorrect login attempt. It is maintained for [[System parameter|LGI_BRK_TMO]] (five minutes by default). If during that time another login attempt is failed, the monitoring period is increased by the value of [[System parameter|LGI_BRK_TMO]]. If during the monitoring period the maximum number of attempts [[System parameter|LGI_BRK_LIM]] (five by default) is exceeded, the status is changed to "Intruder".<br />
<br />
==Intruder==<br />
The user, terminal, terminal server connection, or network connection with the Intruder status is denied login during a time period equal to the value of [[System parameter|LGI_HID_TIM]] (five minutes by default) multiplied by a random value between 1 and 1.5. If [[System parameter|LGI_BRK_DISUSER]] is set to 1, the DISUSER flag is set on the account so all subsequent login attempts are prevented.<br />
<br />
=Managing the Intrusion Database=<br />
You can view the intrusion database with the SHOW INTRUSION command. This requires Security privilege.<br />
You can delete intrusion records with DELETE/INTRUSION_RECORD. <br />
<br />
=See also=<br />
* [https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c04623140| OpenVMS Guide to System Security]<br />
* [[LGI parameters]]</div>Darya.zelenina