Sybase NNTP forums - End Of Life (EOL)

The NNTP forums from Sybase - forums.sybase.com - are now closed.

All new questions should be directed to the appropriate forum at the SAP Community Network (SCN).

Individual products have links to the respective forums on SCN, or you can go to SCN and search for your product in the search box (upper right corner) to find your specific developer center.

blocking a particular IP to connect ASE

6 posts in General Discussion Last posting was on 2009-11-22 17:20:22.0Z
Manoj Posted on 2009-11-21 12:42:34.0Z
Reply-To: "Manoj" <manoj_kumar_kushwaha@yahoo.co.in>
From: "Manoj" <manoj_kumar_kushwaha@yahoo.co.in>
Newsgroups: sybase.public.ase.general
Subject: blocking a particular IP to connect ASE
Lines: 11
Organization: IBM
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.5843
X-RFC2646: Format=Flowed; Original
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Message-ID: <4b07e03a$1@forums-1-dub>
Date: 21 Nov 2009 04:42:34 -0800
X-Trace: forums-1-dub 1258807354 10.22.241.152 (21 Nov 2009 04:42:34 -0800)
X-Original-Trace: 21 Nov 2009 04:42:34 -0800, vip152.sybase.com
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:28670
Article PK: 77912

Hi,
I would like to block an IP to connect ASE. While this can be done through
login trigger, it does not seems to be foolproof. Whenever password expire,
clients for blocked IP are able to connect and after changing their
password, they are able to work normally.
Any other solution which can be implemented within ASE ?

regards
Manoj


Michael Peppler [Team Sybase] Posted on 2009-11-22 16:04:13.0Z
From: "Michael Peppler [Team Sybase]" <mpeppler@peppler.org>
Organization: Peppler Consulting SARL
Subject: Re: blocking a particular IP to connect ASE
User-Agent: Pan/0.14.2 (This is not a psychotic episode. It's a cleansing moment of clarity.)
Message-ID: <pan.2009.11.22.16.04.13.197860@peppler.org>
Newsgroups: sybase.public.ase.general
References: <4b07e03a$1@forums-1-dub>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Date: 22 Nov 2009 08:04:13 -0800
X-Trace: forums-1-dub 1258905853 10.22.241.152 (22 Nov 2009 08:04:13 -0800)
X-Original-Trace: 22 Nov 2009 08:04:13 -0800, vip152.sybase.com
Lines: 15
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:28673
Article PK: 77915


On Sat, 21 Nov 2009 04:42:34 -0800, Manoj wrote:

> Hi,
> I would like to block an IP to connect ASE. While this can be done through
> login trigger, it does not seems to be foolproof. Whenever password expire,
> clients for blocked IP are able to connect and after changing their
> password, they are able to work normally.
> Any other solution which can be implemented within ASE ?

I don't know of any other technique within ASE. Maybe you can fix the
password expiration issue with an ad-hoc version of sp_password which
forces a reconnect, or checks the IP address as well?

Michael


"Mark A. Parsons" <iron_horse Posted on 2009-11-22 16:36:10.0Z
From: "Mark A. Parsons" <iron_horse@no_spamola.compuserve.com>
User-Agent: Thunderbird 1.5.0.10 (Windows/20070221)
MIME-Version: 1.0
Newsgroups: sybase.public.ase.general
Subject: Re: blocking a particular IP to connect ASE
References: <4b07e03a$1@forums-1-dub>
In-Reply-To: <4b07e03a$1@forums-1-dub>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Antivirus: avast! (VPS 091120-0, 11/20/2009), Outbound message
X-Antivirus-Status: Clean
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Message-ID: <4b09687a$1@forums-1-dub>
Date: 22 Nov 2009 08:36:10 -0800
X-Trace: forums-1-dub 1258907770 10.22.241.152 (22 Nov 2009 08:36:10 -0800)
X-Original-Trace: 22 Nov 2009 08:36:10 -0800, vip152.sybase.com
Lines: 30
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:28675
Article PK: 77917

FWIW, starting with ASE 12.5.4 the DBA can setup additional password processing by creating a stored proc in the master
database called 'sp_extrapwdchecks'.

The following manuals have a sample proc ...

ASE 12.5.4 New Features Guide
ASE 15.0.2 System Admin Guide (Vol 1)

... unfortunately, both have some typos. You can run a search on case # 11503841 @ sybase.com to see the typo corrections.

------------------

Just curious ...

If a user attempts to login from a bad IP, is that same user allowed to successfully login from a different/good IP?

Manoj wrote:
> Hi,
> I would like to block an IP to connect ASE. While this can be done through
> login trigger, it does not seems to be foolproof. Whenever password expire,
> clients for blocked IP are able to connect and after changing their
> password, they are able to work normally.
> Any other solution which can be implemented within ASE ?
>
> regards
> Manoj
>
>


Manoj Posted on 2009-11-22 17:12:08.0Z
Reply-To: "Manoj" <manoj_kumar_kushwaha@yahoo.co.in>
From: "Manoj" <manoj_kumar_kushwaha@yahoo.co.in>
Newsgroups: sybase.public.ase.general
References: <4b07e03a$1@forums-1-dub> <4b09687a$1@forums-1-dub>
Subject: Re: blocking a particular IP to connect ASE
Lines: 48
Organization: IBM
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.5843
X-RFC2646: Format=Flowed; Response
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Message-ID: <4b0970e8@forums-1-dub>
Date: 22 Nov 2009 09:12:08 -0800
X-Trace: forums-1-dub 1258909928 10.22.241.152 (22 Nov 2009 09:12:08 -0800)
X-Original-Trace: 22 Nov 2009 09:12:08 -0800, vip152.sybase.com
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:28677
Article PK: 77919


"Mark A. Parsons" <iron_horse@no_spamola.compuserve.com> wrote in message
news:4b09687a$1@forums-1-dub...
> FWIW, starting with ASE 12.5.4 the DBA can setup additional password
> processing by creating a stored proc in the master database called
> 'sp_extrapwdchecks'.
>
> The following manuals have a sample proc ...
>
> ASE 12.5.4 New Features Guide
> ASE 15.0.2 System Admin Guide (Vol 1)
>
> ... unfortunately, both have some typos. You can run a search on case #
> 11503841 @ sybase.com to see the typo corrections.
>
> ------------------
>
> Just curious ...
>
> If a user attempts to login from a bad IP, is that same user allowed to
> successfully login from a different/good IP?

We are trying to block IP & not any particular user. Though it can be done
at OS level or by modifying sp_password as suggested by Michael, I don't
want to use these options.
regards
Manoj Kumar

PMP®,ITIL®
ASE-12.0/12.5/15 certified professional
REP 12.5/15.0 certified professional
ASE 12.5 certified developer


>
>
>
> Manoj wrote:
>> Hi,
>> I would like to block an IP to connect ASE. While this can be done
>> through login trigger, it does not seems to be foolproof. Whenever
>> password expire, clients for blocked IP are able to connect and after
>> changing their password, they are able to work normally.
>> Any other solution which can be implemented within ASE ?
>>
>> regards
>> Manoj


Manoj Posted on 2009-11-22 17:07:53.0Z
Reply-To: "Manoj" <manoj_kumar_kushwaha@yahoo.co.in>
From: "Manoj" <manoj_kumar_kushwaha@yahoo.co.in>
Newsgroups: sybase.public.ase.general
References: <4b07e03a$1@forums-1-dub> <4b09687a$1@forums-1-dub>
Subject: Re: blocking a particular IP to connect ASE
Lines: 46
Organization: IBM
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.5843
X-RFC2646: Format=Flowed; Response
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Message-ID: <4b096fe9@forums-1-dub>
Date: 22 Nov 2009 09:07:53 -0800
X-Trace: forums-1-dub 1258909673 10.22.241.152 (22 Nov 2009 09:07:53 -0800)
X-Original-Trace: 22 Nov 2009 09:07:53 -0800, vip152.sybase.com
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:28676
Article PK: 77920

Thanks Marks,
This sounds good and I will try it.

regards
Manoj Kumar

PMP®,ITIL®
ASE-12.0/12.5/15 certified professional
REP 12.5/15.0 certified professional
ASE 12.5 certified developer

"Mark A. Parsons" <iron_horse@no_spamola.compuserve.com> wrote in message
news:4b09687a$1@forums-1-dub...
> FWIW, starting with ASE 12.5.4 the DBA can setup additional password
> processing by creating a stored proc in the master database called
> 'sp_extrapwdchecks'.
>
> The following manuals have a sample proc ...
>
> ASE 12.5.4 New Features Guide
> ASE 15.0.2 System Admin Guide (Vol 1)
>
> ... unfortunately, both have some typos. You can run a search on case #
> 11503841 @ sybase.com to see the typo corrections.
>
> ------------------
>
> Just curious ...
>
> If a user attempts to login from a bad IP, is that same user allowed to
> successfully login from a different/good IP?
>
>
>
> Manoj wrote:
>> Hi,
>> I would like to block an IP to connect ASE. While this can be done
>> through login trigger, it does not seems to be foolproof. Whenever
>> password expire, clients for blocked IP are able to connect and after
>> changing their password, they are able to work normally.
>> Any other solution which can be implemented within ASE ?
>>
>> regards
>> Manoj


Carl Kayser Posted on 2009-11-22 17:20:22.0Z
From: "Carl Kayser" <kayser_c@bls.gov>
Newsgroups: sybase.public.ase.general
References: <4b07e03a$1@forums-1-dub>
Subject: Re: blocking a particular IP to connect ASE
Lines: 24
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.3598
X-RFC2646: Format=Flowed; Response
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Message-ID: <4b0972d6$1@forums-1-dub>
Date: 22 Nov 2009 09:20:22 -0800
X-Trace: forums-1-dub 1258910422 10.22.241.152 (22 Nov 2009 09:20:22 -0800)
X-Original-Trace: 22 Nov 2009 09:20:22 -0800, vip152.sybase.com
X-Authenticated-User: ase1251
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:28678
Article PK: 77918


"Manoj" <manoj_kumar_kushwaha@yahoo.co.in> wrote in message
news:4b07e03a$1@forums-1-dub...
> Hi,
> I would like to block an IP to connect ASE. While this can be done through
> login trigger, it does not seems to be foolproof. Whenever password
> expire, clients for blocked IP are able to connect and after changing
> their password, they are able to work normally.
> Any other solution which can be implemented within ASE ?
>
> regards
> Manoj
>

I've never had to use login triggers but I find the above to be confusing.

Apparently one can use a login trigger to prevent particular clients (i.e.,
an IP address) from accessing a server (presumably via checking @@spid
against sysprocesses.ipaddr).

But when a login (or SSO) changes their password ... voila! ... the login
can access the server from the "bad client IP"? This makes no sense to me.