by steve-myers » Sat 08 Jun 2013, 16:42
Going back to May 14 I see LOGON attempts with a bad password. Lots of them. This is quite common with new users, so that's not usually an issue.
Then it appears you switched over to CICS and kept on trying. The admins regard CICS as a soft underbelly in security since it doesn't seem to drop a terminal if there are too many LOGON attempts. There has been some indication of "bots" trying to break in through CICS, at least to get a valid userid/password. Switching between TSO and CICS like that is unusual. Perhaps that's why the admins banned the ID; they thought it was a successful attempt to "brute force" the userid/password.
Then you went back to TSO and got a
IKJ606I TSOLOGON REJECTED. USERID DGRMF16 IN USE
though I didn't see a successful LOGON. I next see a successful TSO cancel from the web interface, though I don't see a matching ABEND message. Next I see a TSO session from 22:58:32 to 23:08:44 immediately followed by a TSO session from 23:08:51 to 23:09:13. There is nothing in SYSLOG to indicate any issues.
Then, May 18 we go back to password violations followed by on-off, on-off, more password violations, on-off, on-off. It appears the ID was banned at that point, though not deleted yet. Later in the day I see an on-off sequence. May 20 I see another on-off sequence, and nothing since then.
As far as I can tell, DGRMF16 is no longer banned. You are correct, though. Usually, once banned, forever banned. Just today it appears an attempt to get new IDs from a previously banned user was blocked.
As Prino says, the admins ban an ID first, but it is usually left so it can be revived if it turns out they goofed. From time to time "banned" IDs are deleted, as happened June 3.