Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Water NB <netbsd78@126.com>
From: Chavdar Ivanov <ci4ic4@gmail.com>
List: netbsd-users
Date: 01/12/2007 11:34:33
On 1/12/07, Water NB <netbsd78@126.com> wrote:
> In the recent days, a cracker always attack my host.
> The cracker's IP is from Japan, Croatia and some coutries.
> But I guess it is the same cracker and remote-conrolled those hosts.
> Because he always did the same works:
> 1) try to ssh account one by one: root, postfix, ... cyrus.
> 2) at last, login successfully via account cyrus.
> 3) install a program psyBNC 2.3.1 under /tmp and run it.

I was hit once on an old Solaris 2.6x86 box, which I meant to replace
for more than a year and didn't bother to secure it properly...
Luckily I noticed this within a few days and was able quickly to find
some new hardware and move that server functions to another system (in
this case FreeBSD 6.0).

> 4) sometimes he changes the password of cyrus.

If you ask me, once he is been there, the box is compromised. You have
to search for rootkits etc. I wouldn't bother, if I were you; I would
start from scratch.

>
> Question 1) Is it a bug of sshd?

Not likely - but see below.

> Yesterday, I change the password of cyrus to 16 characters which contain
> digit, symbol and  capital/lowercase letter, So I think it is more
> secure.
> But this morning I found the cracker still logined the system after only
> two tries.

Key logger? I don't know if such a thing exists for NetBSD, but
wouldn't be surprised.

> It is impossible to try 2 times to get the correct password.
> So I guess that he used the bug of sshd.
> What bug? I don't know.
>
> Question 2) why /etc/passwd:cyrus has Shell: /bin/sh?
> I think /sbin/nologin is enough.
> In fact, when I change it to /sbin/nologin, the cracker stop cracking
> because he has to logout once he login.

I don't know, I run courier.

>
> Question 3) How to setup a secret system?

Well, that's the 64000$ one...

> I am so worried with the fixed-IP-host in public network.
>

> Question 4) How to log what passwords the cracker used in ssh session?
> Or I need modify sshd source?
>
> Question 5) empty password means needn't password?
> Or means any passwords are invalid?
>
> My system:
> # uname -a
> NetBSD serv01 3.1_STABLE NetBSD 3.1_STABLE (386nb3) #3: Sat Dec 30
> 11:50:47 CST
> 2006  water@serv01:/usr/world/386o3/sys/arch/i386/compile/386nb3 i386
>
> # ssh -v
> OpenSSH_3.9 NetBSD_Secure_Shell-20061016, OpenSSL 0.9.7d 17 Mar 2004
>
> Running: apache2, postfix-2.3.5 (from pkgsrc), dovecot, mysqld, sshd,
> named
> Installed: cyrus-sasl-2.1.22, php5.2.0
>
> Authlog:
>
...
> Jan 12 00:07:04 mail sshd[19307]: Accepted password for cyrus from
> AAA.BBB.CCC.DDD port 57622 ssh2
> (!!!!!)
>

Configure sshd with something like:

....
# Authentication:

LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable PAM authentication
ChallengeResponseAuthentication no
....

and setup passwordless ssh logins from the hosts you are likely to use
to login to that server; google for passwordless ssh login (i.e.
http://www.securitydocs.com/library/3385 )

Chavdar