Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Andy Ruhl <acruhl@gmail.com>
From: haad <haaaad@gmail.com>
List: netbsd-users
Date: 01/12/2007 23:30:11

Andy Ruhl wrote:
> On 1/12/07, Water NB <netbsd78@126.com> wrote:
>> In the recent days, a cracker always attacks my host.
>> The cracker's IP is from Japan, Croatia and some countries.
>> But I guess it is the same cracker and he remote-controlled those hosts.
>> Because he always did the same work:
>> 1) try to ssh account one by one: root, postfix, ... cyrus.
>> 2) at last, login successfully via account cyrus.
>> 3) install a program psyBNC 2.3.1 under /tmp and run it.
My mounts look like this:
/tmp nosuid,noexec,nodev
/var noexec,nosuid,nodev
/usr nodev
/home nodev,nosuid,(noexec?)
I should do it in a similar way.

Also, if you want a secure server, you should try veriexec(4).
>> 4) sometimes he changes the password of cyrus.
>>
>> Question 1) Is it a bug of sshd?

I think no.
> Probably not. I'm one of the ones who likes to believe that any bugs
> in ssh will be quickly known and public. Maybe that's too optimistic.
> 
>> Question 2) why /etc/passwd:cyrus has Shell: /bin/sh?
>> I think /sbin/nologin is enough.
>> In fact, when I change it to /sbin/nologin, the cracker stops cracking
>> because he has to log out once he logs in.

If the cyrus account has a disabled password, there is no way to log in with it
(the shell doesn't matter).
I think that the attacker can break into your system through cyrus and get a shell. After
a successful attack he changed the cyrus account shell to /bin/sh? Is this attack
possible?

> Seems like a good idea to me.
> 
> I had the ssh phishers too, and this is a good way to keep them away
> from you and working on someone else:
> 
> 1. Change your ssh port to something else
IMHO this is a typical security-by-obscurity mistake.
Try to secure and properly configure your system and do not change ports;
this doesn't stop an attacker.
On my servers I use this in sshd_config:

foo bar => system users
foobar  => system group

AllowUsers foo bar
AllowGroups foobar

PermitRootLogin no
MaxAuthTries 3

PermitEmptyPasswords no

Other options you can see in sshd_config(5).

> 2. Set pf to block with a drop policy, so the scanners and hackers
> have to wait if they do try (which means they will likely go play
> somewhere else in short order).

A standard server must have a good firewall, and IMO pf is the best firewall for this job.

> 3. Figure out a way to log attempts to connect to port 22 and then
> block those IPs (it's on my list of things to do, I just haven't
> figured out how I'm going to do it yet. I think someone else posted a
> link)

I don't use it, and so far nobody has hacked into one of my servers.

> 
> I'm surprised that a few people think you should start over. I would
> seriously hope that a compromised user account wouldn't immediately
> prompt paranoia that the box was rooted. I understand that this is a
> thought process that needs to take place, but I would hope that NetBSD
> is more hardy than that.
> 

If somebody compromises your system account, you should reinstall it.


> I always keep my install sets somewhere else so I can do a checksum
> against some important programs to see if it's been hacked.
> 
> I don't claim to be Mr. Security, so you'll probably want to look for
> advice from others who have been around a while.
> 
> Andy
> 

That's my two cents.

Regards
---------------------------------------------------------------
Adam Hamsik
ICQ 249727910
jabber haad@jabber.org
---------------------------------------------------------------
There are 10 kinds of people in the world. Those who understand
binary numbers, and those who don't.