Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: None <pkgsrc-users@NetBSD.org>
From: Steve Brown <email@example.com>
Date: 01/13/2007 19:11:56
I spotted this going on with my system very early on, being a keen
observer of my logs.
To remedy this, I currently have a block on sshd of ALL users on my
system except a random one. That user account has a pretty secure
password which is not likely to fall victim to a dictionary attack.
Just to make sure that it doesn't get dictionaried particularly much (I
was noting some 180 - 300 attempts per host at cracking sshd before the
next fix I put in place), I installed Blockhosts python script and set
it up to be particularly harsh. I now allow only 3 failed attempts from
any single IP outside my LAN, before blocking the IP for a significant
period of time. I am currently blocking 11 hosts, though have been
blocking as many as 30. So, other than the hosts that stopped before 3
attempts, I've managed to reduce my attacks by between 99 and 99.5 % of
the total number that would have been reaching sshd otherwise. I have
had no attacks attempted against that account at all, meaning that every
single attack that had been attempted before being blocked couldn't have
Blockhosts can be found at http://www.aczoom.com/cms/blockhosts/
I had to install Python 2.4 from pkgsrc before being able to get this to
work. At some point, I'll be certain to look into the next step of
linking this in with ipfilter (and setting up ipfilter), on the grounds
that it would be nice to stop ANY communication coming in from these
hosts once they've tried to break my system.
Hope that's of some help?
On the side against dealing with a broken system, I believe the general
advice given here has been to rebuild from scratch. As inconvenient as
it is, I have to agree with this. There simply is no possible way to be
certain what has been done to a system once it is believed to have been
>> http://fail2ban.sourceforge.net/ or similar ? (not tried it myself) Any
>> other suggestions ?
> How about using pkgsrc/security/pam-af ?
> "Of course I love NetBSD":-)
> OBATA Akio / obache@NetBSD.org