Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Eric Rudolph Pizzani <erp@digitalserenity.net>
From: David Sheryn <dhs@chromiq.org>
List: tech-net
Date: 01/12/2007 12:47:58

On Fri, 12 Jan 2007, Eric Rudolph Pizzani wrote:

> Date: Fri, 12 Jan 2007 22:20:12 +1100 (EST)
> From: Eric Rudolph Pizzani <erp@digitalserenity.net>
> To: Water NB <netbsd78@126.com>
> Cc: pkgsrc-users@NetBSD.org, tech-net@NetBSD.org, tech-pkg@NetBSD.org,
>     netbsd-users@NetBSD.org
> Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
>
> I've had someone do something similar on not only my NetBSD on Alpha, but also
> Debian running on m68k. Although from what I could tell the guy couldn't get
> in but same kind of thing, always tries stupid names like mgrt1 or something,
> and just common first names, as well as account names like root and admin. All
> night. It was coming from some place that had an empty website (that is, it
> was running a web server). Can't remember where from now. He also tried to
> break a friend's Linux i386 box in much the same fashion. I'm kind of eager to
> find out how he managed to break the cyrus account. I suppose the best
> temporary solution is to change all non-user accounts to use nologin? Is there
> a way of implementing a block on any IP addresses that try to log in too much?
> That would probably slow down the cracker's ability to brute force a login, or
> whatever it is that he does.
>

http://fail2ban.sourceforge.net/ or similar? (not tried it myself) Any
other suggestions?


-- 
David Sheryn
david@chromiq.org