Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Eric Rudolph Pizzani <erp@digitalserenity.net>
From: Brian McEwen <bmcewen@comcast.net>
List: tech-net
Date: 01/12/2007 07:10:30
Pooling two emails in one:


On Jan 12, 2007, at 4:17 AM, Water NB wrote:

> But this morning I found the cracker still logged into the system after
> only two tries.
> It is impossible to try 2 times to get the correct password.
> So I guess that he used the bug of sshd.
> What bug? I don't know.

Seems as if it were an sshd bug he'd been in earlier?  cyrus is most
likely.
Nothing leapt out when I checked secunia.org though.

> Question 5) empty password means needn't password?
> Or means any passwords are invalid?

There is a config setting
PermitEmptyPasswords no
to help in case some get created by mistake.

===============================

On Jan 12, 2007, at 6:20 AM, Eric Rudolph Pizzani wrote:

> Is there a way of implementing a block on any IP addresses that
> try to log in too much? That would probably slow down the cracker's
> ability to brute force a login, or whatever it is that he does.

see http://denyhosts.sourceforge.net/
for a pretty capable solution, if you don't mind having python running.

Also see some tips from Alex at
http://restorecd.homeunix.org/NetBSD/

for a script that you might use/tweak that is similar in effect to
DenyHosts, plus info on spawning a sleep command in hosts.deny that
deters most 'bot attacks due to timeout.

Luck,

Brian