Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Joseph A. Dacuma <jadacuma@ched.gov.ph>
From: Water NB <netbsd78@126.com>
List: tech-net
Date: 01/12/2007 22:56:38
netbsd-users@NetBSD.org
Bcc: 
Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
Reply-To: Water NB <netbsd78@126.com>
In-Reply-To: <65323.124.104.178.41.1168598658.squirrel@co-mail.ched.gov.ph>

I learn much from your advices, thanks.

1) cyrus
I want to update my Question 5:
the passwd of cyrus may be not empty. In original /etc/master.passwd:
cyrus:*************:1008:6::0:0:cyrus-sasl cyrus
user:/nonexistent:/bin/sh

For further study this problem:
I re-install cyrus-sasl on another NetBSD-3.1 box,
account cyrus couldn't login via ssh even when I enable
"PermitEmptyPasswords yes".
Now, I am very interested in how cracker login sshd and try only 2
times.

2) SSH
My host provides web and mail services and need update sometimes.
And others PC are behind a dynamic IP (ADSL).
So I couldn't limit source IP.

I think AllowGroups, AllowUsers are good configuration option for me,
because the real account is very few.

For security reason, I suggests sshd should:
remember the IP of fialed-login, and deny any session from it within an
hour or more.
Or pkgsrc/security/pam-af is a good choice.

3)
I have not used tripwire on NetBSD, but used it on Linux.
I think NetBSD's everyday security check is good too.
I found passwd changed through its report and then found attack.

I am glad the system is healthy still. Or I should believe NetBSD is a
strong OS.

4) more security
It should let cracker don't know how we running:
which OS, which SSHD, wich HTTPD, ...
> 
Thanks again!
>