Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Joseph A. Dacuma <>
From: Water NB <>
List: tech-pkg
Date: 01/12/2007 22:56:38
Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
Reply-To: Water NB <>
In-Reply-To: <>

I learn much from your advices, thanks.

1) cyrus
I want to update my Question 5:
the passwd of cyrus may be not empty. In original /etc/master.passwd:
cyrus:*************:1008:6::0:0:cyrus-sasl cyrus

For further study this problem:
I re-install cyrus-sasl on another NetBSD-3.1 box,
account cyrus couldn't login via ssh even when I enable
"PermitEmptyPasswords yes".
Now, I am very interested in how cracker login sshd and try only 2

2) SSH
My host provides web and mail services and need update sometimes.
And others PC are behind a dynamic IP (ADSL).
So I couldn't limit source IP.

I think AllowGroups, AllowUsers are good configuration option for me,
because the real account is very few.

For security reason, I suggests sshd should:
remember the IP of fialed-login, and deny any session from it within an
hour or more.
Or pkgsrc/security/pam-af is a good choice.

I have not used tripwire on NetBSD, but used it on Linux.
I think NetBSD's everyday security check is good too.
I found passwd changed through its report and then found attack.

I am glad the system is healthy still. Or I should believe NetBSD is a
strong OS.

4) more security
It should let cracker don't know how we running:
which OS, which SSHD, wich HTTPD, ...
Thanks again!