Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Ignatios Souvatzis <is@netbsd.org>
From: Marius ROMAN <marius.roman@gmail.com>
List: netbsd-users
Date: 01/12/2007 16:28:30
If you use PF you can add something like:

ext_if = "ne0"   # placeholder: set this to your external interface
# sources that exceed the limits below land in this table; "persist" keeps
# the table even while no loaded rule references it
table <bruteforce> persist
block quick from <bruteforce>
# at most 3 concurrent ssh connections per source and at most 3 new ones per
# 10 seconds; offenders are added to <bruteforce> and their states flushed
pass in on $ext_if proto tcp from any to any port 22 \
        flags S/SA keep state \
        (max-src-conn 3, max-src-conn-rate 3/10, \
         overload <bruteforce> flush global)

-- 
GPG KeyID: 601CB35E
GPG Fingerprint: 17C7 BB76 DF3C 0E54 472E 6154 8AC9 FC1B 601C B35E

On 1/12/07, Ignatios Souvatzis <is@netbsd.org> wrote:
> On Fri, Jan 12, 2007 at 11:34:33AM +0000, Chavdar Ivanov wrote:
> > On 1/12/07, Water NB <netbsd78@126.com> wrote:
> > >In recent days, a cracker has been constantly attacking my host.
> > >The cracker's IP is from Japan, Croatia and some other countries.
> > If you ask me, once he has been there, the box is compromised. You have
> > to search for rootkits etc. I wouldn't bother, if I were you; I would
> > start from scratch.
>
> Good advice, normally.
>
> > >
> > >Question 1) Is it a bug of sshd?
> >
> > Not likely - but see below.
> >
> > >Yesterday, I changed the password of cyrus to 16 characters which contain
> > >digits, symbols and capital/lowercase letters, so I think it is more
> > >secure.
> > >But this morning I found the cracker had still logged in to the system after only
> > >two tries.
> >
> > Key logger? I don't know if such a thing exists for NetBSD, but
> > wouldn't be surprised.
>
> Well, once the guy is "in" and has a privileged account, he can change
> the passwd program... and if he only wants to capture cyrus' new password,
> he can change cyrus' passwd.
>
> > >
> > >Question 2) why /etc/passwd:cyrus has Shell: /bin/sh?
> > >I think /sbin/nologin is enough.
> > >In fact, when I changed it to /sbin/nologin, the cracker stopped cracking
> > >because he has to log out as soon as he logs in.
>
> This should be suggested to either the pkg maintainers or to the cyrus
> maintainers. Please send a pr about this so that this suggestion isn't
> lost.
>
> For the record: due to laziness, I didn't block port 22 when returning
> from my last conference, so I have my authlog full of
>
> Jan 11 18:32:42 marie sshd[4035]: Invalid user takagi from 70.129.216.130
> Jan 11 18:32:42 marie sshd[4035]: Failed password for invalid user takagi from 70.129.216.130 port 47462 ssh2
>
> and similar.
>
> *shrug* such is life - I normally use a different port for ssh to
> avoid clogging my authlog with this...
>
> Maybe I should sweep it and notify the admins of those systems.
>
> Regards,
>         -is
> --
> seal your e-mail: http://www.gnupg.org/
>
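Added example, not part of Marius' or Ignatios' mail: a small script that applies the same "3 in 10 seconds" rule as the PF `max-src-conn-rate 3/10` state option to sshd authlog lines of the kind quoted above, so you can see from the log which sources the overload rule would have caught, and which it would not. The log lines are constructed for the example (documentation-range addresses, made-up PIDs and ports); the `pfctl -t bruteforce -T add` commands it emits are the manual equivalent of the `overload <bruteforce>` action.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed authlog sample in the format shown in the thread. The first
# source fails three times within 7 seconds; the second fails three times
# spread over more than two minutes; the last line is a successful login.
SAMPLE_AUTHLOG = """\
Jan 11 18:32:42 marie sshd[4035]: Invalid user takagi from 192.0.2.10
Jan 11 18:32:42 marie sshd[4035]: Failed password for invalid user takagi from 192.0.2.10 port 47462 ssh2
Jan 11 18:32:45 marie sshd[4037]: Failed password for invalid user admin from 192.0.2.10 port 47470 ssh2
Jan 11 18:32:49 marie sshd[4039]: Failed password for root from 192.0.2.10 port 47481 ssh2
Jan 11 18:40:01 marie sshd[4102]: Failed password for cyrus from 198.51.100.7 port 55012 ssh2
Jan 11 18:41:15 marie sshd[4110]: Failed password for cyrus from 198.51.100.7 port 55030 ssh2
Jan 11 18:42:30 marie sshd[4118]: Failed password for cyrus from 198.51.100.7 port 55044 ssh2
Jan 11 18:42:31 marie sshd[4120]: Accepted publickey for is from 203.0.113.5 port 40022 ssh2
""".splitlines()

# OpenSSH "Failed password" line: syslog timestamp (no year), host, sshd[pid],
# optional "invalid user" marker (present only when the account does not exist).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failed(line, year=2007):
    """Return (timestamp, user, ip) for a 'Failed password' line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # syslog omits the year; assume one so the timestamps become comparable
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def find_bruteforcers(lines, max_failures=3, window_seconds=10):
    """
    Sliding-window check mirroring pf's 'max-src-conn-rate 3/10': a source is
    flagged the moment it reaches max_failures failures within window_seconds.
    Returns {ip: timestamp_of_first_trigger}.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    flagged = {}
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:         # not a failed-password line, ignore
            continue
        ts, _user, ip = parsed
        q = recent[ip]
        q.append(ts)
        # forget failures that have aged out of the window
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged


def pf_table_commands(flagged, table="bruteforce"):
    """Manual equivalent of the overload action: add each flagged ip to the table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = find_bruteforcers(SAMPLE_AUTHLOG)
    for ip, ts in hits.items():
        print(f"{ip} reached 3 failures within 10s at {ts:%H:%M:%S}")
    for cmd in pf_table_commands(hits):
        print(cmd)
```

Only 192.0.2.10 gets flagged. 198.51.100.7 makes the same number of attempts against the cyrus account but paces them more than a minute apart, so neither this script nor the `3/10` rate in the PF rule above ever sees it; a rate limit slows a fast scanner down but does nothing against a patient one, which is why the change of the cyrus login shell to /sbin/nologin discussed in the thread (or key-only authentication) is the part that actually closes the door.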