I've had someone do something similar on not only my NetBSD on Alpha, but 
also Debian running on m68k. Although from what I could tell the guy 
couldn't get in but same kind of thing, always tries stupid names like 
mgrt1 or something, and just common first names, as well as account names 
like root and admin. All night. It was coming from some place that had an 
empty website (that is, it was running a web server). Can't remember where 
from now. He also tried to break a friend's linux i386 box in much the 
same fasion. I'm kind of eager to find out how he managed to break the cyrus 
account. I suppose the best temporary solution is to change all non-user accounts to use nologin? Is there a way 
of implementing a block on any IP addresses that try to login too much? 
That would probably slow down the crackers ability to brute force a login, 
or whatever it is that he does.

Thanks

  On Fri, 12 Jan 2007, Water NB wrote:

> Date: Fri, 12 Jan 2007 17:17:13 +0800
> From: Water NB <netbsd78@126.com>
> To: pkgsrc-users@NetBSD.org
> Cc: tech-net@NetBSD.org, tech-pkg@NetBSD.org, netbsd-users@NetBSD.org
> Subject: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
> 
> In the recent days, a cracker always attack my host.
> The cracker's IP is from Japan, Croatia and some coutries.
> But I guess it is the same cracker and remote-conrolled those hosts.
> Because he always did the same works: