Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: None <pkgsrc-users@NetBSD.org>
From: Steve Brown <steve@daedilus.org>
List: pkgsrc-users
Date: 01/13/2007 19:11:56
Hi,
I spotted this going on with my system very early on, being a keen
observer of my logs.
To remedy this, I currently have a block on sshd of ALL users on my
system except a random one. That user account has a pretty secure
password which is not likely to fall victim to a dictionary attack.
Just to make sure that it doesn't get dictionaried particularly much (I
was noting some 180 - 300 attempts per host at cracking sshd before the
next fix I put in place), I installed Blockhosts python script and set
it up to be particularly harsh. I now allow only 3 failed attempts from
any single IP outside my LAN, before blocking the IP for a significant
period of time. I am currently blocking 11 hosts, though have been
blocking as many as 30. So, other than the hosts that stopped before 3
attempts, I've managed to reduce my attacks by between 99 and 99.5 % of
the total number that would have been reaching sshd otherwise. I have
had no attacks attempted against that account at all, meaning that every
single attack that had been attempted before being blocked couldn't have
succeeded anyway.
Blockhosts can be found at http://www.aczoom.com/cms/blockhosts/
I had to install Python 2.4 from pkgsrc before being able to get this to
work. At some point, I'll be certain to look into the next step of
linking this in with ipfilter (and setting up ipfilter), on the grounds
that it would be nice to stop ANY communication coming in from these
hosts once they've tried to break my system.
Hope that's of some help?
On the side against dealing with a broken system, I believe the general
advice given here has been to rebuild from scratch. As inconvenient as
it is, I have to agree with this. There simply is no possible way to be
certain what has been done to a system once it is believed to have been
compromised.
Steve
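The per-IP failure counting Steve describes (three failed attempts from any single address outside the LAN, then block), as an added example that is not part of the original post and not Blockhosts' own code. It parses constructed sshd syslog lines, exempts an assumed LAN range of 192.168.1.0/24, and renders the resulting entries in the tcp_wrappers `ALL: <ip> : deny` form that hosts.allow accepts.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (syslog format); not taken from the original post.
SAMPLE_LOG = """\
Jan 13 18:01:02 host sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 40210 ssh2
Jan 13 18:01:05 host sshd[2311]: Failed password for invalid user test from 203.0.113.7 port 40211 ssh2
Jan 13 18:01:09 host sshd[2311]: Failed password for root from 203.0.113.7 port 40212 ssh2
Jan 13 18:02:00 host sshd[2320]: Failed password for root from 198.51.100.9 port 50001 ssh2
Jan 13 18:02:30 host sshd[2325]: Failed password for steve from 192.168.1.20 port 33000 ssh2
Jan 13 18:02:31 host sshd[2325]: Failed password for steve from 192.168.1.20 port 33000 ssh2
Jan 13 18:02:32 host sshd[2325]: Failed password for steve from 192.168.1.20 port 33000 ssh2
Jan 13 18:02:33 host sshd[2325]: Failed password for steve from 192.168.1.20 port 33000 ssh2
Jan 13 18:03:00 host sshd[2330]: Accepted publickey for steve from 192.168.1.20 port 33001 ssh2
"""

# Matches OpenSSH's "Failed password" line for both valid and invalid user names.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range; the post exempts its own LAN
THRESHOLD = 3  # the post's limit: 3 failed attempts from any single outside IP


def count_failures(log_text, lan=LAN):
    """Count 'Failed password' lines per source IP, ignoring addresses inside the LAN."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are not failures
        ip = ipaddress.ip_address(m.group(2))
        if ip in lan:
            continue  # LAN hosts are never blocked, matching the post's policy
        counts[str(ip)] += 1
    return counts


def hosts_to_block(log_text, threshold=THRESHOLD, lan=LAN):
    """Return the sorted list of outside IPs that reached the failure threshold."""
    return sorted(ip for ip, n in count_failures(log_text, lan).items() if n >= threshold)


def hosts_allow_lines(ips):
    """Render tcp_wrappers deny entries for hosts.allow (extended 'ALL: host : deny' form)."""
    return ["ALL: %s : deny" % ip for ip in ips]


if __name__ == "__main__":
    for entry in hosts_allow_lines(hosts_to_block(SAMPLE_LOG)):
        print(entry)
```

Only 203.0.113.7 reaches three failures from outside the LAN; 198.51.100.9 stops at one and the four LAN failures are ignored.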
>> http://fail2ban.sourceforge.net/ or similar ? (not tried it myself) Any
>> other suggestions ?
>>
>
> How about using pkgsrc/security/pam-af ?
>
> --
> "Of course I love NetBSD":-)
> OBATA Akio / obache@NetBSD.org
>
>