Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: David Sheryn <dhs@chromiq.org>
From: Jasper Wallace <jasper@pointless.net>
List: tech-net
Date: 01/12/2007 23:12:57

On Fri, 12 Jan 2007, David Sheryn wrote:

> On Fri, 12 Jan 2007, Eric Rudolph Pizzani wrote:
>
>> Date: Fri, 12 Jan 2007 22:20:12 +1100 (EST)
>> From: Eric Rudolph Pizzani <erp@digitalserenity.net>
>> To: Water NB <netbsd78@126.com>
>> Cc: pkgsrc-users@NetBSD.org, tech-net@NetBSD.org, tech-pkg@NetBSD.org,
>>     netbsd-users@NetBSD.org
>> Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
>>
>> I've had someone do something similar on not only my NetBSD on Alpha, but also
>> Debian running on m68k. Although from what I could tell the guy couldn't get
>> in, but same kind of thing, always tries stupid names like mgrt1 or something,
>> and just common first names, as well as account names like root and admin. All
>> night. It was coming from some place that had an empty website (that is, it
>> was running a web server). Can't remember where from now. He also tried to
>> break a friend's Linux i386 box in much the same fashion. I'm kind of eager to
>> find out how he managed to break the cyrus account. I suppose the best
>> temporary solution is to change all non-user accounts to use nologin? Is there
>> a way of implementing a block on any IP addresses that try to login too much?
>> That would probably slow down the cracker's ability to brute force a login, or
>> whatever it is that he does.
>>
>
> http://fail2ban.sourceforge.net/ or similar? (Not tried it myself.) Any
> other suggestions?

I use blockhosts myself:

http://www.aczoom.com/cms/blockhosts/

It uses the spawn feature of tcpwrappers, so it doesn't rely on log parsing.

Do remember to whitelist IPs you frequently use in hosts.allow!

-- 
[http://pointless.net/]                                   [0x2ECA0975]
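As an added illustration of the thread's advice (this is example code, not part of the original posts, blockhosts or fail2ban), the script below counts failed sshd logins per source address from a few constructed log lines and emits tcpwrappers hosts.deny entries for addresses over a threshold, while honouring a whitelist so that a few mistyped passwords from a host you use every day never lock you out. The log lines, the addresses, `WHITELIST` and `THRESHOLD` are all assumed values.

```shell
#!/bin/sh
# Added example: rate-based blocking of brute-force ssh sources with a whitelist.
# The sshd log lines below are constructed samples (RFC 5737 documentation addresses).
SAMPLE_LOG='Jan 12 22:20:12 host sshd[1234]: Failed password for invalid user mgrt1 from 192.0.2.10 port 4242 ssh2
Jan 12 22:20:14 host sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 4243 ssh2
Jan 12 22:20:16 host sshd[1236]: Failed password for root from 192.0.2.10 port 4244 ssh2
Jan 12 22:20:18 host sshd[1237]: Failed password for invalid user test from 192.0.2.10 port 4245 ssh2
Jan 12 22:21:01 host sshd[1240]: Failed password for jasper from 198.51.100.7 port 5001 ssh2
Jan 12 22:21:05 host sshd[1241]: Failed password for jasper from 198.51.100.7 port 5002 ssh2
Jan 12 22:21:09 host sshd[1242]: Failed password for jasper from 198.51.100.7 port 5003 ssh2
Jan 12 22:21:20 host sshd[1243]: Failed password for cyrus from 203.0.113.9 port 6000 ssh2
Jan 12 22:21:30 host sshd[1244]: Accepted publickey for jasper from 198.51.100.7 port 5004 ssh2'

# Whitelist: addresses you log in from yourself (the hosts.allow caveat in the thread).
# Both values are assumptions for this example.
WHITELIST="198.51.100.7"
THRESHOLD=3

# failed_counts: print "<count> <ip>" for every source address with failed logins.
# Only "Failed password" lines count; "Accepted" lines are ignored.
failed_counts() {
    printf '%s\n' "$SAMPLE_LOG" \
      | sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | awk '{print $1, $2}'
}

# deny_list: print hosts.deny lines ("sshd: <ip>") for addresses with at least
# THRESHOLD failures, skipping whitelisted addresses so they can never be blocked.
deny_list() {
    failed_counts | while read -r count ip; do
        if [ "$count" -lt "$THRESHOLD" ]; then continue; fi
        skip=0
        for w in $WHITELIST; do
            if [ "$ip" = "$w" ]; then skip=1; fi
        done
        if [ "$skip" -eq 0 ]; then printf 'sshd: %s\n' "$ip"; fi
    done
}

deny_list
```

On the sample above only 192.0.2.10 is emitted: 198.51.100.7 also crosses the threshold but is whitelisted, and 203.0.113.9 stays below it.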