Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Eric Rudolph Pizzani <erp@digitalserenity.net>
From: Brian McEwen <bmcewen@comcast.net>
List: tech-pkg
Date: 01/12/2007 07:10:30
Pooling two emails in one:
On Jan 12, 2007, at 4:17 AM, Water NB wrote:
> But this morning I found the cracker still logined the system after
> only
> two tries.
> It is impossible to try 2 times to get the correct password.
> So I guess that he used the bug of sshd.
> What bug? I don't know.
Seems as if it were a sshd bug he'd been in earlier? cyrus is most
likely.
Nothing leapt out when I checked secunia.org though.
> Question 5) empty password means needn't password?
> Or means any passwords are invalid?
There is a config setting
PermitEmptyPasswords no
to help in case some get created by mistake.
===============================
On Jan 12, 2007, at 6:20 AM, Eric Rudolph Pizzani wrote:
> Is there a way of implementing a block on any IP addresses that
> try to login too much? That would probably slow down the crackers
> ability to brute force a login, or whatever it is that he does.
see http://denyhosts.sourceforge.net/
for a pretty capable solution, if you don't mind having python running.
Also see some tips from Alex at
http://restorecd.homeunix.org/NetBSD/
for a script that you might use/tweak that is similar in effect to
DenyHosts plus info on spawning a sleep command in hosts.deny that
deters most 'bot attacks due to timeout.
Luck,
Brian