pkgsrc-Users archive


Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?



On 1/12/07, Water NB <netbsd78%126.com@localhost> wrote:
> In recent days, a cracker has repeatedly attacked my host.
> The cracker's IPs are from Japan, Croatia and some other countries.
> But I guess it is the same cracker, remotely controlling those hosts,
> because he always does the same things:
> 1) tries to ssh into accounts one by one: root, postfix, ... cyrus.
> 2) at last, logs in successfully via the account cyrus.
> 3) installs a program, psyBNC 2.3.1, under /tmp and runs it.

I was hit once on an old Solaris 2.6 x86 box, which I had meant to replace
for more than a year and didn't bother to secure properly...
Luckily I noticed this within a few days and was quickly able to find
some new hardware and move that server's functions to another system (in
this case FreeBSD 6.0).

> 4) sometimes he changes the password of cyrus.

If you ask me, once he has been there, the box is compromised. You have
to search for rootkits etc. I wouldn't bother, if I were you; I would
start from scratch.


> Question 1) Is it a bug in sshd?

Not likely - but see below.

> Yesterday, I changed the password of cyrus to 16 characters containing
> digits, symbols and capital/lowercase letters, so I think it is more
> secure.
> But this morning I found the cracker had still logged into the system
> after only two tries.

Key logger? I don't know if such a thing exists for NetBSD, but
wouldn't be surprised.

> It is impossible to get the correct password in 2 tries.
> So I guess that he used a bug in sshd.
> What bug? I don't know.
>
> Question 2) Why does /etc/passwd:cyrus have Shell: /bin/sh?
> I think /sbin/nologin is enough.
> In fact, when I changed it to /sbin/nologin, the cracker stopped cracking,
> because he has to log out as soon as he logs in.

I don't know, I run courier.


> Question 3) How to set up a secure system?

Well, that's the $64,000 one...

> I am so worried about the fixed-IP host on the public network.


> Question 4) How can I log what passwords the cracker used in the ssh session?
> Or do I need to modify the sshd source?
>
> Question 5) Does an empty password mean no password is needed?
> Or that any password is invalid?
>
> My system:
> # uname -a
> NetBSD serv01 3.1_STABLE NetBSD 3.1_STABLE (386nb3) #3: Sat Dec 30
> 11:50:47 CST
> 2006  water@serv01:/usr/world/386o3/sys/arch/i386/compile/386nb3 i386
>
> # ssh -v
> OpenSSH_3.9 NetBSD_Secure_Shell-20061016, OpenSSL 0.9.7d 17 Mar 2004
>
> Running: apache2, postfix-2.3.5 (from pkgsrc), dovecot, mysqld, sshd,
> named
> Installed: cyrus-sasl-2.1.22, php5.2.0
>
> Authlog:
>
> ...
> Jan 12 00:07:04 mail sshd[19307]: Accepted password for cyrus from
> AAA.BBB.CCC.DDD port 57622 ssh2
> (!!!!!)


Configure sshd with something like:

....
# Authentication:

LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable PAM authentication
ChallengeResponseAuthentication no
....

and set up passwordless ssh logins from the hosts you are likely to use
to log in to that server; google for passwordless ssh login (e.g.
http://www.securitydocs.com/library/3385 )

Chavdar
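An added example, written for this archive page and not code from the thread, NetBSD or OpenSSH, that turns the advice in the reply into checks a practitioner can run against the three artefacts the thread shows: sshd_config (the effective PermitRootLogin / PasswordAuthentication / PermitEmptyPasswords values, honouring sshd's rule that the first occurrence of a keyword wins and that an absent directive takes its compiled-in default), passwd (daemon accounts such as cyrus that still have a login shell instead of /sbin/nologin), and authlog ("Accepted password" logins to daemon accounts, which should never happen, plus failed-password counts per source address). The sample config, passwd lines and log lines are constructed; the OpenSSH 3.x defaults in WANTED and the uid-1000 boundary between daemon and regular accounts are assumptions of the example, not facts from the page.

```python
import re

# Constructed sample inputs for this example (not data from the thread).
# On NetBSD the real files are /etc/ssh/sshd_config, /etc/passwd and
# /var/log/authlog.
SAMPLE_SSHD_CONFIG = """\
# Authentication:
LoginGraceTime 2m
PasswordAuthentication yes
#PermitRootLogin yes
PermitEmptyPasswords no
PasswordAuthentication no   # ignored by sshd: the first occurrence wins
"""

SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/sh
postfix:*:12:12:Postfix Mail Daemon:/var/spool/postfix:/sbin/nologin
cyrus:*:25:25:Cyrus SASL daemon:/nonexistent:/bin/sh
water:*:1000:100:Water NB:/home/water:/bin/sh
"""

SAMPLE_AUTHLOG = """\
Jan 12 00:06:51 mail sshd[19290]: Failed password for root from 198.51.100.7 port 57590 ssh2
Jan 12 00:06:55 mail sshd[19301]: Failed password for postfix from 198.51.100.7 port 57601 ssh2
Jan 12 00:06:58 mail sshd[19303]: Failed password for cyrus from 198.51.100.7 port 57610 ssh2
Jan 12 00:07:04 mail sshd[19307]: Accepted password for cyrus from 198.51.100.7 port 57622 ssh2
Jan 12 00:09:11 mail sshd[19320]: Accepted publickey for water from 192.0.2.10 port 41022 ssh2
"""

# Wanted value per directive (from the reply above) and the compiled-in
# default that applies when the directive is absent. Defaults are those of
# OpenSSH 3.x as assumed here; verify against sshd_config(5) on your version.
WANTED = {
    "permitrootlogin":                 ("no", "yes"),
    "passwordauthentication":          ("no", "yes"),
    "permitemptypasswords":            ("no", "no"),
    "challengeresponseauthentication": ("no", "yes"),
    "pubkeyauthentication":            ("yes", "yes"),
}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def parse_sshd_config(text):
    """Effective values: keywords are case-insensitive, '#' starts a comment,
    and sshd honours only the first occurrence of each keyword."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def audit_sshd_config(text):
    """Directives whose effective value (set or defaulted) is not the wanted one."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, (wanted, default) in WANTED.items():
        actual = cfg.get(key, default).lower()
        if actual != wanted:
            source = "set" if key in cfg else "default"
            findings.append(f"{key}: {actual} ({source}), want {wanted}")
    return findings


def daemon_accounts(passwd_text, min_user_uid=1000):
    """Daemon account name -> shell. Uids below min_user_uid are treated as
    daemons (assumption: NetBSD starts regular users at 1000); root is left
    out because it legitimately keeps a shell. The shell is the last field in
    both passwd(5) and master.passwd(5)."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        if fields[0] != "root" and int(fields[2]) < min_user_uid:
            accounts[fields[0]] = fields[-1]
    return accounts


def daemons_with_login_shell(passwd_text):
    """Daemon accounts (cyrus, postfix, ...) that can still log in interactively."""
    return sorted((n, s) for n, s in daemon_accounts(passwd_text).items()
                  if s not in NOLOGIN_SHELLS)


def audit_authlog(log_text, daemons):
    """(password logins to daemon accounts, failed password attempts per source).
    The first list should be empty; the second shows who is guessing."""
    daemon_logins, failed = [], {}
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            method, user, src = m.groups()
            if method == "password" and user in daemons:
                daemon_logins.append((user, src))
            continue
        m = FAILED.search(line)
        if m:
            failed[m.group(2)] = failed.get(m.group(2), 0) + 1
    return daemon_logins, failed


if __name__ == "__main__":
    for f in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("sshd_config:", f)
    for name, shell in daemons_with_login_shell(SAMPLE_PASSWD):
        print(f"passwd: daemon account {name} has login shell {shell}")
    logins, failed = audit_authlog(SAMPLE_AUTHLOG, daemon_accounts(SAMPLE_PASSWD))
    for user, src in logins:
        print(f"authlog: password login to daemon account {user} from {src}")
    for src, n in failed.items():
        print(f"authlog: {n} failed password attempts from {src}")
```

Run against the real files by replacing the SAMPLE_* strings with the contents of /etc/ssh/sshd_config, /etc/passwd and /var/log/authlog. Note that the constructed config has PasswordAuthentication set twice: the audit reports "yes" because sshd keeps the first value, which is exactly the mistake that makes an edit at the bottom of a long sshd_config look effective when it is not. PermitRootLogin is reported as a finding even though no line sets it, because the defaulted value is still "yes".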


