Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Water NB <netbsd78@126.com>
From: Eric Rudolph Pizzani <erp@digitalserenity.net>
List: tech-net
Date: 01/12/2007 22:20:12
I've had someone do something similar on not only my NetBSD on Alpha, but
also Debian running on m68k. Although from what I could tell the guy
couldn't get in but same kind of thing, always tries stupid names like
mgrt1 or something, and just common first names, as well as account names
like root and admin. All night. It was coming from some place that had an
empty website (that is, it was running a web server). Can't remember where
from now. He also tried to break a friend's linux i386 box in much the
same fasion. I'm kind of eager to find out how he managed to break the cyrus
account. I suppose the best temporary solution is to change all non-user accounts to use nologin? Is there a way
of implementing a block on any IP addresses that try to login too much?
That would probably slow down the crackers ability to brute force a login,
or whatever it is that he does.
Thanks
On Fri, 12 Jan 2007, Water NB wrote:
> Date: Fri, 12 Jan 2007 17:17:13 +0800
> From: Water NB <netbsd78@126.com>
> To: pkgsrc-users@NetBSD.org
> Cc: tech-net@NetBSD.org, tech-pkg@NetBSD.org, netbsd-users@NetBSD.org
> Subject: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
>
> In the recent days, a cracker always attack my host.
> The cracker's IP is from Japan, Croatia and some coutries.
> But I guess it is the same cracker and remote-conrolled those hosts.
> Because he always did the same works: