Re: network perf : em driver ?
user name
2007-01-12 06:53:55
On 1/12/07, Water NB <netbsd78126.com> wrote:
> In recent days, a cracker has been attacking my host.
> The cracker's IPs are from Japan, Croatia and some other countries.
> But I guess it is the same cracker, and he remote-controlled those hosts.
> Because he always does the same things:
> 1) try to ssh accounts one by one: root, postfix, ... cyrus.
> 2) at last, log in successfully via account cyrus.
> 3) install a program psyBNC 2.3.1 under /tmp and run it.

I was hit once on an old Solaris 2.6 x86 box, which I had meant to replace
for more than a year and didn't bother to secure properly...
Luckily I noticed this within a few days and was able to quickly find
some new hardware and move that server's functions to another system (in
this case FreeBSD 6.0).

> 4) sometimes he changes the password of cyrus.

If you ask me, once he has been there, the box is compromised. You have
to search for rootkits etc. I wouldn't bother, if I were you; I would
start from scratch.

>
> Question 1) Is it a bug of sshd?

Not likely - but see below.

> Yesterday, I changed the password of cyrus to 16 characters which contain
> digits, symbols and capital/lowercase letters, so I think it is more
> secure.
> But this morning I found the cracker had still logged into the system
> after only two tries.

Key logger? I don't know if such a thing exists for NetBSD, but I
wouldn't be surprised.

> It is impossible to get the correct password in only 2 tries.
> So I guess that he used a bug of sshd.
> What bug? I don't know.
>
> Question 2) Why does /etc/passwd:cyrus have Shell: /bin/sh?
> I think /sbin/nologin is enough.
> In fact, when I changed it to /sbin/nologin, the cracker stopped
> cracking, because he has to log out as soon as he logs in.

I don't know, I run courier.

>
> Question 3) How to setup a secret system?

Well, that's the $64,000 one...

> I am so worried about the fixed-IP host in a public network.
>

> Question 4) How to log what passwords the cracker used in an ssh session?
> Or do I need to modify the sshd source?
>
> Question 5) empty password means needn't password?
> Or means any passwords are invalid?
>
> My system:
> # uname -a
> NetBSD serv01 3.1_STABLE NetBSD 3.1_STABLE (386nb3) #3: Sat Dec 30 11:50:47 CST 2006  waterserv01:/usr/world/386o3/sys/arch/i386/compile/386nb3 i386
>
> # ssh -v
> OpenSSH_3.9 NetBSD_Secure_Shell-20061016, OpenSSL 0.9.7d 17 Mar 2004
>
> Running: apache2, postfix-2.3.5 (from pkgsrc), dovecot, mysqld, sshd, named
> Installed: cyrus-sasl-2.1.22, php5.2.0
>
> Authlog:
>
> ..
> Jan 12 00:07:04 mail sshd[19307]: Accepted password for cyrus from AAA.BBB.CCC.DDD port 57622 ssh2
> (!!!!!)
>

Configure sshd with something like:

...
# Authentication:

LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# For this to work you will also need host keys in
/etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable PAM authentication
ChallengeResponseAuthentication no
...

and set up passwordless ssh logins from the hosts you are likely to use
to log in to that server; google for passwordless ssh login (i.e.
http://www.securitydocs.com/library/3385 )

Chavdar
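Two checks a defender would want after reading this exchange, as an added example that is not from the thread, NetBSD or OpenSSH: audit an sshd_config for the directives recommended in the reply (honouring sshd's rule that the first occurrence of a keyword wins, so a later "no" cannot undo an earlier "yes"), and list every "Accepted password" line in an authlog like the one quoted. The config text and log lines are constructed samples with documentation addresses.

```python
import re

# Directives the reply above recommends.  sshd honours the FIRST occurrence of
# a keyword, so a later "PasswordAuthentication no" cannot undo an earlier "yes".
WANTED = {"passwordauthentication": "no", "permitemptypasswords": "no",
          "permitrootlogin": "no", "pubkeyauthentication": "yes",
          "challengeresponseauthentication": "no"}

# Matches the authlog line quoted in the thread: user, then source address.
ACCEPTED_PW = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port \d+")

def effective_settings(config_text):
    """Return {keyword: value} for an sshd_config; the first occurrence wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()                 # drop comments and blanks
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key val" or "Key=val"
        if len(parts) == 2:                                 # keywords are case-insensitive
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return seen

def audit_sshd_config(config_text):
    """Return {keyword: (effective, wanted)} for each directive not as wanted;
    an absent directive is reported as None so the default is checked, not assumed."""
    have = effective_settings(config_text)
    return {k: (have.get(k), v) for k, v in WANTED.items() if have.get(k) != v}

def password_logins(log_lines):
    """Return (user, source) for every password-based login in authlog lines."""
    return [m.groups() for m in map(ACCEPTED_PW.search, log_lines) if m]

# Constructed samples (not from the thread): the config mirrors the reply's
# snippet except that an earlier "yes" shadows the "no"; the log mimics the quoted authlog.
SAMPLE_CONFIG = """\
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
"""
SAMPLE_LOG = [
    "Jan 12 00:06:58 mail sshd[19301]: Failed password for invalid user postfix from 192.0.2.10 port 57610 ssh2",
    "Jan 12 00:07:04 mail sshd[19307]: Accepted password for cyrus from 192.0.2.10 port 57622 ssh2",
    "Jan 12 00:09:11 mail sshd[19320]: Accepted publickey for admin from 198.51.100.7 port 50100 ssh2",
]
if __name__ == "__main__":
    for key, (got, want) in audit_sshd_config(SAMPLE_CONFIG).items():
        print(f"{key}: effective={got!r}, wanted={want!r}")
    for user, src in password_logins(SAMPLE_LOG):
        print(f"password login for {user} from {src}")
```

On a live host, feed it the output of `sshd -T` (OpenSSH's effective-config dump, on versions that have it) rather than the raw file so include and Match handling are sshd's own.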
