[KLUG Members] Database userid crack attempts?

Adam Williams members@kalamazoolinux.org
Fri, 29 Aug 2003 10:30:18 -0400


> I've been getting a bunch of ssh login attempts on various computers on
> my network from someone trying the user names "mysql" and "postgres".

Not on RedHat.  That Postgresql TGZ doesn't either - it creates a user
but with "!!" in the password field (last time I looked).

> Do either of those two packages come (or used to come) with a default
> user/password combination?  Or is this just a real stupid cracker?

Maybe a really long time ago.  Or he could just be looking for really
stupid admins.

> Aug 28 13:15:51 klug sshd[25484]: Did not receive identification string from 210.55.105.189
> Aug 28 13:16:12 klug sshd[25489]: input_userauth_request: illegal user mysql
> Aug 28 13:16:12 klug sshd[25489]: Failed none for illegal user mysql from 210.55.105.189 port 2095 ssh2
> Aug 28 13:16:12 klug sshd[25489]: Failed keyboard-interactive for illegal user mysql from 210.55.105.189 port 2095 ssh2
> Aug 28 13:16:13 klug sshd[25489]: Failed password for illegal user mysql from 210.55.105.189 port 2095 ssh2
> Aug 28 13:16:13 klug sshd[25489]: Connection closed by 210.55.105.189
> Aug 28 13:16:15 klug sshd[25490]: Failed password for postgres from 210.55.105.189 port 2156 ssh2
> Aug 28 13:16:15 klug sshd[25490]: Connection closed by 210.55.105.189

I use pam_listfile to just make logging in as a user not in a specific
group impossible, regardless of whether you can guess the
username/password.  Just an extra layer of sleep-good-at-night.

#%PAM-1.0
auth       required     /lib/security/pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/login_limit_list.conf
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
.....

[root@littleboy pam.d]# cat /etc/security/login_limit_list.conf
cis
root
sys
adm
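
Added example, not part of the original message: a short Python check that pulls the user names out of the failed sshd logins quoted above and tests each against the group allow list. The passwd/group data and the account "awilliam" are constructed, and the gate is modelled as "primary or supplementary member of a listed group", which is an assumption about how pam_listfile evaluates item=group.

```python
import re
from collections import Counter

# Failed-auth lines copied from the log quoted in the message above.
LOG = """\
Aug 28 13:16:12 klug sshd[25489]: Failed none for illegal user mysql from 210.55.105.189 port 2095 ssh2
Aug 28 13:16:13 klug sshd[25489]: Failed password for illegal user mysql from 210.55.105.189 port 2095 ssh2
Aug 28 13:16:15 klug sshd[25490]: Failed password for postgres from 210.55.105.189 port 2156 ssh2
"""
# Constructed passwd(5)/group(5) data; the accounts and ids are assumptions.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
awilliam:x:500:500::/home/awilliam:/bin/bash
"""
GROUP = """\
root:x:0:
postgres:x:26:
awilliam:x:500:
cis:x:600:awilliam
"""
ALLOW = "cis\nroot\nsys\nadm\n"  # login_limit_list.conf as shown in the message

FAILED = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (illegal user )?(\S+) from (\S+) port \d+")

def failed_logins(log):
    """Count failed auths per (user, source, account_exists)."""
    hits = Counter()
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            hits[(m.group(2), m.group(3), m.group(1) is None)] += 1
    return hits

def groups_of(user, passwd=PASSWD, group=GROUP):
    """Names of the user's primary and supplementary groups (empty if unknown)."""
    gid = {f[0]: f[3] for f in (l.split(":") for l in passwd.splitlines())}
    rows = (l.split(":") for l in group.splitlines())
    return {n for n, _, g, mem in rows
            if user in gid and (g == gid[user] or user in mem.split(","))}

def passes_group_gate(user, allow=ALLOW):
    """Model of pam_listfile item=group sense=allow for one user."""
    return bool(groups_of(user) & set(allow.split()))

def audit(log=LOG):
    """Map each user name seen in failed logins to whether the gate admits it."""
    return {user: passes_group_gate(user) for user, _, _ in failed_logins(log)}
```

With the constructed data, postgres exists as an account but is in no listed group, so it stops at the first auth line just as the nonexistent mysql does.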