[KLUG Members] Database userid crack attempts?
Adam Williams
members@kalamazoolinux.org
Fri, 29 Aug 2003 10:30:18 -0400
> I've been getting a bunch of ssh login attempts on various computers on
> my network from someone trying the user names "mysql" and "postgres".
Not on RedHat. That PostgreSQL TGZ doesn't either - it creates said user
but with "!!" in the password field (last time I looked).
> Do either of those two packages come (or used to come) with a default
> user/password combination? Or is this just a real stupid cracker?
Maybe a really long time ago. Or he could just be looking for really
stupid admins.
> Aug 28 13:15:51 klug sshd[25484]: Did not receive identification string from 210.55.105.189
> Aug 28 13:16:12 klug sshd[25489]: input_userauth_request: illegal user mysql
> Aug 28 13:16:12 klug sshd[25489]: Failed none for illegal user mysql from 210.55.105.189 port 2095 ssh2
> Aug 28 13:16:12 klug sshd[25489]: Failed keyboard-interactive for illegal user mysql from 210.55.105.189 port 2095 ssh2
> Aug 28 13:16:13 klug sshd[25489]: Failed password for illegal user mysql from 210.55.105.189 port 2095 ssh2
> Aug 28 13:16:13 klug sshd[25489]: Connection closed by 210.55.105.189
> Aug 28 13:16:15 klug sshd[25490]: Failed password for postgres from 210.55.105.189 port 2156 ssh2
> Aug 28 13:16:15 klug sshd[25490]: Connection closed by 210.55.105.189
I use pam list file to just make logging in as a user not in a specific
group impossible, regardless of if you can guess the
username/password. Just an extra layer of sleep-good-at-night.
#%PAM-1.0
auth required /lib/security/pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/login_limit_list.conf
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
.....
[root@littleboy pam.d]# cat /etc/security/login_limit_list.conf
cis
root
sys
adm
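
Added example, not part of the original message: a small Python summarizer for sshd failure lines like the ones quoted above, grouping attempts by source address and separating usernames sshd tagged as "illegal user" (no such account) from ones that exist locally. The function names and report layout are assumptions made for this illustration; the sample lines are copied from the quoted log.

```python
import re
from collections import defaultdict

# Log lines copied from the quoted message above.
SAMPLE_LOG = """\
Aug 28 13:15:51 klug sshd[25484]: Did not receive identification string from 210.55.105.189
Aug 28 13:16:12 klug sshd[25489]: input_userauth_request: illegal user mysql
Aug 28 13:16:12 klug sshd[25489]: Failed none for illegal user mysql from 210.55.105.189 port 2095 ssh2
Aug 28 13:16:12 klug sshd[25489]: Failed keyboard-interactive for illegal user mysql from 210.55.105.189 port 2095 ssh2
Aug 28 13:16:13 klug sshd[25489]: Failed password for illegal user mysql from 210.55.105.189 port 2095 ssh2
Aug 28 13:16:13 klug sshd[25489]: Connection closed by 210.55.105.189
Aug 28 13:16:15 klug sshd[25490]: Failed password for postgres from 210.55.105.189 port 2156 ssh2
Aug 28 13:16:15 klug sshd[25490]: Connection closed by 210.55.105.189
"""

# "illegal user" is the wording in this log; newer OpenSSH writes "invalid user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for "
    r"(?P<illegal>(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def summarize(log_text):
    """Return {source_ip: {username: {"exists": bool, "methods": [...]}}}."""
    report = defaultdict(dict)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # banners, disconnects and other non-auth lines
        entry = report[m["ip"]].setdefault(
            m["user"], {"exists": m["illegal"] is None, "methods": []}
        )
        entry["methods"].append(m["method"])
    return dict(report)

def existing_accounts_probed(report):
    """Usernames sshd did not tag as illegal, i.e. accounts present on the host."""
    return sorted(
        {u for users in report.values() for u, e in users.items() if e["exists"]}
    )

if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for ip, users in rep.items():
        for user, info in users.items():
            kind = "existing account" if info["exists"] else "no such account"
            print(f"{ip}: {user} ({kind}) via {', '.join(info['methods'])}")
    print("review login restrictions for:", existing_accounts_probed(rep))
```

On the quoted log this reports postgres as an existing account on klug, which is the kind of account a group allow-list like the one above keeps from logging in.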