ssh security question

Hi
I don't know much about ssh - but I use it to connect to my centos server with nx. Normally - I only do this on our local network and have port 22 disabled in the internet firewall. Recently - I was away from the office - and enabled port 22 on the firewall - so I could access the centos server remotely. I thought ssh had pretty good security - and nx uses a key to allow access.

However - after only a day with port 22 enabled - I had some sort of attack reported by the firewall - and I had the following in my logwatch...

--------------------- pam_unix Begin ------------------------
smtp:
   Unknown Entries:
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= : 155 Time(s)
      check pass; user unknown: 155 Time(s)
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=richard: 1 Time(s)
      bad username [!]: 1 Time(s)
      bad username [*]: 1 Time(s)

sshd:
   Authentication Failures:
      unknown (60.12.1.158): 1581 Time(s)
      root (60.12.1.158): 82 Time(s)
      sshd (60.12.1.158): 4 Time(s)
      mysql (60.12.1.158): 3 Time(s)
      richard (60.12.1.158): 3 Time(s)
      gopher (60.12.1.158): 2 Time(s)
      halt (60.12.1.158): 2 Time(s)
      mail (60.12.1.158): 2 Time(s)
      mailnull (60.12.1.158): 2 Time(s)
      max (60.12.1.158): 2 Time(s)
      nfsnobody (60.12.1.158): 2 Time(s)
      nobody (60.12.1.158): 2 Time(s)
      postgres (60.12.1.158): 2 Time(s)
      squid (60.12.1.158): 2 Time(s)
      adm (60.12.1.158): 1 Time(s)
      ais (60.12.1.158): 1 Time(s)
      apache (60.12.1.158): 1 Time(s)
      bin (60.12.1.158): 1 Time(s)
      daemon (60.12.1.158): 1 Time(s)
      ftp (60.12.1.158): 1 Time(s)
      games (60.12.1.158): 1 Time(s)
      gdm (60.12.1.158): 1 Time(s)
      haldaemon (60.12.1.158): 1 Time(s)
      lp (60.12.1.158): 1 Time(s)
      named (60.12.1.158): 1 Time(s)
      news (60.12.1.158): 1 Time(s)
      nscd (60.12.1.158): 1 Time(s)
      ntp (60.12.1.158): 1 Time(s)
      nut (60.12.1.158): 1 Time(s)
      operator (60.12.1.158): 1 Time(s)
      pcap (60.12.1.158): 1 Time(s)
      piranha (60.12.1.158): 1 Time(s)
      postfix (60.12.1.158): 1 Time(s)
      rpc (60.12.1.158): 1 Time(s)
      rpcuser (60.12.1.158): 1 Time(s)
      rpm (60.12.1.158): 1 Time(s)
      shutdown (60.12.1.158): 1 Time(s)
      smmsp (60.12.1.158): 1 Time(s)
      sync (60.12.1.158): 1 Time(s)
      tim (60.12.1.158): 1 Time(s)
      uucp (60.12.1.158): 1 Time(s)
      webalizer (60.12.1.158): 1 Time(s)
   Invalid Users:
      Unknown Account: 1581 Time(s)


Can anyone tell me what is going on here? It looks like someone is trying to find usernames by just testing a list. They appear to have found 3 of our usernames - but hopefully not the passwords.


How much of a security issue is this? If they did guess a password - would they have full shell access? If so - how is this any better than (say) telnet?

Are there any settings I can and should do to restrict access further? I have blocked port 22 in the firewall for the time being. Can I set up a shared private key or similar?

Many thanks

Richard
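
An added example, not part of Richard's message: a small Python parser that totals the sshd "Authentication Failures" rows of a logwatch report per source address and flags a source whose failures are spread over many account names, which is the pattern the report above shows. The sample text is constructed in the shape of that report, and the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the logwatch section quoted above.
# 60.12.1.158 is the source from the report; the 192.0.2.10 row is made up.
SAMPLE = """\
sshd:
   Authentication Failures:
      unknown (60.12.1.158): 1581 Time(s)
      root (60.12.1.158): 82 Time(s)
      mysql (60.12.1.158): 3 Time(s)
      richard (60.12.1.158): 3 Time(s)
      bin (60.12.1.158): 1 Time(s)
      richard (192.0.2.10): 2 Time(s)
   Invalid Users:
      Unknown Account: 1581 Time(s)
"""

# One row: "<name> (<source>): <count> Time(s)"
ROW = re.compile(r"^\s+(\S+) \(([^)]+)\): (\d+) Time\(s\)\s*$")

def summarize(report):
    """Total the sshd 'Authentication Failures' rows per source address."""
    out = defaultdict(lambda: {"attempts": 0, "unknown": 0, "accounts": {}})
    in_section = False
    for line in report.splitlines():
        if line.strip() == "Authentication Failures:":
            in_section = True
            continue
        m = ROW.match(line) if in_section else None
        if m is None:
            in_section = False      # any other line ends the section
            continue
        name, source, count = m.group(1), m.group(2), int(m.group(3))
        out[source]["attempts"] += count
        if name == "unknown":       # logwatch's bucket for names that are not accounts
            out[source]["unknown"] += count
        else:
            out[source]["accounts"][name] = count
    return dict(out)

def flag_guessing(summary, min_attempts=100, min_accounts=3):
    """Sources with many failures spread over several account names (assumed thresholds)."""
    return sorted(src for src, s in summary.items()
                  if s["attempts"] >= min_attempts and len(s["accounts"]) >= min_accounts)

if __name__ == "__main__":
    print(flag_guessing(summarize(SAMPLE)))
```

The single constructed row from 192.0.2.10 stays below both thresholds, so a user mistyping a password a couple of times is not flagged.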




