This seems a brute force attack. You can use fail2ban to prevent it.

http://www.fail2ban.org/wiki/index.php/Main_Page

And strong passwords, of course.

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On behalf of Richard Chapman
Sent: Friday, 02 May 2008 15:55
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: ssh security question

Hi

I don't know much about ssh - but I use it to connect to my centos server with nx. Normally - I only do this on our local network and have port 22 disabled in the internet firewall.

Recently - I was away from the office - and enabled port 22 on the firewall - so I could access the centos server remotely. I thought ssh had pretty good security - and nx uses a key to allow access. However - after only a day with port 22 enabled - I had some sort of attack reported by the firewall - and I had the following in my logwatch...

 --------------------- pam_unix Begin ------------------------

 smtp:
    Unknown Entries:
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= : 155 Time(s)
       check pass; user unknown: 155 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=richard: 1 Time(s)
       bad username [!]: 1 Time(s)
       bad username [*]: 1 Time(s)

 sshd:
    Authentication Failures:
       unknown (60.12.1.158): 1581 Time(s)
       root (60.12.1.158): 82 Time(s)
       sshd (60.12.1.158): 4 Time(s)
       mysql (60.12.1.158): 3 Time(s)
       richard (60.12.1.158): 3 Time(s)
       gopher (60.12.1.158): 2 Time(s)
       halt (60.12.1.158): 2 Time(s)
       mail (60.12.1.158): 2 Time(s)
       mailnull (60.12.1.158): 2 Time(s)
       max (60.12.1.158): 2 Time(s)
       nfsnobody (60.12.1.158): 2 Time(s)
       nobody (60.12.1.158): 2 Time(s)
       postgres (60.12.1.158): 2 Time(s)
       squid (60.12.1.158): 2 Time(s)
       adm (60.12.1.158): 1 Time(s)
       ais (60.12.1.158): 1 Time(s)
       apache (60.12.1.158): 1 Time(s)
       bin (60.12.1.158): 1 Time(s)
       daemon (60.12.1.158): 1 Time(s)
       ftp (60.12.1.158): 1 Time(s)
       games (60.12.1.158): 1 Time(s)
       gdm (60.12.1.158): 1 Time(s)
       haldaemon (60.12.1.158): 1 Time(s)
       lp (60.12.1.158): 1 Time(s)
       named (60.12.1.158): 1 Time(s)
       news (60.12.1.158): 1 Time(s)
       nscd (60.12.1.158): 1 Time(s)
       ntp (60.12.1.158): 1 Time(s)
       nut (60.12.1.158): 1 Time(s)
       operator (60.12.1.158): 1 Time(s)
       pcap (60.12.1.158): 1 Time(s)
       piranha (60.12.1.158): 1 Time(s)
       postfix (60.12.1.158): 1 Time(s)
       rpc (60.12.1.158): 1 Time(s)
       rpcuser (60.12.1.158): 1 Time(s)
       rpm (60.12.1.158): 1 Time(s)
       shutdown (60.12.1.158): 1 Time(s)
       smmsp (60.12.1.158): 1 Time(s)
       sync (60.12.1.158): 1 Time(s)
       tim (60.12.1.158): 1 Time(s)
       uucp (60.12.1.158): 1 Time(s)
       webalizer (60.12.1.158): 1 Time(s)
    Invalid Users:
       Unknown Account: 1581 Time(s)

Can anyone tell me what is going on here? It looks like someone is trying to find usernames by just testing a list. They appear to have found 3 of our usernames - but hopefully not the passwords.

How much of a security issue is this? If they did guess a password - would they have full shell access? If so - how is this any better than (say) telnet?

Are there any settings I can and should do to restrict access further? I have blocked port 22 in the firewall for the time being. Can I set up a shared private key or similar?

Many thanks

Richard
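The logwatch summary above is an aggregate; the underlying sshd lines in the auth log say, per attempt, which user name was tried, whether sshd knew that account ("Failed password for richard") or not ("Failed password for invalid user oracle"), and which source address sent it. The following is an added example, not code from this thread or from the fail2ban project: it reads a small constructed sample of such lines, flags a source address once it has racked up a number of failures inside a time window (the same maxretry/findtime idea fail2ban automates), and separates the account names the probe confirmed from the ones sshd rejected, which is how one would answer the "they appear to have found 3 of our usernames" question from the raw log. The log lines and addresses are made up; the year is supplied by hand because syslog timestamps carry none.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd auth-log lines (syslog format as written on a
# CentOS-style host). Not real traffic; the addresses are documentation ranges.
SAMPLE_LOG = """\
May  2 14:01:03 centos sshd[2211]: Failed password for invalid user oracle from 198.51.100.7 port 40211 ssh2
May  2 14:01:05 centos sshd[2213]: Invalid user test from 198.51.100.7
May  2 14:01:05 centos sshd[2213]: Failed password for invalid user test from 198.51.100.7 port 40213 ssh2
May  2 14:01:09 centos sshd[2215]: Failed password for root from 198.51.100.7 port 40215 ssh2
May  2 14:01:12 centos sshd[2217]: Failed password for richard from 198.51.100.7 port 40217 ssh2
May  2 14:01:15 centos sshd[2219]: Failed password for invalid user admin from 198.51.100.7 port 40219 ssh2
May  2 14:03:40 centos sshd[2230]: Failed password for richard from 192.0.2.10 port 51000 ssh2
May  2 14:03:52 centos sshd[2232]: Accepted publickey for richard from 192.0.2.10 port 51002 ssh2
"""

# One 'Failed password' line; the optional 'invalid user ' prefix is what
# distinguishes a non-existent account from a real one.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2008):
    """Return a list of (timestamp, ip, user, account_exists) tuples, one per
    'Failed password' line. Syslog lines have no year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # 'Invalid user', 'Accepted publickey', etc. are not failures
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["invalid"] is None))
    return events


def find_brute_force(events, maxretry=5, window=timedelta(minutes=10)):
    """Sliding-window count per source address: an address is flagged once it
    has at least `maxretry` failures within `window` (fail2ban's maxretry and
    findtime). Returns {ip: total_failures} for the flagged addresses only."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, _user, _exists in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= maxretry:
            flagged.add(ip)
    totals = Counter(ip for _ts, ip, _u, _e in events)
    return {ip: totals[ip] for ip in flagged}


def probed_accounts(events):
    """Split the user names tried into accounts that exist on the host and
    names sshd rejected as 'invalid user'. The first set is the information a
    username-guessing run actually gains; the second is noise."""
    existing, unknown = set(), set()
    for _ts, _ip, user, exists in events:
        (existing if exists else unknown).add(user)
    return existing, unknown


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    print("flagged sources:", find_brute_force(failures))
    existing, unknown = probed_accounts(failures)
    print("existing accounts probed:", sorted(existing))
    print("names rejected as invalid:", sorted(unknown))
```

Run against the sample, the first address is flagged after its fifth failure in twelve seconds, while the single mistyped password from the second address is not, which is the behaviour you want from a ban rule: it should not lock out a legitimate user who fumbles a login once. The "existing" set is what the attacker learned; the fail2ban jail stops the guessing, and moving the real accounts to key-only logins (the "shared private key" the poster asks about; in OpenSSH that is `PasswordAuthentication no` in sshd_config) removes the password from the equation altogether, which is also what separates ssh from telnet here.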