Re: ssh security question

[Tim Shubitz <tshubitz@xxxxxxx>]

Richard,
   Someone is attempting to use a dictionary or brute-force attack  
against your SSH server.

I use DenyHosts to thwart such nefarious activity.

You can check it out here: http://denyhosts.sourceforge.net/

It's relatively simple to setup and I believe that there's a CentOS  
package for it (yum search denyhosts).

Have a great day.

- tim


On May 2, 2008, at 8:55 AM, Richard Chapman wrote:

> Hi
> I don't now much about ssh - but I use it to connect to my centos  
> server with nx. Normally - I only do this on our local network and  
> have port 22 disabled in the internet firewall.
> Recently - I was away from the office - and enabled port 22 on the  
> firewall - so I could access the centos server remotely. I thought  
> ssh had pretty good security - and nx uses a key to allow access.
>
> However - after only a day with port 22 enabled - I had some sort of  
> attack reported by the firewall - and I had the following in my  
> logwatch...
>
> --------------------- pam_unix Begin ------------------------
> smtp:
>   Unknown Entries:
>      authentication failure; logname= uid=0 euid=0 tty= ruser=  
> rhost= : 155 Time(s)
>      check pass; user unknown: 155 Time(s)
>      authentication failure; logname= uid=0 euid=0 tty= ruser=  
> rhost=  user=richard: 1 Time(s)
>      bad username [!]: 1 Time(s)
>      bad username [*]: 1 Time(s)
> sshd:
>   Authentication Failures:
>      unknown (60.12.1.158): 1581 Time(s)
>      root (60.12.1.158): 82 Time(s)
>      sshd (60.12.1.158): 4 Time(s)
>      mysql (60.12.1.158): 3 Time(s)
>      richard (60.12.1.158): 3 Time(s)
>      gopher (60.12.1.158): 2 Time(s)
>      halt (60.12.1.158): 2 Time(s)
>      mail (60.12.1.158): 2 Time(s)
>      mailnull (60.12.1.158): 2 Time(s)
>      max (60.12.1.158): 2 Time(s)
>      nfsnobody (60.12.1.158): 2 Time(s)
>      nobody (60.12.1.158): 2 Time(s)
>      postgres (60.12.1.158): 2 Time(s)
>      squid (60.12.1.158): 2 Time(s)
>      adm (60.12.1.158): 1 Time(s)
>      ais (60.12.1.158): 1 Time(s)
>      apache (60.12.1.158): 1 Time(s)
>      bin (60.12.1.158): 1 Time(s)
>      daemon (60.12.1.158): 1 Time(s)
>      ftp (60.12.1.158): 1 Time(s)
>      games (60.12.1.158): 1 Time(s)
>      gdm (60.12.1.158): 1 Time(s)
>      haldaemon (60.12.1.158): 1 Time(s)
>      lp (60.12.1.158): 1 Time(s)
>      named (60.12.1.158): 1 Time(s)
>      news (60.12.1.158): 1 Time(s)
>      nscd (60.12.1.158): 1 Time(s)
>      ntp (60.12.1.158): 1 Time(s)
>      nut (60.12.1.158): 1 Time(s)
>      operator (60.12.1.158): 1 Time(s)
>      pcap (60.12.1.158): 1 Time(s)
>      piranha (60.12.1.158): 1 Time(s)
>      postfix (60.12.1.158): 1 Time(s)
>      rpc (60.12.1.158): 1 Time(s)
>      rpcuser (60.12.1.158): 1 Time(s)
>      rpm (60.12.1.158): 1 Time(s)
>      shutdown (60.12.1.158): 1 Time(s)
>      smmsp (60.12.1.158): 1 Time(s)
>      sync (60.12.1.158): 1 Time(s)
>      tim (60.12.1.158): 1 Time(s)
>      uucp (60.12.1.158): 1 Time(s)
>      webalizer (60.12.1.158): 1 Time(s)
>   Invalid Users:
>      Unknown Account: 1581 Time(s)
>
> Can anyone tell me what is going on here. It looks like someone is  
> trying to find usernames by just testing a list. They appear to have  
> found 3 of our usernames - but hopefully not the passwords.
>
>
> How much of a security issue is this? If they did guess a password -  
> would they have full shell access? If so - how is this any better  
> than (say) telnet?
>
> Are there any settings I can and should do to restrict access  
> further? I have blocked port 22 in the firewall for the time being.  
> Can I set up a shared private key or similar?
>
> Many thanks
>
> Richard

Attachment: smime.p7s
Description: S/MIME cryptographic signature