RE: ssh security question

Hi

They were doing a simple dictionary attack using common usernames and it
is likely they have a brute force password tool as well.

> How much of a security issue is this? If they did guess a password -
> would they have full shell access? If so - how is this any better than
> (say) telnet?
SSH is encrypted, so all traffic is encrypted... ALL traffic is
encrypted; under telnet NO TRAFFIC is encrypted.  So a simple packet
sniffer can catch your passwords, and it would make it trivial to log in
to your system.  This also depends on the accounts they discovered: if
the account they found has no shell associated with it, or is "nologon",
then they can't do any damage... However, if they do have shell access,
they would have whatever that user's access is.

> Are there any settings I can and should do to restrict access further?
> I have blocked port 22 in the firewall for the time being. Can I set up
> a shared private key or similar?

Your best bet is to ensure your passwords are not easy to crack. I use
passwords that are a mixture of uppercase, lowercase, spaces and
special characters - this makes it very difficult to brute force.
The other thing you should do is ensure root cannot log in remotely, and
to ensure that sudo access is limited to your most secure user.

You can set up a shared private key; there are instructions here if you
need them:
http://gentoo-wiki.com/SECURITY_SSH_without_a_password
 
Regards,
Evan Stawnyczy
Information Security Specialist (UNIX) | CIBC Enterprise Information Security
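As an added example (not part of Evan's reply or of the thread), a small Python check that reads an sshd_config and reports whether the settings behind this advice, PermitRootLogin, PasswordAuthentication, ChallengeResponseAuthentication and PubkeyAuthentication, are explicitly set the way the reply recommends. The keyword names are real OpenSSH options; the two sample configs inside it are constructed.

```python
"""Audit an sshd_config for the hardening the reply recommends (added example, not
from the thread). Two sshd parsing rules apply: the first occurrence of a keyword
wins, and the global section ends at the first Match block. Sample configs are
constructed; an unset keyword is flagged because its value is then whatever the
installed OpenSSH's compiled-in default happens to be."""
WANTED = {  # keyword (lower-cased) -> acceptable values
    "permitrootlogin": {"no"},          # "ensure root cannot login remotely"
    "passwordauthentication": {"no"},   # keys only, so a guessed password is useless
    "challengeresponseauthentication": {"no"},  # or PAM may still prompt for one
    "pubkeyauthentication": {"yes"},
}

def global_settings(text):
    """Effective global settings: sshd keeps the first value it sees per keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), (parts[1].strip().lower() if len(parts) > 1 else "")
        if key == "match":
            break                     # Match blocks are conditional, not global
        settings.setdefault(key, value)
    return settings

def audit(text):
    """List of findings; empty means every wanted setting is explicitly in place."""
    settings, findings = global_settings(text), []
    for key, good in WANTED.items():
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: not set, relies on compiled-in default")
        elif value not in good:
            findings.append(f"{key}: is '{value}', expected {'/'.join(sorted(good))}")
    return findings

# Constructed: roughly what a stock config of that era looked like.
STOCK = """\
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
Match User backup
    PermitRootLogin no
"""
# Constructed: the same host after applying the reply's advice.
HARDENED = "PermitRootLogin no\nPasswordAuthentication no\nChallengeResponseAuthentication no\nPubkeyAuthentication yes\n"
```

Running `audit(STOCK)` reports the root login, the password login and the unset challenge-response keyword; `audit(HARDENED)` returns an empty list.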

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Richard Chapman
Sent: Friday, May 02, 2008 9:55 AM
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: ssh security question

Hi
I don't know much about ssh - but I use it to connect to my centos server
with nx. Normally - I only do this on our local network and have port 22
disabled in the internet firewall.
Recently - I was away from the office - and enabled port 22 on the
firewall - so I could access the centos server remotely. I thought ssh
had pretty good security - and nx uses a key to allow access.

However - after only a day with port 22 enabled - I had some sort of
attack reported by the firewall - and I had the following in my
logwatch...

--------------------- pam_unix Begin ------------------------ 

 smtp:
    Unknown Entries:
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
: 155 Time(s)
       check pass; user unknown: 155 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=richard: 1 Time(s)
       bad username [!]: 1 Time(s)
       bad username [*]: 1 Time(s)
 
 sshd:
    Authentication Failures:
       unknown (60.12.1.158): 1581 Time(s)
       root (60.12.1.158): 82 Time(s)
       sshd (60.12.1.158): 4 Time(s)
       mysql (60.12.1.158): 3 Time(s)
       richard (60.12.1.158): 3 Time(s)
       gopher (60.12.1.158): 2 Time(s)
       halt (60.12.1.158): 2 Time(s)
       mail (60.12.1.158): 2 Time(s)
       mailnull (60.12.1.158): 2 Time(s)
       max (60.12.1.158): 2 Time(s)
       nfsnobody (60.12.1.158): 2 Time(s)
       nobody (60.12.1.158): 2 Time(s)
       postgres (60.12.1.158): 2 Time(s)
       squid (60.12.1.158): 2 Time(s)
       adm (60.12.1.158): 1 Time(s)
       ais (60.12.1.158): 1 Time(s)
       apache (60.12.1.158): 1 Time(s)
       bin (60.12.1.158): 1 Time(s)
       daemon (60.12.1.158): 1 Time(s)
       ftp (60.12.1.158): 1 Time(s)
       games (60.12.1.158): 1 Time(s)
       gdm (60.12.1.158): 1 Time(s)
       haldaemon (60.12.1.158): 1 Time(s)
       lp (60.12.1.158): 1 Time(s)
       named (60.12.1.158): 1 Time(s)
       news (60.12.1.158): 1 Time(s)
       nscd (60.12.1.158): 1 Time(s)
       ntp (60.12.1.158): 1 Time(s)
       nut (60.12.1.158): 1 Time(s)
       operator (60.12.1.158): 1 Time(s)
       pcap (60.12.1.158): 1 Time(s)
       piranha (60.12.1.158): 1 Time(s)
       postfix (60.12.1.158): 1 Time(s)
       rpc (60.12.1.158): 1 Time(s)
       rpcuser (60.12.1.158): 1 Time(s)
       rpm (60.12.1.158): 1 Time(s)
       shutdown (60.12.1.158): 1 Time(s)
       smmsp (60.12.1.158): 1 Time(s)
       sync (60.12.1.158): 1 Time(s)
       tim (60.12.1.158): 1 Time(s)
       uucp (60.12.1.158): 1 Time(s)
       webalizer (60.12.1.158): 1 Time(s)
    Invalid Users:
       Unknown Account: 1581 Time(s)
 

Can anyone tell me what is going on here? It looks like someone is
trying to find usernames by just testing a list. They appear to have
found 3 of our usernames - but hopefully not the passwords.


How much of a security issue is this? If they did guess a password -
would they have full shell access? If so - how is this any better than
(say) telnet?

Are there any settings I can and should do to restrict access further? I
have blocked port 22 in the firewall for the time being. Can I set up a
shared private key or similar?

Many thanks

Richard
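As an added example (not part of Richard's post), a Python script that rebuilds the per-host summary logwatch produced above from raw sshd log lines and flags a source that walks through a list of usernames. The log lines are constructed in the syslog format CentOS wrote to /var/log/secure at the time, reusing the source address from the report; the hostnames, PIDs and ports are made up.

```python
"""Summarise sshd failures the way the logwatch report above does, per source
host, and flag hosts that sweep through a list of usernames. Added example, not
from the thread. Log lines are constructed; accounts that exist on the box are
kept apart from invalid names because those are the "they found 3 of our
usernames" signal in the post."""
import re
from collections import defaultdict

# OpenSSH marks attempts against non-existent accounts with "invalid user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port \d+")

def summarise(lines):
    """Per source host: failure count, existing accounts hit, invalid names tried."""
    hosts = defaultdict(lambda: {"failures": 0, "existing": set(), "invalid": set()})
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue                 # accepted logins and other sshd messages
        invalid, user, rhost = m.groups()
        hosts[rhost]["failures"] += 1
        hosts[rhost]["invalid" if invalid else "existing"].add(user)
    return dict(hosts)

def dictionary_sweeps(hosts, min_names=5):
    """Hosts that tried at least min_names distinct usernames (the pattern in the report)."""
    return sorted(h for h, s in hosts.items()
                  if len(s["existing"]) + len(s["invalid"]) >= min_names)

# Constructed sample: one remote sweep plus a local typo and a good key login.
SAMPLE_LOG = """\
May  2 03:14:07 centos sshd[2201]: Invalid user gopher from 60.12.1.158
May  2 03:14:07 centos sshd[2201]: Failed password for invalid user gopher from 60.12.1.158 port 40122 ssh2
May  2 03:14:09 centos sshd[2201]: Failed password for invalid user gopher from 60.12.1.158 port 40122 ssh2
May  2 03:14:12 centos sshd[2205]: Failed password for invalid user max from 60.12.1.158 port 40130 ssh2
May  2 03:14:15 centos sshd[2208]: Failed password for root from 60.12.1.158 port 40131 ssh2
May  2 03:14:16 centos sshd[2208]: Failed password for root from 60.12.1.158 port 40131 ssh2
May  2 03:14:20 centos sshd[2212]: Failed password for mysql from 60.12.1.158 port 40141 ssh2
May  2 03:14:24 centos sshd[2215]: Failed password for richard from 60.12.1.158 port 40150 ssh2
May  2 09:00:01 centos sshd[2310]: Failed password for richard from 192.168.1.20 port 50001 ssh2
May  2 09:00:05 centos sshd[2310]: Accepted publickey for richard from 192.168.1.20 port 50001 ssh2
""".splitlines()

if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for host in dictionary_sweeps(report):
        s = report[host]
        print(f"{host}: {s['failures']} failures, existing accounts hit: "
              f"{sorted(s['existing'])}, invalid names: {sorted(s['invalid'])}")
```

The single local failure from 192.168.1.20 is counted but not flagged, which is the distinction between a mistyped password and the sweep in the report.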
