Hi

They were doing a simple dictionary attack using common usernames and it is likely they have a brute force password tool as well.

> How much of a security issue is this? If they did guess a password - would they have
> full shell access? If so - how is this any better than
> (say) telnet?

SSH is encrypted, so all traffic is encrypted... ALL traffic is encrypted, under telnet NO TRAFFIC is encrypted. So a simple packet sniffer can catch your passwords, and it would make it trivial to log in to your system.

This also depends on the accounts they discovered, if the account they found has no shell associated with it, or is "nologin" then they can't do any damage... However if they do have shell access, they would have whatever that user's access is.

> Are there any settings I can and should do to restrict access further? I have blocked
> port 22 in the firewall for the time being. Can I set up a shared private key or
> similar?

Your best bet is to ensure your passwords are not easy to crack, I use passwords that are a mixture of upper case, lowercase, spaces and special characters - this makes it very difficult to brute force. The other thing you should do is ensure root cannot login remotely, and to ensure that sudo access is limited to your most secure user.

You can set up a shared private key, there is instruction here if you need it:
http://gentoo-wiki.com/SECURITY_SSH_without_a_password

Regards,

Evan Stawnyczy
Information Security Specialist (UNIX) | CIBC Enterprise Information Security

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Richard Chapman
Sent: Friday, May 02, 2008 9:55 AM
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: ssh security question

Hi

I don't know much about ssh - but I use it to connect to my centos server with nx. Normally - I only do this on our local network and have port 22 disabled in the internet firewall.

Recently - I was away from the office - and enabled port 22 on the firewall - so I could access the centos server remotely. I thought ssh had pretty good security - and nx uses a key to allow access. However - after only a day with port 22 enabled - I had some sort of attack reported by the firewall - and I had the following in my logwatch...

--------------------- pam_unix Begin ------------------------

smtp:
   Unknown Entries:
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= : 155 Time(s)
      check pass; user unknown: 155 Time(s)
      authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=richard: 1 Time(s)
      bad username [!]: 1 Time(s)
      bad username [*]: 1 Time(s)

sshd:
   Authentication Failures:
      unknown (60.12.1.158): 1581 Time(s)
      root (60.12.1.158): 82 Time(s)
      sshd (60.12.1.158): 4 Time(s)
      mysql (60.12.1.158): 3 Time(s)
      richard (60.12.1.158): 3 Time(s)
      gopher (60.12.1.158): 2 Time(s)
      halt (60.12.1.158): 2 Time(s)
      mail (60.12.1.158): 2 Time(s)
      mailnull (60.12.1.158): 2 Time(s)
      max (60.12.1.158): 2 Time(s)
      nfsnobody (60.12.1.158): 2 Time(s)
      nobody (60.12.1.158): 2 Time(s)
      postgres (60.12.1.158): 2 Time(s)
      squid (60.12.1.158): 2 Time(s)
      adm (60.12.1.158): 1 Time(s)
      ais (60.12.1.158): 1 Time(s)
      apache (60.12.1.158): 1 Time(s)
      bin (60.12.1.158): 1 Time(s)
      daemon (60.12.1.158): 1 Time(s)
      ftp (60.12.1.158): 1 Time(s)
      games (60.12.1.158): 1 Time(s)
      gdm (60.12.1.158): 1 Time(s)
      haldaemon (60.12.1.158): 1 Time(s)
      lp (60.12.1.158): 1 Time(s)
      named (60.12.1.158): 1 Time(s)
      news (60.12.1.158): 1 Time(s)
      nscd (60.12.1.158): 1 Time(s)
      ntp (60.12.1.158): 1 Time(s)
      nut (60.12.1.158): 1 Time(s)
      operator (60.12.1.158): 1 Time(s)
      pcap (60.12.1.158): 1 Time(s)
      piranha (60.12.1.158): 1 Time(s)
      postfix (60.12.1.158): 1 Time(s)
      rpc (60.12.1.158): 1 Time(s)
      rpcuser (60.12.1.158): 1 Time(s)
      rpm (60.12.1.158): 1 Time(s)
      shutdown (60.12.1.158): 1 Time(s)
      smmsp (60.12.1.158): 1 Time(s)
      sync (60.12.1.158): 1 Time(s)
      tim (60.12.1.158): 1 Time(s)
      uucp (60.12.1.158): 1 Time(s)
      webalizer (60.12.1.158): 1 Time(s)
   Invalid Users:
      Unknown Account: 1581 Time(s)

Can anyone tell me what is going on here? It looks like someone is trying to find usernames by just testing a list. They appear to have found 3 of our usernames - but hopefully not the passwords.

How much of a security issue is this? If they did guess a password - would they have full shell access? If so - how is this any better than (say) telnet?

Are there any settings I can and should do to restrict access further? I have blocked port 22 in the firewall for the time being. Can I set up a shared private key or similar?

Many thanks

Richard
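As an added example that is not part of either message in this thread: a small Python script that parses the logwatch "Authentication Failures" block quoted above, counts attempts per source host, and separates username enumeration (many distinct names, most of them non-existent) from repeated password guessing against one account. The excerpt is a constructed subset of the report above, and the thresholds and the reading of a named entry as an existing local account (the same inference the question makes) are assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt of the logwatch "sshd" section quoted in the question.
LOGWATCH_SAMPLE = """\
sshd:
   Authentication Failures:
      unknown (60.12.1.158): 1581 Time(s)
      root (60.12.1.158): 82 Time(s)
      sshd (60.12.1.158): 4 Time(s)
      mysql (60.12.1.158): 3 Time(s)
      richard (60.12.1.158): 3 Time(s)
      gopher (60.12.1.158): 2 Time(s)
   Invalid Users:
      Unknown Account: 1581 Time(s)
"""
# One logwatch failure line: "<user> (<rhost>): <n> Time(s)"
FAILURE_RE = re.compile(r"^\s*(\S+) \(([^)]+)\): (\d+) Time\(s\)$")

def parse_auth_failures(report):
    """Return {rhost: {user: count}} from the 'Authentication Failures' block."""
    per_host = defaultdict(dict)
    in_block = False
    for line in report.splitlines():
        stripped = line.strip()
        if stripped == "Authentication Failures:":
            in_block = True
            continue
        if stripped.endswith(":"):  # any other sub-heading ends the block
            in_block = False
        m = FAILURE_RE.match(line) if in_block else None
        if m:
            user, host, count = m.group(1), m.group(2), int(m.group(3))
            per_host[host][user] = per_host[host].get(user, 0) + count
    return dict(per_host)

def summarize(per_host, enum_users=5, guess_attempts=50):
    """Per source host: totals, named (assumed existing) accounts, findings."""
    out = {}
    for host, users in per_host.items():
        invalid = users.get("unknown", 0)  # logwatch lumps non-existent names here
        valid = sorted(u for u in users if u != "unknown")
        findings = []
        if len(valid) >= enum_users or invalid >= guess_attempts:
            findings.append("username enumeration")
        for u in valid:  # sustained attempts on one real account
            if users[u] >= guess_attempts:
                findings.append("password guessing against " + u)
        out[host] = {"total": sum(users.values()), "invalid_user_attempts": invalid,
                     "confirmed_accounts": valid, "findings": findings}
    return out
```

Run it over a full logwatch report and the named accounts per host are the ones the attacker now knows exist, which is where key-only login and a root login ban matter most.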