Hello again, Richard,

Oops. I forgot to mention that you'll also want to disable password
authentication:

# ------------ snip -------------
PasswordAuthentication no
PermitEmptyPasswords no
# ------------ snip -------------

Antonio

On Friday 02 May 2008, Richard Chapman wrote:
> Hi
> I don't know much about ssh - but I use it to connect to my centos server
> with nx. Normally - I only do this on our local network and have port 22
> disabled in the internet firewall.
> Recently - I was away from the office - and enabled port 22 on the
> firewall - so I could access the centos server remotely. I thought ssh
> had pretty good security - and nx uses a key to allow access.
>
> However - after only a day with port 22 enabled - I had some sort of
> attack reported by the firewall - and I had the following in my logwatch...
>
> --------------------- pam_unix Begin ------------------------
>
> smtp:
>    Unknown Entries:
>       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= :
>       155 Time(s) check pass; user unknown: 155 Time(s)
>       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
>       user=richard: 1 Time(s) bad username [!]: 1 Time(s)
>       bad username [*]: 1 Time(s)
>
> sshd:
>    Authentication Failures:
>       unknown (60.12.1.158): 1581 Time(s)
>       root (60.12.1.158): 82 Time(s)
>       sshd (60.12.1.158): 4 Time(s)
>       mysql (60.12.1.158): 3 Time(s)
>       richard (60.12.1.158): 3 Time(s)
>       gopher (60.12.1.158): 2 Time(s)
>       halt (60.12.1.158): 2 Time(s)
>       mail (60.12.1.158): 2 Time(s)
>       mailnull (60.12.1.158): 2 Time(s)
>       max (60.12.1.158): 2 Time(s)
>       nfsnobody (60.12.1.158): 2 Time(s)
>       nobody (60.12.1.158): 2 Time(s)
>       postgres (60.12.1.158): 2 Time(s)
>       squid (60.12.1.158): 2 Time(s)
>       adm (60.12.1.158): 1 Time(s)
>       ais (60.12.1.158): 1 Time(s)
>       apache (60.12.1.158): 1 Time(s)
>       bin (60.12.1.158): 1 Time(s)
>       daemon (60.12.1.158): 1 Time(s)
>       ftp (60.12.1.158): 1 Time(s)
>       games (60.12.1.158): 1 Time(s)
>       gdm (60.12.1.158): 1 Time(s)
>       haldaemon (60.12.1.158): 1 Time(s)
>       lp (60.12.1.158): 1 Time(s)
>       named (60.12.1.158): 1 Time(s)
>       news (60.12.1.158): 1 Time(s)
>       nscd (60.12.1.158): 1 Time(s)
>       ntp (60.12.1.158): 1 Time(s)
>       nut (60.12.1.158): 1 Time(s)
>       operator (60.12.1.158): 1 Time(s)
>       pcap (60.12.1.158): 1 Time(s)
>       piranha (60.12.1.158): 1 Time(s)
>       postfix (60.12.1.158): 1 Time(s)
>       rpc (60.12.1.158): 1 Time(s)
>       rpcuser (60.12.1.158): 1 Time(s)
>       rpm (60.12.1.158): 1 Time(s)
>       shutdown (60.12.1.158): 1 Time(s)
>       smmsp (60.12.1.158): 1 Time(s)
>       sync (60.12.1.158): 1 Time(s)
>       tim (60.12.1.158): 1 Time(s)
>       uucp (60.12.1.158): 1 Time(s)
>       webalizer (60.12.1.158): 1 Time(s)
>    Invalid Users:
>       Unknown Account: 1581 Time(s)
>
>
> Can anyone tell me what is going on here. It looks like someone is
> trying to find usernames by just testing a list. They appear to have
> found 3 of our usernames - but hopefully not the passwords.
>
>
> How much of a security issue is this? If they did guess a password -
> would they have full shell access? If so - how is this any better than
> (say) telnet?
>
> Are there any settings I can and should do to restrict access further? I
> have blocked port 22 in the firewall for the time being. Can I set up a
> shared private key or similar?
>
> Many thanks
>
> Richard
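
An added example, not part of the original thread: a small Python check that an sshd_config text really ends up with the two settings from the reply above in effect. It relies on documented sshd behaviour (the first value read for a keyword wins, a commented-out line sets nothing, the built-in default for PasswordAuthentication is yes); the function names and the sample files are constructed for illustration.

```python
import re

# Settings recommended in the reply above; any other effective value is a finding.
REQUIRED = {"passwordauthentication": "no", "permitemptypasswords": "no"}
# OpenSSH built-in defaults, used when a keyword is absent or commented out.
DEFAULTS = {"passwordauthentication": "yes", "permitemptypasswords": "no"}
# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")


def effective_global(config_text):
    """Return (settings, has_match) for the part of the file before any Match block."""
    settings, has_match = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment: "#PasswordAuthentication no" sets nothing
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            has_match = True  # everything after this is a conditional override
            break
        settings.setdefault(key, value)  # sshd keeps the first value it reads
    return settings, has_match


def audit(config_text):
    """Return a list of findings; an empty list means the check passed."""
    settings, has_match = effective_global(config_text)
    findings = []
    for key, wanted in REQUIRED.items():
        actual = settings.get(key, DEFAULTS[key])
        if actual != wanted:
            findings.append(f"{key} is effectively '{actual}', expected '{wanted}'")
    if has_match:
        findings.append("Match block present: review it for PasswordAuthentication overrides")
    return findings


# Constructed sample files (not taken from any real server).
COMMENTED_OUT = "#PasswordAuthentication no\nPermitEmptyPasswords no\n"
FIRST_WINS = "PasswordAuthentication no\nPermitEmptyPasswords no\nPasswordAuthentication yes\n"
WITH_MATCH = "PasswordAuthentication=no\nMatch Address 192.168.0.0/16\n  PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, text in [("commented out", COMMENTED_OUT), ("first wins", FIRST_WINS),
                       ("with match", WITH_MATCH)]:
        print(name, "->", audit(text) or "OK")
```

On a live server, `sshd -T` prints the configuration the daemon actually resolves, which is the authoritative version of this check.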