Thanks Evan and many others
I really appreciate your advice.
The article you referred me to assumes that both client and server are
unix boxes. In my case - the client is a windows client and the ssh is
embedded into the windows nx client. Is there any reason I can't run
ssh-keygen on the server and copy the private key to the client - and
the public key to the "authorised" directory? Not sure where I would
copy the ssh private key to in this case though...?
I am a bit confused about keys with nx and ssh. Nx has a private DSA
key in the nx client - which I think I generated on the server. If I
don't have this on the client - nx cannot connect. I always assumed this
was an ssh key. But when I set the "passwordauthentication no" nx can't
connect. Also - I don't have a ~/.ssh/authorized_keys file on the server
- so it looks like ssh key sharing is not set up.... As I say - I am
confused. Do you know whether nx has its own key - independent of ssh?
Regards
Richard
Stawnyczy, Evan wrote:
Hi
They were doing a simple dictionary attack using common usernames and it
is likely they have a brute force password tool as well.
How much of a security issue is this? If they did guess a password -
would they have full shell access? If so - how is this any better than
(say) telnet?
SSH is encrypted, so all traffic is encrypted... ALL traffic is
encrypted, under telnet NO TRAFFIC is encrypted. So a simple packet
sniffer can catch your passwords, and it would make it trivial to log in
to your system. This also depends on the accounts they discovered, if
the account they found has no shell associated with it, or is "nologon"
then they can't do any damage... However if they do have shell access,
they would have whatever that user's access is.
Are there any settings I can and should do to restrict access further? I
have blocked port 22 in the firewall for the time being. Can I set up a
shared private key or similar?
Your best bet is to ensure your passwords are not easy to crack, I use
passwords that are a mixture of upper case, lowercase, spaces and
special characters - this makes it very difficult to brute force.
The other thing you should do is ensure root cannot login remotely, and
to ensure that sudo access is limited to your most secure user.
You can set up a shared private key, there is instruction here if you
need it:
http://gentoo-wiki.com/SECURITY_SSH_without_a_password
Regards,
Evan Stawnyczy
Information Security Specialist (UNIX) | CIBC Enterprise Information
Security
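As an added example, not part of Evan's message or the linked wiki page: a POSIX shell audit of the sshd_config settings his advice amounts to (remote root login off, password logins off once key login works, public-key authentication on). The two config files are constructed samples, and the values assumed for unset keywords are the OpenSSH defaults of that era.

```shell
#!/bin/sh
# Added example (not from the list post). Audits the sshd_config settings
# behind Evan's advice: no remote root login, key-based login instead of
# passwords. Assumes OpenSSH 5.x-era defaults for keywords that are unset.

# Effective value of one sshd_config keyword: first match wins, keywords are
# case-insensitive, '#' starts a comment. Match blocks are not handled.
sshd_setting() {  # sshd_setting FILE KEYWORD DEFAULT
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/#.*/, "") }
        NF >= 2 && tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Report the three settings; the exit status is the number of weak ones.
audit_sshd_config() {  # audit_sshd_config FILE
    weak=0
    root=$(sshd_setting "$1" PermitRootLogin yes)         # default then: yes
    pass=$(sshd_setting "$1" PasswordAuthentication yes)  # default: yes
    pub=$(sshd_setting "$1" PubkeyAuthentication yes)     # default: yes
    [ "$root" = no ] || { echo "WEAK: PermitRootLogin $root (set it to no)"; weak=$((weak + 1)); }
    [ "$pass" = no ] || { echo "WEAK: PasswordAuthentication $pass (set to no once key login works)"; weak=$((weak + 1)); }
    [ "$pub" = yes ] || { echo "WEAK: PubkeyAuthentication $pub (needed for key login)"; weak=$((weak + 1)); }
    [ "$weak" -eq 0 ] && echo "OK: root login off, password auth off, key auth on"
    return "$weak"
}

# Constructed sample configs: a stock-looking one and a hardened one.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
Port 22
Protocol 2
#PermitRootLogin yes
EOF
cat >"$HARD_CFG" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers richard
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $cfg"
    audit_sshd_config "$cfg" || echo "-> $? weak setting(s)"
done
```

Run it against the real /etc/ssh/sshd_config only after a key login has been confirmed to work, since turning PasswordAuthentication off first locks out the only working login path.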
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Richard Chapman
Sent: Friday, May 02, 2008 9:55 AM
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: ssh security question
Hi
I don't know much about ssh - but I use it to connect to my centos server
with nx. Normally - I only do this on our local network and have port 22
disabled in the internet firewall.
Recently - I was away from the office - and enabled port 22 on the
firewall - so I could access the centos server remotely. I thought ssh
had pretty good security - and nx uses a key to allow access.
However - after only a day with port 22 enabled - I had some sort of
attack reported by the firewall - and I had the following in my
logwatch...
--------------------- pam_unix Begin ------------------------
smtp:
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
: 155 Time(s)
check pass; user unknown: 155 Time(s)
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=richard: 1 Time(s)
bad username [!]: 1 Time(s)
bad username [*]: 1 Time(s)
sshd:
Authentication Failures:
unknown (60.12.1.158): 1581 Time(s)
root (60.12.1.158): 82 Time(s)
sshd (60.12.1.158): 4 Time(s)
mysql (60.12.1.158): 3 Time(s)
richard (60.12.1.158): 3 Time(s)
gopher (60.12.1.158): 2 Time(s)
halt (60.12.1.158): 2 Time(s)
mail (60.12.1.158): 2 Time(s)
mailnull (60.12.1.158): 2 Time(s)
max (60.12.1.158): 2 Time(s)
nfsnobody (60.12.1.158): 2 Time(s)
nobody (60.12.1.158): 2 Time(s)
postgres (60.12.1.158): 2 Time(s)
squid (60.12.1.158): 2 Time(s)
adm (60.12.1.158): 1 Time(s)
ais (60.12.1.158): 1 Time(s)
apache (60.12.1.158): 1 Time(s)
bin (60.12.1.158): 1 Time(s)
daemon (60.12.1.158): 1 Time(s)
ftp (60.12.1.158): 1 Time(s)
games (60.12.1.158): 1 Time(s)
gdm (60.12.1.158): 1 Time(s)
haldaemon (60.12.1.158): 1 Time(s)
lp (60.12.1.158): 1 Time(s)
named (60.12.1.158): 1 Time(s)
news (60.12.1.158): 1 Time(s)
nscd (60.12.1.158): 1 Time(s)
ntp (60.12.1.158): 1 Time(s)
nut (60.12.1.158): 1 Time(s)
operator (60.12.1.158): 1 Time(s)
pcap (60.12.1.158): 1 Time(s)
piranha (60.12.1.158): 1 Time(s)
postfix (60.12.1.158): 1 Time(s)
rpc (60.12.1.158): 1 Time(s)
rpcuser (60.12.1.158): 1 Time(s)
rpm (60.12.1.158): 1 Time(s)
shutdown (60.12.1.158): 1 Time(s)
smmsp (60.12.1.158): 1 Time(s)
sync (60.12.1.158): 1 Time(s)
tim (60.12.1.158): 1 Time(s)
uucp (60.12.1.158): 1 Time(s)
webalizer (60.12.1.158): 1 Time(s)
Invalid Users:
Unknown Account: 1581 Time(s)
Can anyone tell me what is going on here. It looks like someone is
trying to find usernames by just testing a list. They appear to have
found 3 of our usernames - but hopefully not the passwords.
How much of a security issue is this? If they did guess a password -
would they have full shell access? If so - how is this any better than
(say) telnet?
Are there any settings I can and should do to restrict access further? I
have blocked port 22 in the firewall for the time being. Can I set up a
shared private key or similar?
Many thanks
Richard
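As an added example, not from the list thread: the POSIX shell below reads lines in the logwatch "Authentication Failures" format shown in the message above, totals failures per source address to confirm the dictionary-attack pattern, and cross-checks which of the probed existing accounts have an interactive shell (Evan's point that a guessed password on a nologin account gives no shell). The log lines are a constructed subset of the counts above plus one extra address, and the /etc/passwd excerpt is constructed.

```shell
#!/bin/sh
# Added example (not from the list post). Works on lines in the logwatch
# "Authentication Failures" format shown above. Samples below are constructed:
# a subset of the counts from the post plus one extra address, and a fake
# /etc/passwd excerpt (real shells for these accounts may differ).
LOG_FILE=$(mktemp); PASSWD_FILE=$(mktemp)
cat >"$LOG_FILE" <<'EOF'
unknown (60.12.1.158): 1581 Time(s)
root (60.12.1.158): 82 Time(s)
sshd (60.12.1.158): 4 Time(s)
mysql (60.12.1.158): 3 Time(s)
richard (60.12.1.158): 3 Time(s)
halt (60.12.1.158): 2 Time(s)
tim (60.12.1.158): 1 Time(s)
richard (192.0.2.10): 1 Time(s)
EOF
cat >"$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
halt:x:7:0:halt:/sbin:/sbin/halt
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
richard:x:500:500::/home/richard:/bin/bash
tim:x:501:501::/home/tim:/bin/bash
EOF

# Total failures per source address, busiest first: "IP COUNT".
failures_per_ip() {
    awk '{ ip = $2; gsub(/[():]/, "", ip); n[ip] += $3 }
         END { for (ip in n) print ip, n[ip] }' "$LOG_FILE" | sort -k2,2nr
}

# Addresses with at least THRESHOLD failures: candidates for a firewall block.
brute_force_sources() {  # brute_force_sources THRESHOLD
    failures_per_ip | awk -v t="$1" '$2 >= t { print $1 }'
}

# Existing accounts the address tried that have an interactive shell, i.e.
# the ones where a guessed password would hand out a shell.
shell_accounts_probed() {  # shell_accounts_probed IP
    awk -v ip="$1" '
        FNR == NR { split($0, f, ":"); shell[f[1]] = f[7]; next }
        $1 != "unknown" && $2 == ("(" ip "):") && ($1 in shell) &&
            shell[$1] !~ /(nologin|false|halt|shutdown|sync)$/ && !seen[$1]++ { print $1 }
    ' "$PASSWD_FILE" "$LOG_FILE"
}

echo "failures per source:"; failures_per_ip
for ip in $(brute_force_sources 100); do
    echo "$ip looks like a dictionary attack; shell accounts it probed:"
    shell_accounts_probed "$ip" | sed 's/^/  /'
done
```

On the real system, point LOG_FILE at the logwatch section and PASSWD_FILE at /etc/passwd; the accounts it lists are the ones whose passwords matter most and which belong in an AllowUsers line if they need remote login at all.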