RE: ssh security question



Hi

They were doing a simple dictionary attack using common usernames and it
is likely they have a brute force password tool as well.

How much of a security issue is this? If they did guess a password -
would they have full shell access? If so - how is this any better than
(say) telnet?
SSH is encrypted, so all traffic is encrypted... ALL traffic is
encrypted; under telnet NO TRAFFIC is encrypted. So a simple packet
sniffer can catch your passwords, and it would make it trivial to log in
to your system. This also depends on the accounts they discovered: if
the account they found has no shell associated with it, or is "nologon",
then they can't do any damage... However, if they do have shell access,
they would have whatever that user's access is.

Are there any settings I can and should do to restrict access further?
I have blocked port 22 in the firewall for the time being. Can I set up
a shared private key or similar?

Your best bet is to ensure your passwords are not easy to crack. I use
passwords that are a mixture of upper case, lowercase, spaces and
special characters - this makes it very difficult to brute force.
The other thing you should do is ensure root cannot log in remotely, and
that sudo access is limited to your most secure user.

You can set up a shared private key; there are instructions here if you
need them:
http://gentoo-wiki.com/SECURITY_SSH_without_a_password

Regards,
Evan Stawnyczy
Information Security Specialist (UNIX) | CIBC Enterprise Information
Security
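
The reply's hardening advice (no remote root login, keys instead of
passwords) comes down to a handful of sshd_config keywords. The following
is an added example, not part of either message in this thread: a small
Python audit that reads an sshd_config fragment the way sshd does (first
occurrence of a keyword wins, commented lines leave the compiled-in default
in force) and reports which settings still allow what the log above shows.
Both config fragments are constructed samples, not Richard's real file;
the "richard" account name is taken from the thread, and the defaults
listed are those documented in sshd_config(5) for OpenSSH of that era
(newer releases changed some of them).

```python
import re

# Constructed sample of a permissive sshd_config: every line that matters
# is either left at its default or commented out, which is the same thing.
WEAK_CONFIG = """\
# constructed sample, roughly what a stock install looks like
Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
X11Forwarding yes
"""

# Constructed sample with the reply's advice applied: root cannot log in,
# only keys are accepted, and only named accounts may connect.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers richard
MaxAuthTries 3
"""

# keyword -> (value we want, sshd's default when the keyword is absent).
# ChallengeResponseAuthentication is included because with PAM enabled it
# lets a password be typed through keyboard-interactive even when
# PasswordAuthentication is "no".
EXPECTED = {
    "PermitRootLogin": ("no", "yes"),
    "PasswordAuthentication": ("no", "yes"),
    "PubkeyAuthentication": ("yes", "yes"),
    "ChallengeResponseAuthentication": ("no", "yes"),
}


def parse_sshd_config(text):
    """Return the effective keyword -> value map for an sshd_config text.

    Keywords are case-insensitive, "Key value" and "Key=value" are both
    accepted, comments are skipped, and as in sshd the first value seen
    for a keyword is the one that counts.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        if key not in settings:
            settings[key] = parts[1].strip()
    return settings


def audit_sshd_config(text):
    """List (keyword, effective value, wanted value) for each weak setting."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, (wanted, default) in EXPECTED.items():
        effective = settings.get(keyword.lower(), default)
        if effective.lower() != wanted:
            findings.append((keyword, effective, wanted))
    # Without AllowUsers/AllowGroups every account with a shell is a target,
    # which is exactly what the list of system accounts in the log reflects.
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append(("AllowUsers", "(unset: any account may log in)",
                         "<named accounts only>"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for keyword, effective, wanted in audit_sshd_config(cfg):
            print(f"  {keyword} is {effective!r}, want {wanted!r}")
```

Run it against `/var/run/sshd`'s actual config with
`audit_sshd_config(open("/etc/ssh/sshd_config").read())`; an empty list
means the four keywords and the allow list are where the reply says they
should be. Note that the audit reads the file, not the running daemon, so
restart sshd after editing before trusting the result.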

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Richard Chapman
Sent: Friday, May 02, 2008 9:55 AM
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: ssh security question

Hi
I don't know much about ssh - but I use it to connect to my centos server
with nx. Normally - I only do this on our local network and have port 22
disabled in the internet firewall.
Recently - I was away from the office - and enabled port 22 on the
firewall - so I could access the centos server remotely. I thought ssh
had pretty good security - and nx uses a key to allow access.

However - after only a day with port 22 enabled - I had some sort of
attack reported by the firewall - and I had the following in my
logwatch...

--------------------- pam_unix Begin ------------------------

smtp:
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
: 155 Time(s)
check pass; user unknown: 155 Time(s)
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=richard: 1 Time(s)
bad username [!]: 1 Time(s)
bad username [*]: 1 Time(s)

sshd:
Authentication Failures:
unknown (60.12.1.158): 1581 Time(s)
root (60.12.1.158): 82 Time(s)
sshd (60.12.1.158): 4 Time(s)
mysql (60.12.1.158): 3 Time(s)
richard (60.12.1.158): 3 Time(s)
gopher (60.12.1.158): 2 Time(s)
halt (60.12.1.158): 2 Time(s)
mail (60.12.1.158): 2 Time(s)
mailnull (60.12.1.158): 2 Time(s)
max (60.12.1.158): 2 Time(s)
nfsnobody (60.12.1.158): 2 Time(s)
nobody (60.12.1.158): 2 Time(s)
postgres (60.12.1.158): 2 Time(s)
squid (60.12.1.158): 2 Time(s)
adm (60.12.1.158): 1 Time(s)
ais (60.12.1.158): 1 Time(s)
apache (60.12.1.158): 1 Time(s)
bin (60.12.1.158): 1 Time(s)
daemon (60.12.1.158): 1 Time(s)
ftp (60.12.1.158): 1 Time(s)
games (60.12.1.158): 1 Time(s)
gdm (60.12.1.158): 1 Time(s)
haldaemon (60.12.1.158): 1 Time(s)
lp (60.12.1.158): 1 Time(s)
named (60.12.1.158): 1 Time(s)
news (60.12.1.158): 1 Time(s)
nscd (60.12.1.158): 1 Time(s)
ntp (60.12.1.158): 1 Time(s)
nut (60.12.1.158): 1 Time(s)
operator (60.12.1.158): 1 Time(s)
pcap (60.12.1.158): 1 Time(s)
piranha (60.12.1.158): 1 Time(s)
postfix (60.12.1.158): 1 Time(s)
rpc (60.12.1.158): 1 Time(s)
rpcuser (60.12.1.158): 1 Time(s)
rpm (60.12.1.158): 1 Time(s)
shutdown (60.12.1.158): 1 Time(s)
smmsp (60.12.1.158): 1 Time(s)
sync (60.12.1.158): 1 Time(s)
tim (60.12.1.158): 1 Time(s)
uucp (60.12.1.158): 1 Time(s)
webalizer (60.12.1.158): 1 Time(s)
Invalid Users:
Unknown Account: 1581 Time(s)


Can anyone tell me what is going on here? It looks like someone is
trying to find usernames by just testing a list. They appear to have
found 3 of our usernames - but hopefully not the passwords.


How much of a security issue is this? If they did guess a password -
would they have full shell access? If so - how is this any better than
(say) telnet?

Are there any settings I can and should do to restrict access further? I
have blocked port 22 in the firewall for the time being. Can I set up a
shared private key or similar?

Many thanks

Richard
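
The logwatch report above is a summary of raw sshd lines from
/var/log/secure. The following is an added example, not part of the
thread: a Python script that reduces such lines to the same shape
(attempts on non-existent accounts folded into "unknown", as logwatch
does), counts failures per source host, and then answers the question
Richard actually asks, namely which real accounts a noisy host has tried
passwords against. The log lines are a constructed sample; the 60.12.1.158
address and the user names root, richard and mysql are taken from the
report, while the timestamps, PIDs, ports and the 192.168.1.20 LAN address
are made up.

```python
import re
from collections import Counter

# Constructed sample of sshd lines as written to /var/log/secure.
# Addresses and account names follow the logwatch report in the thread;
# times, PIDs and ports are invented.
SAMPLE_LOG = """\
May  2 03:14:01 centos sshd[4021]: Invalid user guest from 60.12.1.158
May  2 03:14:01 centos sshd[4021]: Failed password for invalid user guest from 60.12.1.158 port 51022 ssh2
May  2 03:14:03 centos sshd[4023]: Invalid user test from 60.12.1.158
May  2 03:14:03 centos sshd[4023]: Failed password for invalid user test from 60.12.1.158 port 51030 ssh2
May  2 03:14:05 centos sshd[4025]: Failed password for root from 60.12.1.158 port 51041 ssh2
May  2 03:14:06 centos sshd[4027]: Failed password for root from 60.12.1.158 port 51044 ssh2
May  2 03:14:08 centos sshd[4029]: Failed password for richard from 60.12.1.158 port 51050 ssh2
May  2 03:14:09 centos sshd[4031]: Failed password for mysql from 60.12.1.158 port 51052 ssh2
May  2 09:55:10 centos sshd[4100]: Accepted publickey for richard from 192.168.1.20 port 40000 ssh2
May  2 09:57:30 centos sshd[4105]: Failed password for richard from 192.168.1.20 port 40012 ssh2
"""

# "invalid user" is present only when the account does not exist on the box.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<host>\S+)"
)


def summarise(log_text):
    """Reduce raw sshd lines to the per-user/per-host counts logwatch prints.

    Failures against accounts that do not exist are recorded under the
    pseudo-user "unknown" (logwatch's "Invalid Users"), while the guessed
    names are kept in a separate counter so the dictionary being used is
    visible. Successful logins are kept so a brute force that eventually
    worked stands out.
    """
    failures = Counter()       # (user or "unknown", host) -> count
    invalid_names = Counter()  # names tried that are not accounts here
    accepted = []              # (method, user, host) for each success
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            if m.group("invalid"):
                failures[("unknown", m.group("host"))] += 1
                invalid_names[m.group("user")] += 1
            else:
                failures[(m.group("user"), m.group("host"))] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group("method"), m.group("user"), m.group("host")))
    return {"failures": failures, "invalid_names": invalid_names,
            "accepted": accepted}


def failures_per_host(summary):
    """Total failed logins per source address."""
    per_host = Counter()
    for (_user, host), n in summary["failures"].items():
        per_host[host] += n
    return per_host


def noisy_hosts(summary, threshold=5):
    """Source addresses whose failure count reaches the threshold."""
    return {h for h, n in failures_per_host(summary).items() if n >= threshold}


def real_accounts_probed(summary, host):
    """Existing accounts a host tried passwords for, sorted.

    A guess against "unknown" can never succeed; a guess against root or
    richard can, so these are the names whose passwords (and shells) matter.
    """
    return sorted(u for (u, h) in summary["failures"]
                  if h == host and u != "unknown")


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for host in sorted(noisy_hosts(s)):
        print(f"{host}: {failures_per_host(s)[host]} failures, "
              f"real accounts tried: {', '.join(real_accounts_probed(s, host))}")
    for method, user, host in s["accepted"]:
        print(f"accepted {method} for {user} from {host}")
```

On a live host feed it `open("/var/log/secure").read()`. The interesting
output is the `real_accounts_probed` list for any host that `noisy_hosts`
returns: those are the accounts whose shell and password strength decide
whether the attempts could have gone anywhere, and an `Accepted password`
entry from the same address is the line to look for.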
