Re: ssh security question



Thanks Evan and many others

I really appreciate your advice.

The article you referred me to assumes that both client and server are unix boxes. In my case - the client is a windows client and the ssh is embedded into the windows nx client. Is there any reason I can't run ssh-keygen on the server and copy the private key to the client - and the public key to the "authorised" directory? Not sure where I would copy the ssh private key to in this case though...?

I am a bit confused about keys with nx and ssh. Nx has a private DSA key in the nx client - which I think I generated on the server. If I don't have this on the client - nx cannot connect. I always assumed this was an ssh key. But when I set the "passwordauthentication no" nx can't connect. Also - I don't have a ~/.ssh/authorized_keys file on the server - so it looks like ssh key sharing is not set up. As I say - I am confused. Do you know whether nx has its own key - independent of ssh?

Regards

Richard




Stawnyczy, Evan wrote:
Hi

They were doing a simple dictionary attack using common usernames and it
is likely they have a brute force password tool as well.

> How much of a security issue is this? If they did guess a password - would
> they have full shell access? If so - how is this any better than (say)
> telnet?

SSH is encrypted, so all traffic is encrypted... ALL traffic is
encrypted, under telnet NO TRAFFIC is encrypted. So a simple packet
sniffer can catch your passwords, and it would make it trivial to log in
to your system. This also depends on the accounts they discovered, if
the account they found has no shell associated with it, or is "nologon"
then they can't do any damage... However if they do have shell access,
they would have whatever that user's access is.

> Are there any settings I can and should do to restrict access further? I
> have blocked port 22 in the firewall for the time being. Can I set up a
> shared private key or similar?

Your best bet is to ensure your passwords are not easy to crack, I use
passwords that are a mixture of upper case, lowercase, spaces and
special characters - this makes it very difficult to brute force. The
other thing you should do is ensure root cannot login remotely, and
to ensure that sudo access is limited to your most secure user.

You can set up a shared private key, there is instruction here if you
need it:
http://gentoo-wiki.com/SECURITY_SSH_without_a_password
Regards,
Evan Stawnyczy
Information Security Specialist (UNIX) | CIBC Enterprise Information
Security

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Richard Chapman
Sent: Friday, May 02, 2008 9:55 AM
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: ssh security question

Hi
I don't know much about ssh - but I use it to connect to my centos server
with nx. Normally - I only do this on our local network and have port 22
disabled in the internet firewall.
Recently - I was away from the office - and enabled port 22 on the
firewall - so I could access the centos server remotely. I thought ssh
had pretty good security - and nx uses a key to allow access.

However - after only a day with port 22 enabled - I had some sort of
attack reported by the firewall - and I had the following in my
logwatch...

--------------------- pam_unix Begin ------------------------

smtp:
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
: 155 Time(s)
check pass; user unknown: 155 Time(s)
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=richard: 1 Time(s)
bad username [!]: 1 Time(s)
bad username [*]: 1 Time(s)
sshd:
Authentication Failures:
unknown (60.12.1.158): 1581 Time(s)
root (60.12.1.158): 82 Time(s)
sshd (60.12.1.158): 4 Time(s)
mysql (60.12.1.158): 3 Time(s)
richard (60.12.1.158): 3 Time(s)
gopher (60.12.1.158): 2 Time(s)
halt (60.12.1.158): 2 Time(s)
mail (60.12.1.158): 2 Time(s)
mailnull (60.12.1.158): 2 Time(s)
max (60.12.1.158): 2 Time(s)
nfsnobody (60.12.1.158): 2 Time(s)
nobody (60.12.1.158): 2 Time(s)
postgres (60.12.1.158): 2 Time(s)
squid (60.12.1.158): 2 Time(s)
adm (60.12.1.158): 1 Time(s)
ais (60.12.1.158): 1 Time(s)
apache (60.12.1.158): 1 Time(s)
bin (60.12.1.158): 1 Time(s)
daemon (60.12.1.158): 1 Time(s)
ftp (60.12.1.158): 1 Time(s)
games (60.12.1.158): 1 Time(s)
gdm (60.12.1.158): 1 Time(s)
haldaemon (60.12.1.158): 1 Time(s)
lp (60.12.1.158): 1 Time(s)
named (60.12.1.158): 1 Time(s)
news (60.12.1.158): 1 Time(s)
nscd (60.12.1.158): 1 Time(s)
ntp (60.12.1.158): 1 Time(s)
nut (60.12.1.158): 1 Time(s)
operator (60.12.1.158): 1 Time(s)
pcap (60.12.1.158): 1 Time(s)
piranha (60.12.1.158): 1 Time(s)
postfix (60.12.1.158): 1 Time(s)
rpc (60.12.1.158): 1 Time(s)
rpcuser (60.12.1.158): 1 Time(s)
rpm (60.12.1.158): 1 Time(s)
shutdown (60.12.1.158): 1 Time(s)
smmsp (60.12.1.158): 1 Time(s)
sync (60.12.1.158): 1 Time(s)
tim (60.12.1.158): 1 Time(s)
uucp (60.12.1.158): 1 Time(s)
webalizer (60.12.1.158): 1 Time(s)
Invalid Users:
Unknown Account: 1581 Time(s)


Can anyone tell me what is going on here? It looks like someone is
trying to find usernames by just testing a list. They appear to have
found 3 of our usernames - but hopefully not the passwords.


How much of a security issue is this? If they did guess a password -
would they have full shell access? If so - how is this any better than
(say) telnet?

Are there any settings I can and should do to restrict access further? I
have blocked port 22 in the firewall for the time being. Can I set up a
shared private key or similar?

Many thanks

Richard
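As an added example (not part of this thread, and not tied to any NX or CentOS tooling): a small Python parser for the logwatch "sshd: Authentication Failures" block quoted above. It aggregates failures per source host and flags the dictionary-attack pattern the poster describes, many usernames tried from one host, so that a daily report can be turned into an alert. The sample input is constructed in the same format as the thread's report; the second host (192.0.2.10) and its counts are made up for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the logwatch "sshd: Authentication Failures" format.
# 60.12.1.158 is the host from the thread; 192.0.2.10 is a made-up contrast case.
SAMPLE = """\
sshd:
Authentication Failures:
unknown (60.12.1.158): 1581 Time(s)
root (60.12.1.158): 82 Time(s)
sshd (60.12.1.158): 4 Time(s)
richard (60.12.1.158): 3 Time(s)
postgres (60.12.1.158): 2 Time(s)
richard (192.0.2.10): 2 Time(s)
Invalid Users:
Unknown Account: 1581 Time(s)
"""

# One report line: "<user> (<ipv4>): <count> Time(s)"
LINE = re.compile(r"^\s*(\S+) \((\d{1,3}(?:\.\d{1,3}){3})\): (\d+) Time\(s\)$")


def parse_failures(text):
    """Return {host: {username: failures}} from the Authentication Failures block."""
    per_host = defaultdict(dict)
    in_block = False
    for line in text.splitlines():
        if line.strip() == "Authentication Failures:":
            in_block = True
            continue
        if in_block and line.strip().endswith(":"):  # a new logwatch sub-block starts
            in_block = False
        if not in_block:
            continue
        m = LINE.match(line)
        if m:
            user, host, count = m.groups()
            per_host[host][user] = per_host[host].get(user, 0) + int(count)
    return dict(per_host)


def flag_dictionary_attacks(per_host, min_failures=50, min_users=5):
    """A host with many failures spread over many usernames is walking a list,
    not a user mistyping a password. Returns (host, total, distinct_users,
    existing_accounts_hit) sorted by total, worst first. Thresholds are assumed."""
    flagged = []
    for host, users in per_host.items():
        total = sum(users.values())
        # "unknown" is logwatch's bucket for names that are not accounts at all;
        # anything else in the list is a real account the attacker has found.
        existing = sorted(u for u in users if u != "unknown")
        if total >= min_failures and len(users) >= min_users:
            flagged.append((host, total, len(users), existing))
    return sorted(flagged, key=lambda t: -t[1])
```

The fourth tuple element is the list of real account names that drew failures, which is the same "they found 3 of our usernames" observation the poster made by eye; feeding those hosts to a firewall deny list is the usual next step.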

