---------------------- Forwarded by Dan Mitton/YD/RWDOE on 05/02/2008
10:16 AM ---------------------------

To: Richard Chapman
cc: secureshell@securityfocus.com
Subject: Re: ssh security question
LSN: Not Relevant
User Filed as: Not a Record

Richard,

I'm no expert, but I have a few thoughts. I help my sister-in-law run a
little web business and I have seen the same kinds of attacks. Some
things you might consider...

Have your firewall only accept connections from specific IP and/or MAC
addresses (or ranges). This of course assumes you know what your remote
IP and/or MAC addresses are.

See if you can disable all ssh authentication methods except
"PubkeyAuthentication" and use keys to authenticate. That way, without a
key, a hacker can never have a valid password. You might even run two
different sshd daemons (listening on different ports) with different
configs, one for internal & one for external (if for instance, you still
want to use passwords or something internally).

When you do the port mapping on your firewall, rather then mapping
external port 22 to internal port 22, try using strange ports. Maybe map
external port 60123 to internal port 22. I hacker might still find it,
but most might miss it. This of course assumes that you can tell your
remote ssh client to use the different port number.

Consider using a VPN firewall /software and doing a VPN connection before
doing the ssh. Of course, this means you need VPN software, at least on
the remote client, and need to open the VPN port to the world.

Be sure that "PermitRootLogin no". You can always log in as a normal user

and then 'su' if needed.

Set "MaxAuthTries" to something low, like 1 or 2. This will not stop
anything, but they would have to keep reconnecting after 1 or 2 failures.
Might slow them down a little.

Consider using "AllowGroups" and/or "AllowUsers" so that only very
specific usernames can use ssh.

I too, would be very interested in what more "expert" people might be able

to suggest.

Dan



Sent by: listbounce@securityfocus.com
To: secureshell@securityfocus.com
cc: (bcc: Dan Mitton/YD/RWDOE)
Subject: ssh security question
LSN: Not Relevant
User Filed as: Not a Record

Hi
I don't now much about ssh - but I use it to connect to my centos server
with nx. Normally - I only do this on our local network and have port 22
disabled in the internet firewall.
Recently - I was away from the office - and enabled port 22 on the
firewall - so I could access the centos server remotely. I thought ssh
had pretty good security - and nx uses a key to allow access.

However - after only a day with port 22 enabled - I had some sort of
attack reported by the firewall - and I had the following in my
logwatch...

--------------------- pam_unix Begin ------------------------

smtp:
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= :
155 Time(s)
check pass; user unknown: 155 Time(s)
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=richard: 1 Time(s)
bad username [!]: 1 Time(s)
bad username[*]: 1 Time(s)

sshd:
Authentication Failures:
unknown (60.12.1.158): 1581 Time(s)
root (60.12.1.158): 82 Time(s)
sshd (60.12.1.158): 4 Time(s)
mysql (60.12.1.158): 3 Time(s)
richard (60.12.1.158): 3 Time(s)
gopher (60.12.1.158): 2 Time(s)
halt (60.12.1.158): 2 Time(s)
mail (60.12.1.158): 2 Time(s)
mailnull (60.12.1.158): 2 Time(s)
max (60.12.1.158): 2 Time(s)
nfsnobody (60.12.1.158): 2 Time(s)
nobody (60.12.1.158): 2 Time(s)
postgres (60.12.1.158): 2 Time(s)
squid (60.12.1.158): 2 Time(s)
adm (60.12.1.158): 1 Time(s)
ais (60.12.1.158): 1 Time(s)
apache (60.12.1.158): 1 Time(s)
bin (60.12.1.158): 1 Time(s)
daemon (60.12.1.158): 1 Time(s)
ftp (60.12.1.158): 1 Time(s)
games (60.12.1.158): 1 Time(s)
gdm (60.12.1.158): 1 Time(s)
haldaemon (60.12.1.158): 1 Time(s)
lp (60.12.1.158): 1 Time(s)
named (60.12.1.158): 1 Time(s)
news (60.12.1.158): 1 Time(s)
nscd (60.12.1.158): 1 Time(s)
ntp (60.12.1.158): 1 Time(s)
nut (60.12.1.158): 1 Time(s)
operator (60.12.1.158): 1 Time(s)
pcap (60.12.1.158): 1 Time(s)
piranha (60.12.1.158): 1 Time(s)
postfix (60.12.1.158): 1 Time(s)
rpc (60.12.1.158): 1 Time(s)
rpcuser (60.12.1.158): 1 Time(s)
rpm (60.12.1.158): 1 Time(s)
shutdown (60.12.1.158): 1 Time(s)
smmsp (60.12.1.158): 1 Time(s)
sync (60.12.1.158): 1 Time(s)
tim (60.12.1.158): 1 Time(s)
uucp (60.12.1.158): 1 Time(s)
webalizer (60.12.1.158): 1 Time(s)
Invalid Users:
Unknown Account: 1581 Time(s)


Can anyone tell me what is going on here. It looks like someone is
trying to find usernames by just testing a list. They appear to have
found 3 of our usernames - but hopefully not the passwords.


How much of a security issue is this? If they did guess a password -
would they have full shell access? If so - how is this any better than
(say) telnet?

Are there any settings I can and should do to restrict access further? I
have blocked port 22 in the firewall for the time being. Can I set up a
shared private key or similar?

Many thanks

Richard