Hello again, Richard,

Oops. I forgot to mention that you'll also want to disable password
authentication:

# ------------ snip -------------
PasswordAuthentication no
PermitEmptyPasswords no
# ------------ snip -------------

Antonio

On Friday 02 May 2008, Richard Chapman wrote:
> Hi
> I don't know much about ssh - but I use it to connect to my centos server
> with nx. Normally - I only do this on our local network and have port 22
> disabled in the internet firewall.
> Recently - I was away from the office - and enabled port 22 on the
> firewall - so I could access the centos server remotely. I thought ssh
> had pretty good security - and nx uses a key to allow access.
>
> However - after only a day with port 22 enabled - I had some sort of
> attack reported by the firewall - and I had the following in my logwatch...
>
> --------------------- pam_unix Begin ------------------------
>
> smtp:
> Unknown Entries:
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= :
> 155 Time(s) check pass; user unknown: 155 Time(s)
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> user=richard: 1 Time(s) bad username [!]: 1 Time(s)
> bad username[*]: 1 Time(s)
>
> sshd:
> Authentication Failures:
> unknown (60.12.1.158): 1581 Time(s)
> root (60.12.1.158): 82 Time(s)
> sshd (60.12.1.158): 4 Time(s)
> mysql (60.12.1.158): 3 Time(s)
> richard (60.12.1.158): 3 Time(s)
> gopher (60.12.1.158): 2 Time(s)
> halt (60.12.1.158): 2 Time(s)
> mail (60.12.1.158): 2 Time(s)
> mailnull (60.12.1.158): 2 Time(s)
> max (60.12.1.158): 2 Time(s)
> nfsnobody (60.12.1.158): 2 Time(s)
> nobody (60.12.1.158): 2 Time(s)
> postgres (60.12.1.158): 2 Time(s)
> squid (60.12.1.158): 2 Time(s)
> adm (60.12.1.158): 1 Time(s)
> ais (60.12.1.158): 1 Time(s)
> apache (60.12.1.158): 1 Time(s)
> bin (60.12.1.158): 1 Time(s)
> daemon (60.12.1.158): 1 Time(s)
> ftp (60.12.1.158): 1 Time(s)
> games (60.12.1.158): 1 Time(s)
> gdm (60.12.1.158): 1 Time(s)
> haldaemon (60.12.1.158): 1 Time(s)
> lp (60.12.1.158): 1 Time(s)
> named (60.12.1.158): 1 Time(s)
> news (60.12.1.158): 1 Time(s)
> nscd (60.12.1.158): 1 Time(s)
> ntp (60.12.1.158): 1 Time(s)
> nut (60.12.1.158): 1 Time(s)
> operator (60.12.1.158): 1 Time(s)
> pcap (60.12.1.158): 1 Time(s)
> piranha (60.12.1.158): 1 Time(s)
> postfix (60.12.1.158): 1 Time(s)
> rpc (60.12.1.158): 1 Time(s)
> rpcuser (60.12.1.158): 1 Time(s)
> rpm (60.12.1.158): 1 Time(s)
> shutdown (60.12.1.158): 1 Time(s)
> smmsp (60.12.1.158): 1 Time(s)
> sync (60.12.1.158): 1 Time(s)
> tim (60.12.1.158): 1 Time(s)
> uucp (60.12.1.158): 1 Time(s)
> webalizer (60.12.1.158): 1 Time(s)
> Invalid Users:
> Unknown Account: 1581 Time(s)
>
>
> Can anyone tell me what is going on here? It looks like someone is
> trying to find usernames by just testing a list. They appear to have
> found 3 of our usernames - but hopefully not the passwords.
>
>
> How much of a security issue is this? If they did guess a password -
> would they have full shell access? If so - how is this any better than
> (say) telnet?
>
> Are there any settings I can and should do to restrict access further? I
> have blocked port 22 in the firewall for the time being. Can I set up a
> shared private key or similar?
>
> Many thanks
>
> Richard
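The logwatch report Richard quotes and the two sshd_config directives from Antonio's reply, worked into an added example that is not part of the original thread: the first part parses the "Authentication Failures" block (tolerating the `> ` e-mail quoting), totals failures per source host and reports which valid local accounts the host tried, so a brute-force run like the 60.12.1.158 one stands out; the second part checks an sshd_config text for the two directives. The sample report, the threshold of 20 and the set of local users are constructed assumptions; the config check reads only the global section (it stops at the first `Match` line) and assumes `Keyword value` syntax.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the logwatch excerpt quoted in the thread (list shortened).
SAMPLE_LOGWATCH = """\
Authentication Failures:
unknown (60.12.1.158): 1581 Time(s)
root (60.12.1.158): 82 Time(s)
mysql (60.12.1.158): 3 Time(s)
richard (60.12.1.158): 3 Time(s)
Invalid Users:
"""
FAIL_RE = re.compile(r"^(\S+) \((\d{1,3}(?:\.\d{1,3}){3})\): (\d+) Time\(s\)$")

def parse_failures(report):
    """Return {rhost: {user: count}} from the 'Authentication Failures' block."""
    per_host, in_block = defaultdict(dict), False
    for raw in report.splitlines():
        line = raw.strip().lstrip("> ").strip()  # tolerate '> ' e-mail quoting
        if line.endswith(":"):  # section header: enter or leave the block
            in_block = line == "Authentication Failures:"
            continue
        m = FAIL_RE.match(line) if in_block else None
        if m:
            user, host, count = m.groups()
            per_host[host][user] = per_host[host].get(user, 0) + int(count)
    return dict(per_host)

def summarize(per_host, local_users, threshold=20):
    """List (host, total failures, valid local accounts it tried) for hosts over the threshold."""
    findings = []
    for host, users in per_host.items():
        total = sum(users.values())
        if total >= threshold:
            findings.append((host, total, sorted(u for u in users if u in local_users)))
    return sorted(findings, key=lambda f: -f[1])

# The two directives from the reply; sshd keywords are case-insensitive and the first occurrence wins.
REQUIRED = {"passwordauthentication": "no", "permitemptypasswords": "no"}

def audit_sshd_config(text):
    """Return required directives that are missing or mis-set in the global section."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = line.partition(" ")
        if key.lower() == "match":  # directives after Match are conditional: stop here
            break
        if key:
            seen.setdefault(key.lower(), value.strip().lower())
    return {k: seen.get(k) for k, v in REQUIRED.items() if seen.get(k) != v}
```

An empty dict from `audit_sshd_config` means both directives are present and set to `no`; any entry names a directive that is absent (`None`) or carries another value.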