Thanks Evan and many others

I really appreciate your advice.

The article you referred me to assumes that both client and server are
unix boxes. In my case - the client is a windows client and the ssh is
embedded into the windows nx client. Is there any reason I can't run
ssh-keygen on the server and copy the private key to the client - and
the public key to the "authorised" directory? Not sure where I would
copy the ssh private key to in this case though...?

I am a bit confused about keys with nx and ssh. Nx has a private DSA
key in the nx client - which I think I generated on the server. If I
don't have this on the client - nx cannot connect. I always assumed this
was an ssh key. But when I set the "passwordauthentication no" nx can't
connect. Also - I don't have a ~/.ssh/authorized_keys file on the server
- so it looks like ssh key sharing is not set up.... As I say - I am
confused. Do you know whether nx has its own key - independent of ssh?

Regards

Richard
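
An added example, not part of Richard's message or Evan's reply, covering the setup Richard asks about: the key pair can be generated with ssh-keygen on the server (or on any machine that has it); the public half goes into the user's ~/.ssh/authorized_keys on the server, which is a file rather than a directory, and the private half is copied to the client and then removed from the server. The shell functions below install a public key line with the permissions sshd insists on, rewrite sshd_config with the settings Evan recommends (no root login, no password login, an explicit list of allowed users), and read back a keyword's effective value the way sshd resolves it: first match wins, keywords are case-insensitive, and an absent keyword means the built-in default. The user name richard, the file paths and the sample key line are assumptions for illustration; NX's own key handling is not modeled.

```shell
#!/bin/sh
# Added example, not from the thread: key-only ssh login for a client that
# cannot run ssh-keygen, plus server-side sshd_config hardening.
# The user name "richard", all paths and the sample key line are assumed.
set -eu

# Step 1 (shown, not run, so the rest works offline): generate the pair on
# the server, copy nx_client_key to the client, then delete it from the
# server. Only nx_client_key.pub belongs on the server.
#   ssh-keygen -t rsa -b 4096 -f nx_client_key -N ''

# Install one public-key line into HOME_DIR/.ssh/authorized_keys with the
# permissions sshd's StrictModes requires (700 on .ssh, 600 on the file);
# looser permissions make sshd silently ignore the key.
install_authorized_key() {
    home_dir=$1
    pubkey_line=$2
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    touch "$home_dir/.ssh/authorized_keys"
    chmod 600 "$home_dir/.ssh/authorized_keys"
    if ! grep -qxF "$pubkey_line" "$home_dir/.ssh/authorized_keys"; then
        printf '%s\n' "$pubkey_line" >> "$home_dir/.ssh/authorized_keys"
    fi
    printf '%s\n' "$home_dir/.ssh/authorized_keys"
}

# Effective value of KEYWORD in CONFIG, resolved the way sshd does it:
# comments skipped, keyword match is case-insensitive, the FIRST occurrence
# wins, and an absent keyword falls back to DEFAULT (the compiled-in value).
# Match blocks are not modelled.
sshd_effective() {
    config=$1
    keyword=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    default=${3:-}
    value=$(awk -v k="$keyword" '
        /^[ \t]*#/ { next }
        tolower($1) == k {
            v = $2
            for (i = 3; i <= NF; i++) v = v " " $i   # multi-valued keywords (AllowUsers)
            print v
            exit
        }
    ' "$config")
    printf '%s\n' "${value:-$default}"
}

# Set KEYWORD VALUE in CONFIG: drop every existing line for the keyword,
# commented out or not, and put the new line first so no duplicate can win.
set_sshd_option() {
    config=$1
    keyword=$2
    value=$3
    lower=$(printf '%s' "$keyword" | tr 'A-Z' 'a-z')
    {
        printf '%s %s\n' "$keyword" "$value"
        awk -v k="$lower" '
            { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line); split(line, f, /[ \t]+/) }
            tolower(f[1]) == k { next }
            { print }
        ' "$config"
    } > "$config.tmp"
    mv "$config.tmp" "$config"
}

# The settings Evan recommends, plus an explicit allow list. AllowUsers is
# the sharpest tool here and the easiest way to lock yourself out: keep a
# session open and run "sshd -t" before restarting.
harden_sshd_config() {
    config=$1
    allowed_users=$2
    set_sshd_option "$config" PermitRootLogin no
    set_sshd_option "$config" PasswordAuthentication no
    set_sshd_option "$config" ChallengeResponseAuthentication no
    set_sshd_option "$config" PubkeyAuthentication yes
    set_sshd_option "$config" MaxAuthTries 3
    set_sshd_option "$config" AllowUsers "$allowed_users"
}

# Demonstration on a constructed weak config in a scratch directory.
demo() {
    scratch=$(mktemp -d)
    printf '%s\n' 'Port 22' '#PermitRootLogin yes' 'PasswordAuthentication yes' > "$scratch/sshd_config"
    echo "before: PasswordAuthentication=$(sshd_effective "$scratch/sshd_config" PasswordAuthentication yes)"
    harden_sshd_config "$scratch/sshd_config" richard
    echo "after:  PasswordAuthentication=$(sshd_effective "$scratch/sshd_config" PasswordAuthentication yes)"
    install_authorized_key "$scratch/home" 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample nx-client'
    rm -r "$scratch"
}
demo
```

Check the rewritten file with `sshd -t -f <config>` before restarting sshd, and keep an existing session open while you do, since a wrong AllowUsers entry or a key that never made it to the client locks you out. The functions do not understand Match blocks; a setting inside a Match block applies only to the connections that block matches.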




Stawnyczy, Evan wrote:
> Hi
>
> They were doing a simple dictionary attack using common usernames and it
> is likely they have a brute force password tool as well.
>
>
>> How much of a security issue is this? If they did guess a password -
>> would they have full shell access? If so - how is this any better than
>> (say) telnet?
>
> SSH is encrypted, so all traffic is encrypted... ALL traffic is
> encrypted, under telnet NO TRAFFIC is encrypted. So a simple packet
> sniffer can catch your passwords, and it would make it trivial to log in
> to your system. This also depends on the accounts they discovered, if
> the account they found has no shell associated with it, or is "nologon"
> then they can't do any damage... However if they do have shell access,
> they would have whatever that user's access is.
>
>
>> Are there any settings I can and should do to restrict access further?
>> I have blocked port 22 in the firewall for the time being. Can I set up
>> a shared private key or similar?
>
> Your best bet is to ensure your passwords are not easy to crack, I use
> passwords that are a mixture of upper case, lowercase, spaces and
> special characters - this makes it very difficult to brute force.
> The other thing you should do is ensure root cannot login remotely, and
> to ensure that sudo access is limited to your most secure user.
>
> You can set up a shared private key, there is instruction here if you
> need it:
> http://gentoo-wiki.com/SECURITY_SSH_without_a_password
>
> Regards,
> Evan Stawnyczy
> Information Security Specialist (UNIX) | CIBC Enterprise Information
> Security
>
> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
> On Behalf Of Richard Chapman
> Sent: Friday, May 02, 2008 9:55 AM
> To: secureshell@securityfocus.com
> Subject: ssh security question
>
> Hi
> I don't know much about ssh - but I use it to connect to my centos server
> with nx. Normally - I only do this on our local network and have port 22
> disabled in the internet firewall.
> Recently - I was away from the office - and enabled port 22 on the
> firewall - so I could access the centos server remotely. I thought ssh
> had pretty good security - and nx uses a key to allow access.
>
> However - after only a day with port 22 enabled - I had some sort of
> attack reported by the firewall - and I had the following in my
> logwatch...
>
> --------------------- pam_unix Begin ------------------------
>
> smtp:
> Unknown Entries:
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> : 155 Time(s)
> check pass; user unknown: 155 Time(s)
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> user=richard: 1 Time(s)
> bad username [!]: 1 Time(s)
> bad username[*]: 1 Time(s)
>
> sshd:
> Authentication Failures:
> unknown (60.12.1.158): 1581 Time(s)
> root (60.12.1.158): 82 Time(s)
> sshd (60.12.1.158): 4 Time(s)
> mysql (60.12.1.158): 3 Time(s)
> richard (60.12.1.158): 3 Time(s)
> gopher (60.12.1.158): 2 Time(s)
> halt (60.12.1.158): 2 Time(s)
> mail (60.12.1.158): 2 Time(s)
> mailnull (60.12.1.158): 2 Time(s)
> max (60.12.1.158): 2 Time(s)
> nfsnobody (60.12.1.158): 2 Time(s)
> nobody (60.12.1.158): 2 Time(s)
> postgres (60.12.1.158): 2 Time(s)
> squid (60.12.1.158): 2 Time(s)
> adm (60.12.1.158): 1 Time(s)
> ais (60.12.1.158): 1 Time(s)
> apache (60.12.1.158): 1 Time(s)
> bin (60.12.1.158): 1 Time(s)
> daemon (60.12.1.158): 1 Time(s)
> ftp (60.12.1.158): 1 Time(s)
> games (60.12.1.158): 1 Time(s)
> gdm (60.12.1.158): 1 Time(s)
> haldaemon (60.12.1.158): 1 Time(s)
> lp (60.12.1.158): 1 Time(s)
> named (60.12.1.158): 1 Time(s)
> news (60.12.1.158): 1 Time(s)
> nscd (60.12.1.158): 1 Time(s)
> ntp (60.12.1.158): 1 Time(s)
> nut (60.12.1.158): 1 Time(s)
> operator (60.12.1.158): 1 Time(s)
> pcap (60.12.1.158): 1 Time(s)
> piranha (60.12.1.158): 1 Time(s)
> postfix (60.12.1.158): 1 Time(s)
> rpc (60.12.1.158): 1 Time(s)
> rpcuser (60.12.1.158): 1 Time(s)
> rpm (60.12.1.158): 1 Time(s)
> shutdown (60.12.1.158): 1 Time(s)
> smmsp (60.12.1.158): 1 Time(s)
> sync (60.12.1.158): 1 Time(s)
> tim (60.12.1.158): 1 Time(s)
> uucp (60.12.1.158): 1 Time(s)
> webalizer (60.12.1.158): 1 Time(s)
> Invalid Users:
> Unknown Account: 1581 Time(s)
>
>
> Can anyone tell me what is going on here. It looks like someone is
> trying to find usernames by just testing a list. They appear to have
> found 3 of our usernames - but hopefully not the passwords.
>
>
> How much of a security issue is this? If they did guess a password -
> would they have full shell access? If so - how is this any better than
> (say) telnet?
>
> Are there any settings I can and should do to restrict access further? I
> have blocked port 22 in the firewall for the time being. Can I set up a
> shared private key or similar?
>
> Many thanks
>
> Richard
>