Richard,
Someone is attempting to use a dictionary or brute-force attack
against your SSH server.
I use DenyHosts to thwart such nefarious activity.
You can check it out here: http://denyhosts.sourceforge.net/
It's relatively simple to set up and I believe that there's a CentOS
package for it (yum search denyhosts).
Have a great day.
- tim
On May 2, 2008, at 8:55 AM, Richard Chapman wrote:
> Hi
> I don't know much about ssh - but I use it to connect to my centos
> server with nx. Normally - I only do this on our local network and
> have port 22 disabled in the internet firewall.
> Recently - I was away from the office - and enabled port 22 on the
> firewall - so I could access the centos server remotely. I thought
> ssh had pretty good security - and nx uses a key to allow access.
>
> However - after only a day with port 22 enabled - I had some sort of
> attack reported by the firewall - and I had the following in my
> logwatch...
>
> --------------------- pam_unix Begin ------------------------
> smtp:
> Unknown Entries:
> authentication failure; logname= uid=0 euid=0 tty= ruser=
> rhost= : 155 Time(s)
> check pass; user unknown: 155 Time(s)
> authentication failure; logname= uid=0 euid=0 tty= ruser=
> rhost= user=richard: 1 Time(s)
> bad username [!]: 1 Time(s)
> bad username [*]: 1 Time(s)
> sshd:
> Authentication Failures:
> unknown (60.12.1.158): 1581 Time(s)
> root (60.12.1.158): 82 Time(s)
> sshd (60.12.1.158): 4 Time(s)
> mysql (60.12.1.158): 3 Time(s)
> richard (60.12.1.158): 3 Time(s)
> gopher (60.12.1.158): 2 Time(s)
> halt (60.12.1.158): 2 Time(s)
> mail (60.12.1.158): 2 Time(s)
> mailnull (60.12.1.158): 2 Time(s)
> max (60.12.1.158): 2 Time(s)
> nfsnobody (60.12.1.158): 2 Time(s)
> nobody (60.12.1.158): 2 Time(s)
> postgres (60.12.1.158): 2 Time(s)
> squid (60.12.1.158): 2 Time(s)
> adm (60.12.1.158): 1 Time(s)
> ais (60.12.1.158): 1 Time(s)
> apache (60.12.1.158): 1 Time(s)
> bin (60.12.1.158): 1 Time(s)
> daemon (60.12.1.158): 1 Time(s)
> ftp (60.12.1.158): 1 Time(s)
> games (60.12.1.158): 1 Time(s)
> gdm (60.12.1.158): 1 Time(s)
> haldaemon (60.12.1.158): 1 Time(s)
> lp (60.12.1.158): 1 Time(s)
> named (60.12.1.158): 1 Time(s)
> news (60.12.1.158): 1 Time(s)
> nscd (60.12.1.158): 1 Time(s)
> ntp (60.12.1.158): 1 Time(s)
> nut (60.12.1.158): 1 Time(s)
> operator (60.12.1.158): 1 Time(s)
> pcap (60.12.1.158): 1 Time(s)
> piranha (60.12.1.158): 1 Time(s)
> postfix (60.12.1.158): 1 Time(s)
> rpc (60.12.1.158): 1 Time(s)
> rpcuser (60.12.1.158): 1 Time(s)
> rpm (60.12.1.158): 1 Time(s)
> shutdown (60.12.1.158): 1 Time(s)
> smmsp (60.12.1.158): 1 Time(s)
> sync (60.12.1.158): 1 Time(s)
> tim (60.12.1.158): 1 Time(s)
> uucp (60.12.1.158): 1 Time(s)
> webalizer (60.12.1.158): 1 Time(s)
> Invalid Users:
> Unknown Account: 1581 Time(s)
>
> Can anyone tell me what is going on here? It looks like someone is
> trying to find usernames by just testing a list. They appear to have
> found 3 of our usernames - but hopefully not the passwords.
>
>
> How much of a security issue is this? If they did guess a password -
> would they have full shell access? If so - how is this any better
> than (say) telnet?
>
> Are there any settings I can and should do to restrict access
> further? I have blocked port 22 in the firewall for the time being.
> Can I set up a shared private key or similar?
>
> Many thanks
>
> Richard
>
>
>
>
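Added example, not part of Tim's or Richard's message: what DenyHosts automates, done by hand. The script counts "Failed password" lines per source address in a /var/log/secure-style log, emits the /etc/hosts.deny entries for any address over a threshold, and lists which user names were tried from it (which is how one can tell, as Richard's logwatch did, that real accounts such as richard and tim were among the guesses). The log lines are constructed; only the attacking address 60.12.1.158 comes from the thread, and the host name, PIDs, ports and the LAN address 192.168.1.20 are made up.

```sh
#!/bin/sh
# Added example (not from the original thread): count sshd authentication
# failures per source address in a /var/log/secure-style log and emit the
# TCP-wrappers entries DenyHosts would add to /etc/hosts.deny for any
# address over a threshold. The sample lines are constructed to mirror the
# logwatch summary in the thread; only 60.12.1.158 is from the message.

# Constructed sample in the format CentOS 5 sshd writes to /var/log/secure.
SAMPLE_LOG='May  2 03:14:07 srv sshd[2101]: Invalid user gopher from 60.12.1.158
May  2 03:14:07 srv sshd[2101]: Failed password for invalid user gopher from 60.12.1.158 port 40212 ssh2
May  2 03:14:09 srv sshd[2104]: Failed password for root from 60.12.1.158 port 40220 ssh2
May  2 03:14:10 srv sshd[2106]: Failed password for root from 60.12.1.158 port 40231 ssh2
May  2 03:14:12 srv sshd[2109]: Failed password for richard from 60.12.1.158 port 40240 ssh2
May  2 03:14:13 srv sshd[2111]: Failed password for invalid user postgres from 60.12.1.158 port 40245 ssh2
May  2 08:55:30 srv sshd[2290]: Failed password for richard from 192.168.1.20 port 51010 ssh2
May  2 08:55:41 srv sshd[2290]: Accepted publickey for richard from 192.168.1.20 port 51010 ssh2'

# Print "count ip" for every address with at least one failed password,
# most failures first. "Invalid user" lines are deliberately not counted:
# each one is followed by a matching "Failed password" line, so counting
# both would double the figure for unknown accounts.
failed_logins_by_ip() {
    # $1: log file
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Emit a hosts.deny line for each address whose failures reach the threshold.
# DenyHosts watches the same log and writes this same "sshd: <ip>" form.
deny_entries() {
    # $1: log file, $2: threshold (failures)
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print "sshd: " $2 }'
}

# User names an attacker tried from one address, sorted and de-duplicated.
# Shows whether a real account was among the guesses, as logwatch did.
usernames_tried_from() {
    # $1: log file, $2: source address
    awk -v ip="$2" '/Failed password for/ {
        for (i = 1; i <= NF; i++)
            if ($i == "from" && $(i+1) == ip) { print $(i-1); break }
    }' "$1" | sort -u
}

# Stand-alone demo: write the constructed sample to a temp file and report.
LOG=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOG"
echo "failures per address:";        failed_logins_by_ip "$LOG"
echo "hosts.deny entries (>= 5):";   deny_entries "$LOG" 5
echo "names tried from 60.12.1.158:"; usernames_tried_from "$LOG" 60.12.1.158
rm -f "$LOG"
```

An /etc/hosts.deny entry only has an effect when sshd was built against TCP wrappers (libwrap), as the CentOS package is; on a build without it, drop the address in iptables instead. The threshold is a judgement call: the thread's 1581 failures in a day would trip any sane value, while one mistyped password from the LAN should not.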
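Also added here, not from the thread: a check of the sshd_config settings that bear on Richard's last two questions. With PasswordAuthentication left on, a guessed password does give the attacker a normal shell for that account (the root and richard attempts in the log are after exactly that); the encryption protects against eavesdropping, which is the part that is better than telnet. Key-only login, no root login and an AllowUsers list close off the guessing. Both config fragments are constructed; the directive names and the defaults quoted are OpenSSH's own (the 4.x series CentOS 5 ships), and the AllowUsers names richard and tim are assumed from the thread.

```sh
#!/bin/sh
# Added example (not from the original thread): a permissive sshd_config
# beside a hardened one, plus a checker that reports which of the settings
# that matter against password guessing are still weak. Both fragments are
# constructed; the directive names and defaults are OpenSSH's (4.x as in
# CentOS 5), the AllowUsers names are assumed from the thread.

WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
MaxAuthTries 6'

HARDENED_CONFIG='Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 30
AllowUsers richard tim'

# Value of a directive as sshd sees it: the first occurrence wins, comment
# lines are ignored, and an absent directive takes the compiled-in default.
sshd_setting() {
    # $1: config file, $2: directive, $3: OpenSSH default for that directive
    v=$(awk -v d="$2" '$1 ~ /^#/ { next }
                       tolower($1) == tolower(d) { print $2; exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Print one line per weak setting; the exit status is the number found.
check_sshd_config() {
    # $1: config file
    findings=0
    weak() { echo "  $1"; findings=$((findings + 1)); }
    [ "$(sshd_setting "$1" PasswordAuthentication yes)" = no ] ||
        weak "PasswordAuthentication yes: a guessed password yields a shell"
    [ "$(sshd_setting "$1" PermitRootLogin yes)" = no ] ||
        weak "PermitRootLogin yes: root is the account every scanner tries"
    [ "$(sshd_setting "$1" PermitEmptyPasswords no)" = no ] ||
        weak "PermitEmptyPasswords yes: accounts without a password are reachable"
    [ "$(sshd_setting "$1" MaxAuthTries 6)" -le 3 ] ||
        weak "MaxAuthTries above 3: more guesses per connection"
    [ -n "$(sshd_setting "$1" AllowUsers "")" ] ||
        weak "no AllowUsers: sshd will try to authenticate every account, not just the people who need in"
    return $findings
}

# Stand-alone demo over the two constructed fragments.
W=$(mktemp); H=$(mktemp)
printf '%s\n' "$WEAK_CONFIG" > "$W"
printf '%s\n' "$HARDENED_CONFIG" > "$H"
echo "weak config:";     check_sshd_config "$W" || echo "  ($? finding(s))"
echo "hardened config:"; check_sshd_config "$H" && echo "  nothing to report"
rm -f "$W" "$H"
```

Before restarting sshd with a changed file, validate it with `sshd -t -f /etc/ssh/sshd_config`, and keep the current session open until a fresh key-based login is confirmed to work, since turning PasswordAuthentication off with no key installed locks you out.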