Koozali.org: home of the SME Server

SSH Access

calisun
SSH Access
« on: February 03, 2006, 07:36:06 PM »
Right now in SME when you allow SSH access, all regular users have SSH access.
Is there a way to select which users get SSH access?

I only have a select few users that need SSH access. Other users don't need SSH access, and I don't want it to become a security issue.

Looking at my SSH access log files, it is scary. I don't want SSH to be my security problem, but I need it enabled. Look at my log from yesterday (same thing every day):

SME user and community member since 2005.
Want to install Wordpress in iBay of SME Server?
See my step-by-step How-To wiki here:
http://wiki.contribs.org/Wordpress_Multisite
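The logwatch SSHD summary quoted above is easy to parse; the added example below (not code from the post or from SME Server) reads the "Failed logins from these:" block from a constructed sample in that format and totals the attempts per source address, per targeted account and per authentication method, which is the view a defender wants before deciding what to block or disable.

```python
import re
from collections import Counter

# Constructed sample in the format of the logwatch SSHD section quoted
# in the post (user/method from address: N Time(s)); not the real log.
SAMPLE_LOG = """\
--------------------- SSHD Begin ------------------------

Failed logins from these:
   admin/password from 192.0.2.10: 2 Time(s)
   root/password from 192.0.2.10: 25 Time(s)
   test/password from 192.0.2.10: 8 Time(s)
   root/password from 198.51.100.7: 3 Time(s)
   guest/password from 198.51.100.7: 1 Time(s)

---------------------- SSHD End -------------------------
"""

LINE_RE = re.compile(r"^\s*(\S+)/(\S+) from ([^:\s]+): (\d+) Time\(s\)\s*$")


def parse_failed_logins(text):
    """Return (user, method, source, count) tuples from the
    'Failed logins from these:' block; the block ends at the first
    line that is not a failed-login entry."""
    rows, in_block = [], False
    for line in text.splitlines():
        if line.strip() == "Failed logins from these:":
            in_block = True
            continue
        if not in_block:
            continue
        m = LINE_RE.match(line)
        if m is None:
            break
        user, method, source, count = m.groups()
        rows.append((user, method, source, int(count)))
    return rows


def summarize(rows):
    """Attempts per source address, per target account and per auth
    method: which host is hammering, which accounts are targeted, and
    that every attempt in the sample is a password guess."""
    by_source, by_user, by_method = Counter(), Counter(), Counter()
    for user, method, source, count in rows:
        by_source[source] += count
        by_user[user] += count
        by_method[method] += count
    return by_source, by_user, by_method
```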

CharlieBrady
Re: SSH Access
« Reply #1 on: February 03, 2006, 08:42:08 PM »
Quote from: "calisun"
Right now in SME when you allow SSH access, all regular users have SSH access.


Yes and no. They have SSH access, but it's not actually usable unless they have had their shell changed. Try it.

Quote

Is there a way to select which users get SSH access?


Only users who have had their shell changed (e.g. to /bin/bash) will be able to use SSH.

Quote

Looking at my SSH access log files, it is scary.


That's the same for everybody.

Quote

I don't want SSH to be my security problem, but I need it enabled.


Don't enable password authentication. Educate yourself about RSA key authentication and then train your users (or set it up for them on a per user basis).
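Two checks follow from this reply: which accounts have an interactive shell (and so can actually use SSH), and whether sshd still accepts passwords at all. The example below is added here and is not SME Server code; the shell names, the constructed passwd lines and the sshd_config fragments are assumptions for a generic Linux host.

```python
# Added example: audit who can log in over SSH and whether passwords are
# still accepted. Shell names below are assumed for a generic Linux host.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", ""}

# Constructed /etc/passwd lines, not from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:5001:5001:Alice:/home/alice:/bin/bash
bob:x:5002:5002:Bob:/home/bob:/sbin/nologin
"""

# Constructed sshd_config fragments: password logins left on (the
# default), and the hardened form the reply recommends.
SSHD_WEAK = "PubkeyAuthentication yes\n"
SSHD_HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

def ssh_capable_users(passwd_text):
    """Accounts whose login shell is interactive: these are the ones that
    can open a session over SSH once the service is enabled."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] not in NOLOGIN_SHELLS:
            users.append(fields[0])
    return users

def effective_directive(config_text, name, default):
    """sshd takes the first occurrence of a directive; anything after a
    Match block is conditional, so stop there. Unset means the default."""
    for line in config_text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":
            break
        if key == name.lower() and len(parts) == 2:
            return parts[1].strip().lower()
    return default

def password_logins_possible(config_text):
    """True unless both the password and the keyboard-interactive (PAM)
    paths are switched off; the compiled-in default for both is yes."""
    pw = effective_directive(config_text, "PasswordAuthentication", "yes")
    kbd = effective_directive(config_text, "ChallengeResponseAuthentication", "yes")
    return pw != "no" or kbd != "no"
```

Note that turning off PasswordAuthentication alone is not enough when PAM keyboard-interactive logins stay on, which is why the check looks at both directives.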

osiris9510

SSH Access
« Reply #2 on: February 03, 2006, 08:43:06 PM »
Select "Allow SSH only from Local Networks"

Then, under Local Networks, put each IP address in that you want to let access ssh, and use 255.255.255.255 as the subnet mask. It will treat each IP address as a network, but that network is limited to that particular machine because of that subnet mask.
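An address entered with a 255.255.255.255 mask admits exactly one host, while a wider mask admits a whole range; the added example below (not SME Server code) uses Python's ipaddress module to show what each constructed "Local Networks" entry admits, test a client address against the list, and flag entries broader than a single host.

```python
import ipaddress

# Added example, not SME Server code. Constructed (address, netmask)
# entries in the shape the Local Networks panel takes; placeholders only.
LOCAL_NETWORKS = [
    ("192.0.2.10", "255.255.255.255"),   # one remote admin workstation
    ("198.51.100.0", "255.255.255.0"),   # a whole /24, probably unintended
]


def to_network(entry):
    """Build the network an (address, netmask) entry describes."""
    ip, mask = entry
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def hosts_admitted(entry):
    """How many client addresses a single entry lets in."""
    return to_network(entry).num_addresses


def is_local(client_ip, entries):
    """Would sshd restricted to local networks accept this client?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in to_network(e) for e in entries)


def broad_entries(entries):
    """Entries that admit more than one host, for review: a /32 per
    machine is the intent of the advice above."""
    return [e for e in entries if hosts_admitted(e) > 1]
```

As the follow-up post notes, a single-host entry stops matching as soon as the remote user's address changes, which is_local makes visible.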

calisun
SSH Access
« Reply #3 on: February 04, 2006, 02:22:22 AM »
Thanks osiris9510, I was also thinking of that, but the problem is that my remote users don't have static IPs.

Charlie, thanks for the RSA key authentication tip. Do you have a favorite site where to learn more about RSA or should I just google it?

william_syd
SSH Access
« Reply #4 on: February 04, 2006, 06:34:01 AM »
Quote from: "calisun"

Charlie, thanks for the RSA key authentication tip. Do you have a favorite site where to learn more about RSA or should I just google it?


Try http://www.wellsi.com/sme/ssh/ssh.html
Regards,
William

If I give advice.. it's only if it was me....