Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: calisun on February 03, 2006, 07:36:06 PM

Title: SSH Access
Post by: calisun on February 03, 2006, 07:36:06 PM
Right now in SME when you allow SSH access, all regular users have SSH access.
Is there a way to select which users get SSH access?

I only have a select few users that need SSH access. Other users don't need SSH access, and I don't want it to become a security issue.

Looking at my SSH access log files, it is scary. I don't want SSH to be my security problem, but I need it enabled. Look at my log from yesterday (same thing every day):

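The daily report quoted above is logwatch's SSHD summary, one line per user/source pair in the form `user/password from 203.0.113.5: 3 Time(s)`. The following added example (not from the post) aggregates such a report per source address and separates dictionary sweeps from a lone failed login, which is what a defender needs before deciding on blocking or alerting. The report in the block is a constructed sample using TEST-NET addresses.

```python
"""Summarise a logwatch-style sshd 'Failed logins' report per source address.
Added example, not from the forum post. Lines follow the format shown there:
'   user/password from 203.0.113.5: 3 Time(s)'. The report below is a
constructed sample using TEST-NET addresses, not real data."""
import re
from collections import defaultdict
LINE_RE = re.compile(
    r"^\s*(?P<user>\S+)/(?P<method>\S+) from (?P<ip>[\d.]+): (?P<count>\d+) Time\(s\)\s*$")

SAMPLE_REPORT = """\
--------------------- SSHD Begin ------------------------
Failed logins from these:
   admin/password from 203.0.113.5: 6 Time(s)
   root/password from 203.0.113.5: 25 Time(s)
   test/password from 203.0.113.5: 8 Time(s)
   guest/password from 203.0.113.5: 1 Time(s)
   root/password from 198.51.100.7: 3 Time(s)
   admin/password from 198.51.100.7: 2 Time(s)
   alice/password from 192.0.2.44: 1 Time(s)
"""

def parse_failed_logins(report):
    """Return {ip: {"attempts": total failures, "users": set of names tried}}."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers, blanks and footers carry no entries
        rec, n = per_ip[m["ip"]], int(m["count"])
        rec["attempts"] += n
        rec["users"].add(m["user"])
    return dict(per_ip)

def classify_sources(per_ip, min_attempts=10, min_users=5):
    """'brute_force': many attempts or a sweep over many usernames;
    'targeted': repeated failures on named accounts; 'noise': a single failure."""
    labels = {}
    for ip, rec in per_ip.items():
        if rec["attempts"] >= min_attempts or len(rec["users"]) >= min_users:
            labels[ip] = "brute_force"
        elif rec["attempts"] > 1:
            labels[ip] = "targeted"
        else:
            labels[ip] = "noise"
    return labels

if __name__ == "__main__":
    stats = parse_failed_logins(SAMPLE_REPORT)
    for ip, label in sorted(classify_sources(stats).items()):
        print(f"{ip:15} {label:12} attempts={stats[ip]['attempts']:3} users={len(stats[ip]['users'])}")
```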
Title: Re: SSH Access
Post by: CharlieBrady on February 03, 2006, 08:42:08 PM
Quote from: "calisun"
Right now in SME when you allow SSH access, all regular users have SSH access.


Yes and no. They have SSH access, but it's not actually usable unless they have had their shell changed. Try it.

Quote

Is there a way to select which users get SSH access?


Only users who have had their shell changed (e.g. to /bin/bash) will be able to use SSH.

Quote

Looking at my SSH access log files, it is scary.


That's the same for everybody.

Quote

I don't want SSH to be my security problem, but I need it enabled.


Don't enable password authentication. Educate yourself about RSA key authentication and then train your users (or set it up for them on a per user basis).
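An added example (not from the thread or from SME Server's own tooling) that checks an sshd_config against the advice in this reply. It relies on OpenSSH applying the first occurrence of each keyword, assumes the fallback values listed in DEFAULTS for the version in use, and treats both sample configs as constructed; AllowUsers is checked because it directly limits which accounts may log in.

```python
"""Audit an sshd_config for the key-vs-password settings recommended above.
Added example, not from the thread or from SME Server. sshd honours the FIRST
occurrence of a keyword, so a later 'PasswordAuthentication no' is ignored if an
earlier 'yes' exists. The configs are constructed; DEFAULTS are assumed."""

WEAK_CONFIG = """\
PasswordAuthentication yes
PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers alice bob
"""

# Assumed fallbacks when a keyword is absent; confirm against 'man sshd_config'.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "challengeresponseauthentication": "yes", "permitrootlogin": "yes"}
def effective_settings(config_text):
    """{keyword_lower: value}: comments dropped, first occurrence wins, and
    parsing stops at the first Match block (conditional, out of scope here)."""
    settings = {}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(config_text):
    """Return a list of findings; an empty list means the file follows the advice."""
    s = {**DEFAULTS, **effective_settings(config_text)}
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': passwords can still be guessed")
    if s["challengeresponseauthentication"] != "no":
        findings.append("ChallengeResponseAuthentication is not 'no': keyboard-interactive still takes passwords")
    if s["permitrootlogin"] not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin allows root password logins")
    if "allowusers" not in s:
        findings.append("no AllowUsers list: every account with a shell may log in")
    return findings
```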
Title: SSH Access
Post by: osiris9510 on February 03, 2006, 08:43:06 PM
Select "Allow SSH only from Local Networks"

Then, under Local Networks, put each IP address in that you want to let access ssh, and use 255.255.255.255 as the subnet mask. It will treat each IP address as a network, but that network is limited to that particular machine because of that subnet mask.
Title: SSH Access
Post by: calisun on February 04, 2006, 02:22:22 AM
Thanks osiris9510, I was also thinking of that, but the problem is that my remote users don't have static IPs.

Charlie, thanks for the RSA key authentication tip. Do you have a favorite site where to learn more about RSA, or should I just google it?
Title: SSH Access
Post by: william_syd on February 04, 2006, 06:34:01 AM
Quote from: "calisun"

Charlie, thanks for the RSA key authentication tip. Do you have a favorite site where to learn more about RSA, or should I just google it?


Try http://www.wellsi.com/sme/ssh/ssh.html