Hi there:

In /var/log/messages i've got many lines like these, with a different user name for each pair.

May 17 12:18:04 host21 sshd[mmmmm]: Invalid user magnos from nnn.nnn.nn.n
May 17 12:18:04 host21 sshd[mmmmm]: Failed password for invalid user magnos from nnn.nnn.nn.n port ppppp ssh2

And there are hundreds of these names. These users are not in /etc/passwd. What would the meaning of this be? Bear in mind my machine is connected to the outside world by two and only two channels: the console and my ISP, and that i'm the only only one who sits at the console. Thanks for reading.

------------------------------------------ Enrique.

People are trying to log in to your ssh server, guessing passwords. This procedure is most likely entirely automated on the attacker's part but it's often quite wise to move the ssh listening port from port 22 to something non-standard if your machine is connected to the outside world.

Also, ssh blacklisting/whitelisting allows you to automatically deny all connections from, say, countries other than your own.

A slightly more targeted variant would be to use tools like
blockhosts, fail2ban, et al. to deny repeated login-attempts
to IPs with e.g. 3 failed attempts for an hour, which makes
brute force attacks far less likely to succeed w/o having to
permanently block half the world...

Have a look at the sticky about ssh attacks in security


Cheers,
Tink

Thanks a lot. I run 'top|grep ssh' and don't see ssh. Possible cause (besides my own ignorance)?

Tinkster, I'll make a full revision of my distro and see if
those programs are there. Thanks very much.

P.S.: by the way: is the practice of addressing members individually wise?

That's odd, considering that messages quite clearly states
that sshd is running?

Most welcome.

I'm not sure I follow? If you mean contacting individuals
via e-Mail, off the board, I can only speak for myself and
say that I ignore these requests (not entirely, I will only
respond that I don't have the time to take care of those
requests on top of my time spent with work, day to day chores
and the copious amounts of time I spend on LQ anyway) - others
may feel the same (or completely differently).

If you mean something else, please elaborate, or rephrase
your question to clarify.


Cheers,
Tink

Tinkster: Roger. About the addressing thing, I mean using the member's LQ name (not his real name) in the thread's post.
Take the message you are reading now as an example. If I were to put 'i92guboj' into it and i92guboj were a LQ member, would this be well seen. Namely, does it violate any regulation or increases the probabilities of the post being rejected by a moderator? I at first said to myself: If the thread is too long, then the style of addressing individualy, in the sense above indicated, would end making
me mad, and introducing confusion into the other members.
But then, I reconsidered, and saw linuxquestions as a chatting site very much like a room where people chats. In the last case, it makes sense to address individually somebody, just as people in a room do. That's all and I hope not having been too long. Thanks.

I think "top" isn't the perfect tool for the task. It can show the [em]top[/em] CPU or memory consumers. When I try your command, top runs indefinitely, until I kill it, and gives no output.

Use, instead, or, if you like it fancier, (The "f"s are for "forest" and "full", respectively).

You're welcome to address me as "Quigi" any time. No, it's not my "given" name, but my pals have been calling me that since gave me the name in elementary school. Unauthoritatively, I think it's appropriate to call people on LQ by whatever moniker they chose for themselves.

/Quigi

How many of the users are authorized to use ssh? If only a few, then you can use "AllowUsers" in /etc/ssh/sshd_config to restrict access to only these users. This is much easier than adding system users to UsersDeny. System users are known and often targets of brute force attacks.

Changing the port that ssh uses will remove many of the script kiddie attacks. Only allowing protocol 2 and using Public Key authentication, and not allowing root logins as well as AllowUsers may discourage more skilled attackers as well.

Sorry for the delay. I inserted the line 'allowusers root' in file sshd_config. Rest of file is entirely commented. But
sshd doesn't seem to be reading sshd_config because i rebooted as a regular user and the system didn't object.
Any hint will be gladly received.

Hi,

Sorry, there's two problems:
#1: permitting root logins via ssh is one of the most basic mistakes one can make,
and considered a MAJOR security flaw. Permit one or two known good user accounts
with very secure passwords.
#2: The key-/value-pair is case sensitive. allowusers != AllowUsers



Cheers,
Tink

Hi and thanks.

Two things:
#1: I only did it as a test, to see what happened. Later I proved with a regular user's username and again it did not work.
#2: only the value member of the pair is case sensitive, at least in my manual. Anyways, in /etc/ssh/sshd_config I entered, verbatim,

AllowUsers xxxxxx.

Errata: I said every entry in this file is commented out.
Correction: There's an entry with keyword 'Subsystem'
which is uncommented (as it was in the distro).

I admit a lot of man pages yet to read. As you have been so kind as to answer my post, I must say I only would like to know this:
Having three users in the system, root, regular_user_1, regular_user_2, and entry

AllowUsers regular_user_1

in /etc/ssh/sshd_config, why am I able to log in as regular_user_2? I'll also give a look to LQ-Security forum, a sticky thread with references to that matter. Regards.

Hmmm ... after that change to the sshd_config file, did you
restart the daemon?

Are you going to be using SSH?
If your not why not disable it. Tell us your distro and someone will be able to help

After modifying sshd_config I rebooted. So, sshd restarted.

I intend to stick to the policy of my distribution, Slackware 12.0 which, out of the box, makes sshd run. But I could temporarily disable it, if someone helps me. Thanks.