Last year, AT&T encountered a massive Secure Socket Shell (SSH) login failure, where the Managed Threat Detection and Response (MTDR) analysts discovered above 8000 failed login attempts within a minute with different usernames, indicating a brute force attack. An SSH brute force attack is when attackers use the trial and error method to guess login credentials to gain access to the corporate network.
SSH is a cryptographic network protocol, which uses public-key cryptography to secure access to remote servers and devices over an insecure network. It is a mechanism for mutual authentication between a client and a server and establishes a safe and encrypted channel of communication.
With the proliferation of cloud and infrastructure automation, SSH keys have become crucial to enable secured remote command-line login, execution, and administrative processes. During authentication procedures, SSH keys establish root access to critical systems, thus converting these cryptographic assets into privileged credentials.
These decentralized unregulated keys are generated on an ad-hoc basis and used by administrators having privileged access to control firewalls, routers, and mission-critical systems. Organizations often tend to overlook the security concerns of the SSH keys, even though they are enabled on major operating systems like Linux, UNIX, Mac OS, and Windows OS.
Inefficient management of SSH keys exposes your organizational networks to critical security vulnerabilities, compromising data confidentiality and integrity.
Prevent outages across hybrid-cloud/multi-cloud environments with CERT+
Common mistakes that make SSH vulnerable
- Weak SSH configuration: SSH client and server implementations like OpenSSH include specific configuration parameters which administrators often miss. They opt for default settings such as port forwarding for convenience, but this increases the security risks a great deal. You must consider the security implications before making changes to the SSH configurations.
- Improper SSH key management: The explosion in the number of SSH keys cause trouble tracking and monitoring them. Homegrown custom solutions like spreadsheets are not scalable solutions for managing the SSH keys. Anyone can create SSH keys within the system using simple commands, and the keys are not governed and regulated by a centralized entity. The lack of defined management of SSH credentials can lead to potential backdoors, which hackers exploit for malicious purposes.
- Lack of awareness: Even though organizations rely on SSH keys to authenticate and enable trust between administrators, applications, and machines, they struggle to provide the enforcement policies necessary to prevent unauthorized access.
- Key sprawl: As SSH keys can be generated as needed, managing the deluge of these keys can be a security headache, leading to the possibility of a key sprawl, i.e. storing discarded and unmanaged keys in multiple locations. Unmanaged keys can be compromised and forged by attackers to launch eavesdropping attacks, like a man-in-the-middle (MITM) attack.
Security vulnerabilities of Secure Shell (SSH)
- Brute force and malware attacks: Cybercriminals target SSH keys to enjoy lateral movement within the corporate network, launch brute force, and targeted malware attacks by creating backdoors using SSH keys.
- SSH session hijacking and unauthorized access: Attackers can hijack a user’s SSH session by exploiting the trusted communication established between multiple systems via public key authentication in an SSH session. It can occur either by hijacking the SSH agent or by gaining unauthorized access to the agent’s socket. In the case of default SSH configurations, an attacker can compromise the privileged user access and create a backdoor key by tampering with the default settings.
- Private key compromise: During SSH configuration for the public key, private key enables access to critical accounts. When a private key is compromised, the attacker can access all the accounts where the private key is trusted. As SSH keys do not expire, they are often installed and forgotten. Consequently, a shorter key length continues to exist, thus giving the attackers a chance to derive its value easily.
Mitigate SSH security risks
- Discover and map keys: You need to discover SSH servers, certificates, and private keys that are authorized to grant SSH access. Periodic network scans and employing a discovery tool to locate and maintain a centralized inventory are crucial. Also important is mapping the key-user relationship. Use an agentless or agent-based discovery tool versus manual tracking to build a searchable inventory of all SSH keys.
- Create fresh key pairs and rotate keys: Use an automated workflow that will enable authorized users to create and deploy new keys. Rotate key pairs regularly at pre-defined intervals. Automated alerts and built-in integrations with active directory (AD) groups as well as self-service UI’s or APIs can help streamline the process. You can also look at implementing maximum key lifespans for smooth management.
- Control SSH keys and access: Implement SSH key management policies and practices to generate new keys and discard any orphaned keys. Practice granular access controls to ensure that only authorized users can create and access the SSH credentials. You can leverage directory services to assign the required levels of clearance based on the roles of the concerned security teams. This will help reduce the risk margin caused by key sprawl and mismanagement of keys.
- Disable root login: The root is the primary user account that is responsible for enabling complete access to Linux and UNIX-based systems. Hackers target root login to gain unlimited access to critical systems. Disable SSH root login to harden server security.
- Apply public key authentication: While password-based authentication mechanism is vulnerable to brute force attacks, key-based authentication is safe and secure. By using public-key authentication, you can log in to the SSH account using cryptographic key pairs (public and private keys) instead of passwords.
- Monitor continuously – Robust monitoring of your key inventory will help you stay proactive and ward off threats. Maintain audit trails to ensure that all keys in use adhere to policies. This will provide you with transparency into access, key modifications, and important events like key generation and rotation.