Cloud servers often have Secure Shell (SSH) enabled for remote administration and maintenance of servers. SSH runs on port 22 by default and is widely used in cloud environments because of the encrypted communication channel it provides the client and server. SSH was developed to replace insecure protocols like Telnet and RSH/REXEC that communicate over an unencrypted communication channel by sending messages in plaintext.
This tip looks at the different types of attacks on SSH and some ways to boost SSH security in the cloud.
Attacks on SSH
Systems in the public cloud are usually accessible from anywhere on the Internet, which makes them susceptible to various attacks. The most common attacks include:
- Timing-based attack: Various cryptographic functions are applied to the user's input when a connection with the SSH server is established. Because most of these cryptographic operations take considerable time to execute, an attacker can use timing information to learn additional details about the system, such as which user accounts exist on it.
- Denial-of-service (DoS) attack: In a DoS attack, the attacker spawns many concurrent sessions with the SSH server, each of which takes considerable server resources to process. Because of the time-consuming compression and encryption algorithms applied to the exchanged data, SSH can be rendered inaccessible by a relatively small number of threads.
- Password brute-force attack: An attacker can run a brute-force or dictionary attack against an Internet-facing SSH server that is reachable from anywhere on the Web. If the attacker manages to guess the root user's password, they gain complete control of the server.
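The brute-force attack above is also the one that the DenyHosts approach described further down counters: count failed sshd logins per source address and block sources that cross a threshold. The following POSIX shell script is an added example written for this article (not code from the article, from DenyHosts or from OpenSSH) that runs that logic over a handful of constructed auth-log lines; the log lines, the host name, the addresses from the RFC 5737 documentation ranges and the threshold of three failures are all assumptions made up for the example.

```shell
#!/bin/sh
# Constructed sample of sshd auth-log lines (made up for this example, not from a real host).
SAMPLE_LOG='Mar  3 10:01:12 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:19 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:22 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51241 ssh2
Mar  3 10:01:25 web1 sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Mar  3 10:02:01 web1 sshd[2110]: Failed password for alice from 198.51.100.20 port 40011 ssh2
Mar  3 10:02:09 web1 sshd[2110]: Accepted publickey for alice from 198.51.100.20 port 40011 ssh2
Mar  3 10:03:40 web1 sshd[2120]: Failed password for invalid user oracle from 192.0.2.33 port 60002 ssh2
Mar  3 10:03:44 web1 sshd[2120]: Failed password for invalid user oracle from 192.0.2.33 port 60003 ssh2
Mar  3 10:03:48 web1 sshd[2120]: Failed password for invalid user oracle from 192.0.2.33 port 60004 ssh2'

# failed_by_ip LOGTEXT -> one "count ip" line per source address, highest count first.
# Only "Failed password" lines emitted by sshd are counted; accepted logins are ignored.
failed_by_ip() {
    printf '%s\n' "$1" |
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' |
    sort -rn
}

# block_candidates LOGTEXT THRESHOLD -> addresses whose failure count reaches the threshold
block_candidates() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# hosts_deny_lines LOGTEXT THRESHOLD -> the same addresses in /etc/hosts.deny syntax,
# restricted to the sshd daemon (TCP Wrapper "daemon: client" form)
hosts_deny_lines() {
    block_candidates "$1" "$2" | sed 's/^/sshd: /'
}

# Stand-alone run: a legitimate user with a single typo (198.51.100.20) stays below the
# threshold, the two scanning sources do not.
echo "Failures per source:"
failed_by_ip "$SAMPLE_LOG"
echo "Lines to append to /etc/hosts.deny (threshold 3):"
hosts_deny_lines "$SAMPLE_LOG" 3
```

On a real host the log would be read from /var/log/auth.log (or the journal) rather than a variable, and the threshold should be applied per time window so that a slow, spread-out attempt is also caught; DenyHosts handles both, and the script only shows the counting and the block-list format.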
There are numerous considerations to take into account when hardening the security of SSH servers, including:
- Configuration options: SSH is a secure protocol by default, but there are still configuration options that can harden SSH security further. The most common security options for the SSH daemon are presented in a contributing article from Infosec Resources.
- TCP Wrapper: This program can be used to specify a list of IP addresses that are allowed or denied access to the SSH server, using the /etc/hosts.allow and /etc/hosts.deny files. A good security practice is to add your own IP address to /etc/hosts.allow first, to avoid locking yourself out of the server.
- DenyHosts: This script allows organizations to monitor invalid login attempts and block the IP addresses the authentication requests originate from. The protection can be enabled by installing the DenyHosts package with a package manager like apt-get. Afterwards, configure the /etc/denyhosts.conf file and change the SMTP settings so that an email is sent to the administrator whenever an IP is blocked.
- Port knocking: Systems in the public cloud are usually accessible from anywhere on the Internet, making them susceptible to various SSH attacks. This can be prevented by disabling the SSH service, but then it can't be used to manage the servers. Port knocking is a technique used together with a firewall to open specific ports upon receiving a particular knock sequence. It uses packet headers to communicate secret information to the server, which then opens a specific port. The secret knock is embedded as an ordered sequence of destination ports, and SYN packets must be received on them in that order for the knock to be valid. When the correct sequence of SYN packets to those arbitrary ports is received, the client is allowed to access the port. This method is quite limited because it implements security through obscurity: an attacker can still brute-force the order of ports to which SYN packets need to be sent. Other attacks, such as packet-replay attacks, are also possible and can defeat port-sequence knocking. This is because the packets that need to be sent to the remote server are always the same, making them easy to sniff and replay.
- Single packet authorization: This technique doesn't embed the secret information in packet headers, but rather in the packet payload. Before the port knocking sequence is issued, a secure encrypted communication channel is established with the server, which prevents replay attacks. This works because the packets are never the same, since the necessary randomness is introduced during connection establishment. Therefore, even if an attacker is able to sniff every packet exchanged during port knocking, he or she will not be able to replay them. This option is also safer to use because, unlike a port knocking sequence, its packets don't look like a port scan, so a firewall won't block them.
- Two-factor authentication (2FA): 2FA can be enabled on the SSH server by using either a PAM module or Duo Unix. Both options require a password or certificate to be used together with a security token that is accessible on the user's phone.
- SSH Key Manager: Enterprises might consider using the Universal SSH Key Manager, which provides advanced functionality such as reporting which user is able to access a resource, revoking old certificates, issuing new certificates, etc.
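The configuration-options bullet above points to another article for the daemon settings, so here is an added example (written for this article, not code from the article, from Infosec Resources or from OpenSSH) that shows how a defender can check an sshd_config for the most common weak settings before a server goes into the cloud. It is a POSIX shell script that reads the effective value of a directive the way sshd does (first occurrence wins, comments skipped, conditional Match blocks not evaluated) and compares it against a small hardening table. The two configuration files it checks are constructed for the example; the directive names and the defaults in the table (PermitRootLogin defaulting to prohibit-password, PasswordAuthentication to yes, PermitEmptyPasswords to no, PubkeyAuthentication to yes, MaxAuthTries to 6) are the OpenSSH defaults as documented in sshd_config(5), assumed here for OpenSSH 7.0 or later; the wanted values are the example's own choices.

```shell
#!/bin/sh
# Two constructed sshd_config files (made up for this example, not from a real host).
WORK=$(mktemp -d)
WEAK_CFG="$WORK/weak_sshd_config"
HARD_CFG="$WORK/hardened_sshd_config"

cat > "$WEAK_CFG" <<'EOF'
# Permissive configuration: root login and passwords are allowed over the Internet
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
X11Forwarding yes
Match User backup
    PasswordAuthentication no
EOF

cat > "$HARD_CFG" <<'EOF'
# Hardened configuration: key-based logins only, no root, few guesses per connection
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
AllowUsers deploy ops
EOF

# effective_value FILE KEYWORD -> the value sshd would use for KEYWORD, or nothing if unset.
# sshd takes the first occurrence of a keyword; keywords are case-insensitive. Parsing
# stops at the first Match line because settings below it apply only to matching sessions.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }                  # comments and blank lines
        tolower($1) == "match" { exit }                 # conditional block: stop here
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE -> prints one "WEAK ..." line per finding; returns 0 when the
# file passes and 1 when at least one weak setting was found.
audit_sshd_config() {
    cfg="$1"
    findings=0
    # Table: keyword, OpenSSH default when the keyword is absent, value wanted here.
    while read -r key default want; do
        have=$(effective_value "$cfg" "$key")
        [ -z "$have" ] && have="$default"
        have=$(printf '%s' "$have" | tr 'A-Z' 'a-z')
        case "$key" in
            MaxAuthTries)
                # numeric ceiling rather than an exact match
                if [ "$have" -gt "$want" ]; then
                    echo "WEAK $key=$have (want <= $want)"
                    findings=$((findings + 1))
                fi ;;
            *)
                if [ "$have" != "$want" ]; then
                    echo "WEAK $key=$have (want $want)"
                    findings=$((findings + 1))
                fi ;;
        esac
    done <<EOF
PermitRootLogin prohibit-password no
PasswordAuthentication yes no
PermitEmptyPasswords no no
PubkeyAuthentication yes yes
MaxAuthTries 6 3
EOF
    [ "$findings" -eq 0 ]
}

# Stand-alone run over both constructed files.
for f in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $f"
    if audit_sshd_config "$f"; then echo "no weak settings found"; fi
done
```

The weak file yields three findings (root login, password authentication and the guess limit); the hardened file yields none. The Match handling matters in practice: the weak file turns passwords off for one user inside a Match block, but the global PasswordAuthentication yes is what every other session gets, and that is what the audit reports. For a live server, `sshd -T` prints the fully resolved configuration and is the more reliable source to feed into such a check.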
While there are many common ways an attacker can breach SSH, there are also several options for hardening the security of SSH servers and properly securing the entry points into the system. Applying all of these recommendations means an attacker won't even be aware that an SSH server is present on the system, let alone be able to brute-force a user's password to gain access to it.
About the author:
Dejan Lukan has an extensive knowledge of Linux/BSD system maintenance, as well as security-related concepts including system administration, network administration, security auditing, penetration testing, reverse engineering, malware analysis, fuzzing, debugging and antivirus evasion. He is also fluent in more than a dozen programming languages, and constantly writes security-related articles for his own website.