
Another critical SSH vulnerability uncovered

Red Squirrel

No Lifer
This is pretty serious for anyone that may have a web server with public-facing SSH. Might be time to start considering some sort of alternative to simply leaving it wide open. Maybe port knocking or something, or a web-based authentication form that opens up the port to your IP only.

 
OpenSSH is a suite of software tools that enable secure remote login using the SSH encryption protocol. It is included in all glibc-based Linux systems, which means virtually every major distribution except for Alpine Linux, which uses libc. BSD systems are not affected. Qualys says it does not yet know the extent to which macOS or Windows operating systems may be impacted.

Using the Censys and Shodan search engines, TRU researchers identified over 14 million potentially vulnerable OpenSSH server instances exposed to the internet. Among Qualys customers, there are around 700,000 such instances, representing 31% of the customer base.

OpenSSH versions earlier than 4.4p1 (released 2006) are vulnerable unless they've been patched for CVE-2006-5051 and CVE-2008-4109. Versions 8.5p1 (released March 2021) up to, but not including, 9.8p1 (released 1st July, 2024) are also affected, owing to the accidental removal of a critical component. The vulnerability has been fixed in version 9.8p1.

Vendors are expected to release their own patches shortly. In the meantime there are mitigating measures that organisations can take.

"If sshd can't be updated or recompiled, set LoginGraceTime to 0 in the config file," the researchers recommend. "This exposes sshd to a denial of service by using up all MaxStartups connections, but it prevents the remote code execution risk."

Computing has contacted Qualys to ask whether any exploitations of regreSSHion have been observed in the wild.
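The quoted article gives two things an administrator can act on right away: the affected version ranges, and the LoginGraceTime 0 workaround. The following is an added example (not code from the thread, the article, or the OpenSSH project) that checks an OpenSSH version banner against exactly those ranges and reads the effective LoginGraceTime out of an sshd_config. The sample config and banners are constructed. One caveat the version check cannot see: distributions backport fixes without bumping the upstream version, so a banner-based "affected" result is a prompt to check the vendor advisory, not a final verdict.

```python
"""Check an OpenSSH version and sshd_config against the mitigations in the article.
Added example; version ranges are those stated in the quoted text."""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]  # (major, minor, portable "p" patch)

# Ranges as stated in the article:
#   - releases before 4.4p1 (unless patched for CVE-2006-5051 / CVE-2008-4109)
#   - 8.5p1 up to, but not including, 9.8p1
FIXED_OLD: Version = (4, 4, 1)
REGRESSED_FROM: Version = (8, 5, 1)
FIXED_NEW: Version = (9, 8, 1)


def parse_openssh_version(banner: str) -> Optional[Version]:
    """Pull (major, minor, patch) out of an 'ssh -V' line or an SSH-2.0 banner.
    Returns None when no OpenSSH version string is present."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected_version(version: Version) -> bool:
    return version < FIXED_OLD or REGRESSED_FROM <= version < FIXED_NEW


def classify_banner(banner: str) -> str:
    """'affected', 'not-affected', or 'unknown' (not OpenSSH or unparseable).
    Version-only: a vendor backport can fix a build without changing the banner."""
    v = parse_openssh_version(banner)
    if v is None:
        return "unknown"
    return "affected" if is_affected_version(v) else "not-affected"


_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time_value(value: str) -> int:
    """sshd time format, single unit only: '120', '2m', '1h' -> seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip().lower())
    if not m:
        raise ValueError(f"bad sshd time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def login_grace_time(config_text: str) -> Optional[int]:
    """Effective LoginGraceTime in seconds, or None when the file does not set it.
    sshd honours the first occurrence of a keyword, accepts 'Key value' and
    'Key=value', and treats '#' as starting a comment."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9]+)[\s=]+(\S+)", line)
        if m and m.group(1).lower() == "logingracetime":
            return parse_time_value(m.group(2))
    return None


def workaround_applied(config_text: str) -> bool:
    """True only when LoginGraceTime is explicitly 0 (sshd's default is 120)."""
    return login_grace_time(config_text) == 0


# Constructed sample config: a typical file with the workaround applied.
SAMPLE_CONFIG = """\
# constructed sshd_config fragment
Port 22
PermitRootLogin no
LoginGraceTime 0   # workaround from the article; trades RCE risk for DoS risk
MaxStartups 10:30:100
"""

if __name__ == "__main__":
    # 'ssh -V' prints its version to stderr on most builds.
    out = subprocess.run(["ssh", "-V"], capture_output=True, text=True)
    print("local client:", classify_banner(out.stderr + out.stdout))
    print("sample config workaround applied:", workaround_applied(SAMPLE_CONFIG))
```

The article's own caveat applies to the workaround: with LoginGraceTime 0 an unauthenticated connection is never torn down, so the MaxStartups limit can be exhausted by anyone who opens enough connections; it is a stopgap until the 9.8p1 (or vendor) package is installed.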

Weird, I’m using ssh 2.0 like most people, but I still gotta check the version
 
I would hope that people are not actually exposing SSH to the internet on their router though if yes that's a big yikes no cap. Even if no vulnerability, if there is not something like fail2ban and there is no monitoring on login attempts, someone will eventually get in. At least with a web server it's something that tends to be kept updated and is monitored properly etc. Routers tend to be more set and forget.

This vulnerability and the past ones have made me realize I need to rethink having SSH facing the internet on my web server though. I might write an application that listens on a different port and I need to authenticate through that application first then it would temporarily open up the SSH port only to my IP. Basically a 2nd authentication layer. I'd build it so it's easy enough to automate, so that the automatic rsync backups can still run.
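The "second authentication layer" described in the post above, written out as an added example (not the poster's code): a client presents a shared secret to a separate service, and on success an ACCEPT rule for the SSH port is inserted for that client's address only, with a time limit after which the rule is removed. It assumes iptables, sshd on port 22, and a pre-existing rule further down the INPUT chain that drops other traffic to port 22; the command runner and the clock are injectable so the logic can be exercised without root, and the addresses used are constructed.

```python
"""Time-limited, per-source-address opening of the SSH port behind a shared-secret
check. Added example; assumes iptables and an existing DROP rule for port 22."""
import hmac
import ipaddress
import subprocess
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Runner = Callable[[List[str]], None]


@dataclass
class TemporaryAllowlist:
    shared_secret: str                  # assumption: secret the client presents first
    ttl_seconds: int = 600              # how long a granted address stays open
    port: int = 22                      # assumption: sshd on the default port
    runner: Optional[Runner] = None     # None = really run iptables; tests inject one
    clock: Callable[[], float] = time.time
    expiry: Dict[str, float] = field(default_factory=dict)  # ip -> expiry timestamp

    def _run(self, argv: List[str]) -> None:
        if self.runner is None:
            subprocess.run(argv, check=True)
        else:
            self.runner(argv)

    def _rule(self, ip: str) -> List[str]:
        # Match spec shared by the insert and the delete so they stay identical.
        return ["-p", "tcp", "--dport", str(self.port), "-s", ip, "-j", "ACCEPT"]

    def authorize(self, presented_secret: str, client_ip: str) -> Optional[float]:
        """Constant-time secret comparison; on success open the port for client_ip
        and return the expiry time, otherwise return None and touch nothing."""
        if not hmac.compare_digest(presented_secret.encode(), self.shared_secret.encode()):
            return None
        return self.grant(client_ip)

    def grant(self, client_ip: str) -> float:
        """Insert (once) an ACCEPT rule at the top of INPUT for this address and
        set or extend its expiry. Renewals never create duplicate rules."""
        addr = ipaddress.ip_address(client_ip)  # rejects anything that is not an address
        if addr.version != 4:
            raise ValueError("IPv4 only in this example; ip6tables is not handled")
        ip = str(addr)
        if ip not in self.expiry:
            self._run(["iptables", "-I", "INPUT", *self._rule(ip)])
        self.expiry[ip] = self.clock() + self.ttl_seconds
        return self.expiry[ip]

    def expire(self) -> List[str]:
        """Delete rules whose time limit has passed; call this periodically."""
        now = self.clock()
        removed: List[str] = []
        for ip, until in list(self.expiry.items()):
            if until <= now:
                self._run(["iptables", "-D", "INPUT", *self._rule(ip)])
                del self.expiry[ip]
                removed.append(ip)
        return removed


if __name__ == "__main__":
    # Dry run: print the iptables commands instead of executing them.
    al = TemporaryAllowlist(shared_secret="constructed-secret", ttl_seconds=5,
                            runner=lambda argv: print("would run:", " ".join(argv)))
    print("expires at", al.authorize("constructed-secret", "203.0.113.7"))
    time.sleep(6)
    print("expired:", al.expire())
```

Because the rule is inserted with -I it lands ahead of the DROP rule that is assumed to already protect the port; without that DROP rule the class changes nothing. The automated rsync job the post mentions would call authorize() with its own secret before connecting, and a renewal simply extends the expiry of an address that is already open.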
 
VPN is a royal pita to set up, and I don't know if it would really be any more secure as it's even more complex so it has more attack surface. Ex: Heartbleed. I think the only way to be safe is to not have anything management related that's wide open and set it up so you have to trigger it to open up and only for your IP.
 

My router makes VPN pretty easy to set up and to use. My password manager easily generates passwords up to 64 characters.

As far as SSH goes, if you’re into Linux then set up 2FA for an extra layer of protection.

 