Report on insecure SSH configs might have triggered the scans
The sudden spike can also be explained by a report published at the start of the week by Venafi, a provider of identity protection services.
The company conducted a study among 410 IT security professionals and found "a widespread lack of SSH security controls."
Key study findings:
Sixty-one percent of respondents do not limit or monitor the number of administrators who manage SSH; only 35 percent enforce policies that prohibit SSH users from configuring their authorized keys, leaving organizations blind to abuse from malicious insiders.
Ninety percent of the respondents said they do not have a complete and accurate inventory of all SSH keys so there is no way to determine if keys have been stolen, misused or should not be trusted.
Just twenty-three percent of respondents rotate keys on a quarterly or more frequent basis. Forty percent said that they don’t rotate keys at all or only do so occasionally. Attackers that gain access to SSH keys will have ongoing privileged access until keys are rotated.
Fifty-one percent of respondents said they do not enforce “no port forwarding” for SSH. Port forwarding allows users to effectively bypass the firewalls between systems so a cybercriminal with SSH access can rapidly pivot across network segments.
Fifty-four percent of respondents do not limit the locations from which SSH keys can be used. For applications that don’t move, restricting SSH use to a specific IP address can stop cybercriminals from using a compromised SSH key remotely.
Public bug disclosures or reports like these often trigger a reaction from the cybercriminal underground, whose members read infosec-themed sites as avidly as security professionals do.
Website owners are advised to check that they have not accidentally uploaded their SSH private key to their public servers or committed it to Git or SVN repositories. Setting a passphrase on the private SSH key also prevents an attacker from using the key, even if he manages to get his hands on it.
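
The check described above can be run over a web root or a repository working copy. The following is an added example, not part of the original article: it walks a directory tree, flags every file that contains a private key, and reports whether the key is passphrase-protected. The function names (classify, scan, constructed_key) are hypothetical, and the sample key is a constructed, non-functional blob.

```python
import base64, os, struct

MAGIC = b"openssh-key-v1\0"   # header of the new OpenSSH private key format
MARKERS = tuple(b"-----BEGIN " + t + b"PRIVATE KEY-----" for t in
                (b"OPENSSH ", b"RSA ", b"DSA ", b"EC ", b"ENCRYPTED ", b""))

def classify(data):
    """Return None (no key), 'encrypted', 'unencrypted' or 'unknown'."""
    marker = next((m for m in MARKERS if m in data), None)
    if marker is None:
        return None
    # PKCS#8 encrypted keys and legacy PEM keys announce encryption in clear text.
    if b"ENCRYPTED" in marker or b"Proc-Type: 4,ENCRYPTED" in data:
        return "encrypted"
    if b"OPENSSH" not in marker:
        return "unencrypted"
    # New format: base64 body = magic, then a length-prefixed cipher name.
    body = data.split(marker, 1)[1].split(b"-----END", 1)[0]
    try:
        blob = base64.b64decode(b"".join(body.split()))
    except ValueError:
        return "unknown"
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
        return "unknown"
    (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
    cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
    return "unencrypted" if cipher == b"none" else "encrypted"

def scan(root, max_bytes=64 * 1024):
    """Walk root and map relative path -> verdict for every file holding a key."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    verdict = classify(fh.read(max_bytes))
            except OSError:
                continue   # unreadable file: skip rather than abort the sweep
            if verdict:
                findings[os.path.relpath(path, root)] = verdict
    return findings

def constructed_key(cipher):
    """CONSTRUCTED, non-functional blob in OpenSSH key framing (sample input)."""
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\0" * 16
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob)
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")
```

Call scan() with the document root or checkout directory; any path it returns should be removed from the public location and the key replaced, with "unencrypted" findings handled first.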