Securing SSH Access
Pavel Shukhman, OWASP Meetup
Ottawa, August 2019
Attack Vectors
• Brute-force attacks
• SSH traffic intercepts (MITM)
• Attacks on administrator workstations
• Insider attacks
PART 1. BRUTE-FORCE ATTACKS
Brute Force Today
• Millions of brute-force attempts per day against a large honeypot built by UIUC (2017-2018)
• Bots increasingly try key-based logins as well as passwords
• Chalubo IoT botnet (September 2018)
Protect from Brute Force - I
• Disable password authentication (PasswordAuthentication no)
• Disable root login (PermitRootLogin no)
• Allow-list the user logins that may use SSH (AllowUsers / AllowGroups)
• Use a non-standard port, e.g. 5xxxx instead of 22 (cuts scanner noise only; not a security control on its own)
Protect from Brute Force - II
• Limit the source IP range (firewall / security group, or AllowUsers user@CIDR)
• Use 2FA on SSH, e.g. Google Authenticator via PAM
• Just-in-time access configured at the cloud provider
• Add monitoring on auth.log (failed logins per source, and successful logins from unexpected sources)
Protect from Brute Force - Tools
• SSHGuard (default on GCP images)
• Fail2ban (protects SSH and other services)
• DenyHosts
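The "monitoring on auth.log" bullet, as a script. This is an added example and not part of the original deck or of any of the tools listed above: it counts failed logins per source the way Fail2ban and SSHGuard do before they ban, separates password guessing from key-based probes (the "bots increasingly try keys" point), and lists successful logins from outside an expected admin range. The log lines are constructed samples in OpenSSH's syslog format; the 10.8.0.0/24 admin range is an assumption.

```shell
#!/bin/sh
# Added example, not from the original deck: auth.log monitoring for SSH.
# The log lines below are constructed samples in OpenSSH's syslog format.
set -eu

write_sample_auth_log() {  # $1 = path
  cat >"$1" <<'EOF'
Aug 12 03:14:07 bastion sshd[1123]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug 12 03:14:09 bastion sshd[1125]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Aug 12 03:14:10 bastion sshd[1127]: Invalid user oracle from 203.0.113.7 port 51044
Aug 12 03:14:12 bastion sshd[1129]: Connection closed by authenticating user root 198.51.100.23 port 40112 [preauth]
Aug 12 03:14:13 bastion sshd[1131]: Accepted publickey for pavel from 10.8.0.5 port 55100 ssh2: ED25519 SHA256:Q4fConstructedFingerprint
Aug 12 03:14:20 bastion sshd[1133]: Failed publickey for root from 198.51.100.23 port 40120 ssh2: RSA SHA256:7nWConstructedFingerprint
Aug 12 03:15:02 bastion sshd[1140]: Accepted publickey for ops-oncall from 192.0.2.44 port 60010 ssh2: ED25519 SHA256:k9LConstructedFingerprint
EOF
}

# Per-source failure counts: "<ip> <total> <password> <key>" for every source
# with at least $2 failures, busiest first. "Failed publickey" (logged with
# LogLevel VERBOSE) and "Connection closed by authenticating user ... [preauth]"
# are what key-trying bots leave behind; the rest are password/username guesses.
ssh_brute_force_report() {  # $1 = auth.log, $2 = threshold
  awk -v limit="$2" '
    /sshd\[[0-9]+\]:/ && (/Failed (password|publickey|none) for/ || /Invalid user/ || /Connection closed by (authenticating|invalid) user/) {
      ip = ""
      for (i = 2; i <= NF; i++) if ($i == "port") { ip = $(i - 1); break }
      if (ip == "") next
      total[ip]++
      if (/Failed publickey/ || /Connection closed by authenticating user/) { key[ip]++ } else { pw[ip]++ }
    }
    END {
      for (ip in total)
        if (total[ip] >= limit) printf "%s %d %d %d\n", ip, total[ip], pw[ip], key[ip]
    }' "$1" | sort -k2,2nr
}

# Successful logins whose source does not start with the allowed prefix.
# Once brute force is closed off, this is the alert that matters.
accepted_from_outside() {  # $1 = auth.log, $2 = allowed source prefix, e.g. 10.8.0.
  awk -v pfx="$2" '
    /sshd\[[0-9]+\]: Accepted / {
      ip = ""
      for (i = 2; i <= NF; i++) if ($i == "port") { ip = $(i - 1); break }
      if (index(ip, pfx) != 1) print
    }' "$1"
}

main() {
  log=$(mktemp)
  write_sample_auth_log "$log"
  echo "== sources with >= 3 failures (ban candidates for Fail2ban/SSHGuard/firewall)"
  ssh_brute_force_report "$log" 3
  echo "== sources with >= 2 failures (password vs key probes)"
  ssh_brute_force_report "$log" 2
  echo "== accepted logins from outside 10.8.0.0/24"
  accepted_from_outside "$log" 10.8.0.
  rm -f "$log"
}
main
```

Feed the first report into your ban mechanism of choice; the second column split tells you whether a source is guessing passwords (irrelevant once PasswordAuthentication is off) or probing keys.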
PART 2. MAN-IN-THE-MIDDLE
MITM Vulnerabilities
• SSH protocol version 1 was shown to be vulnerable in the late 1990s (e.g. the 1998 CRC-32 insertion attack) and is no longer supported by OpenSSH
• Plaintext-recovery attack against CBC-mode ciphers, November 2008 (CVE-2008-5161): low probability per connection, but the reason CBC modes are avoided
• Timing attacks (e.g. inter-keystroke timing analysis of interactive sessions)
• Snowden leaks (December 2014) included documents on NSA efforts to break SSH
MITM Mitigation
• Restrict the Ciphers, KexAlgorithms and MACs lines in sshd_config to strong algorithms (AES-GCM/CTR, ChaCha20-Poly1305; no CBC, no SHA-1 key exchange)
• Require the same strong algorithms on clients (same keywords in ssh_config)
• Cipher choice does not stop an impostor host: the open question is how to distribute and verify host keys
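The two "Protect from Brute Force" slides and the "MITM Mitigation" slide above are, on the server, one sshd_config change. The following is that file written out, plus an audit that flags the weak settings the slides warn about. It is an added example, not the deck's or any project's code; the port, the user names, the 10.8.0.0/24 admin range and the PAM/Google Authenticator setup are assumptions. The audit reads only the global section of the file (first occurrence of a keyword wins, as in sshd); to evaluate Match blocks on a real host use `sshd -T -C user=...,addr=...`.

```shell
#!/bin/sh
# Added example, not from the original deck: hardened sshd_config plus an audit.
# Port, users, admin range and PAM setup are placeholders; adapt before use.
set -eu

write_hardened_sshd_config() {  # $1 = output path
  cat >"$1" <<'EOF'
# A non-standard port only cuts scanner noise; the controls below do the work.
Port 50022
HostKey /etc/ssh/ssh_host_ed25519_key
# VERBOSE logs key fingerprints on login and failed key attempts (useful for auth.log monitoring).
LogLevel VERBOSE

# Brute force: no passwords, no root, named users only, only from the admin range.
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
AllowUsers pavel@10.8.0.0/24 ops-oncall@10.8.0.0/24
MaxAuthTries 3
LoginGraceTime 20

# 2FA: a key AND a TOTP code; the code is checked by PAM (pam_google_authenticator in /etc/pam.d/sshd).
# Older releases spell KbdInteractiveAuthentication as ChallengeResponseAuthentication.
UsePAM yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

# MITM: modern algorithms only. No CBC modes, no RC4/3DES, no SHA-1 key exchange, no MD5/truncated MACs.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
EOF
}

# A typical distribution default, for comparison: commented keywords mean "default".
write_weak_sshd_config() {  # $1 = output path
  cat >"$1" <<'EOF'
#PasswordAuthentication yes
PermitRootLogin yes
X11Forwarding yes
Ciphers aes128-cbc,aes256-ctr
EOF
}

# Print one FAIL line per weak setting; exit 1 if there are any.
# Only the global section is checked: parsing stops at the first Match block.
audit_sshd_config() {  # $1 = sshd_config
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    { k = tolower($1) }
    k == "match" { exit }
    !(k in seen) { seen[k] = 1; v[k] = tolower($2) }
    END {
      bad = 0
      if (!("passwordauthentication" in v) || v["passwordauthentication"] != "no")
        { print "FAIL PasswordAuthentication is not no (sshd default is yes)"; bad++ }
      if (!("permitrootlogin" in v) || v["permitrootlogin"] != "no")
        { print "FAIL PermitRootLogin is not no"; bad++ }
      if (!("allowusers" in v) && !("allowgroups" in v))
        { print "FAIL no AllowUsers/AllowGroups allow-list"; bad++ }
      if (!("authenticationmethods" in v) || v["authenticationmethods"] !~ /publickey,keyboard-interactive/)
        { print "FAIL AuthenticationMethods does not require publickey,keyboard-interactive"; bad++ }
      if (!("ciphers" in v) || v["ciphers"] ~ /cbc|arcfour|3des/)
        { print "FAIL Ciphers not pinned or includes CBC/RC4/3DES"; bad++ }
      if (!("kexalgorithms" in v) || v["kexalgorithms"] ~ /sha1/)
        { print "FAIL KexAlgorithms not pinned or includes SHA-1 groups"; bad++ }
      if (!("macs" in v) || v["macs"] ~ /md5|-96/)
        { print "FAIL MACs not pinned or includes MD5/truncated MACs"; bad++ }
      exit (bad > 0)
    }' "$1"
}

main() {
  tmp=$(mktemp -d)
  write_hardened_sshd_config "$tmp/sshd_config.hardened"
  write_weak_sshd_config "$tmp/sshd_config.weak"
  for f in "$tmp"/sshd_config.*; do
    echo "== $f"
    if audit_sshd_config "$f"; then echo "OK: no findings"; fi
  done
  rm -rf "$tmp"
}
main
```

The same Ciphers, KexAlgorithms and MACs keywords go into the client's ssh_config so that a downgraded server is refused rather than accepted. Validate the file with `sshd -t -f <path>` before restarting sshd, and keep an existing session open while you do.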
Bastion-style Infrastructure
• Idea: only allow external SSH to the bastion nodes
• SSH to production nodes only through the bastions (e.g. ProxyJump in ssh_config)
• Reduces MITM / honeypot exposure: only the bastion host keys need to be distributed and verified, and production hosts are not reachable from the Internet at all
• Mitigates other attacks on the infrastructure by shrinking the exposed surface
Bastion Architecture (diagram): admin workstation --SSH--> Bastions (public IPs, inside the VPC) --SSH--> Application Nodes (only private IPs)
Signed SSH Certificates
• HashiCorp Vault provides an open source solution (SSH secrets engine)
• Acts as a CA that signs user public keys into short-lived certificates; sshd trusts the CA (TrustedUserCAKeys) instead of per-user authorized_keys entries
• Host key signing adds the same layer for hosts: clients trust the host CA (@cert-authority in known_hosts) instead of per-host entries
• Works as a PAM (privileged access management) layer, but a super-admin with access to the CA or to the hosts can still circumvent it
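The certificate flow that Vault automates, written out with plain ssh-keygen so the moving parts are visible. This is an added example, not the deck's or Vault's code: separate user and host CAs, a short-lived user certificate with named principals and a source-address restriction, a host certificate, and the two configuration lines that make sshd trust the user CA and clients trust the host CA. The host CA part is also the answer to the "how to manage host keys" question on the MITM slide: clients stop relying on per-host known_hosts entries. CA names, principals, host names, the 10.8.0.0/24 range and the lifetimes are assumptions.

```shell
#!/bin/sh
# Added example, not from the original deck: OpenSSH certificate authority
# workflow with ssh-keygen. Names, principals, ranges and lifetimes are placeholders.
set -eu

# Two CAs: one signs user keys, one signs host keys. Keeping them separate means
# a leaked user CA cannot mint host certificates, and vice versa.
make_cas() {  # $1 = directory
  ssh-keygen -q -t ed25519 -N '' -C user-ca -f "$1/user_ca"
  ssh-keygen -q -t ed25519 -N '' -C host-ca -f "$1/host_ca"
}

# Sign an admin's public key: 8-hour validity, explicit principals, and a
# source-address restriction so the certificate is useless from elsewhere.
# Output: <pubkey basename>-cert.pub next to the input.
sign_user_key() {  # $1 = dir, $2 = user pubkey, $3 = key id, $4 = principals (comma-separated)
  ssh-keygen -q -s "$1/user_ca" -I "$3" -n "$4" -V +8h \
    -O source-address=10.8.0.0/24 -O no-port-forwarding "$2"
}

# Sign a host key. Clients that trust host_ca accept this host without a
# trust-on-first-use prompt and without a known_hosts entry per host.
sign_host_key() {  # $1 = dir, $2 = host pubkey, $3 = host name(s) (comma-separated)
  ssh-keygen -q -s "$1/host_ca" -I "$3" -h -n "$3" -V +52w "$2"
}

# Server side: trust the user CA and present the host certificate.
sshd_lines() {
  printf 'TrustedUserCAKeys /etc/ssh/user_ca.pub\nHostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub\n'
}

# Client side: one known_hosts line covering every host the host CA signs.
known_hosts_ca_line() {  # $1 = dir
  printf '@cert-authority *.example.internal %s\n' "$(cut -d' ' -f1,2 "$1/host_ca.pub")"
}

# Read one field of a certificate as printed by ssh-keygen -L (e.g. "Key ID", "Type").
cert_field() {  # $1 = cert file, $2 = field name
  ssh-keygen -L -f "$1" | sed -n "s/^ *$2: *//p"
}

main() {
  d=$(mktemp -d)
  make_cas "$d"
  # The admin's key would normally come from the laptop or a YubiKey; generated here for the demo.
  ssh-keygen -q -t ed25519 -N '' -C pavel@laptop -f "$d/pavel"
  ssh-keygen -q -t ed25519 -N '' -C app01 -f "$d/ssh_host_ed25519_key"
  sign_user_key "$d" "$d/pavel.pub" pavel@laptop pavel,ops
  sign_host_key "$d" "$d/ssh_host_ed25519_key.pub" app01.example.internal
  echo "== user certificate"
  ssh-keygen -L -f "$d/pavel-cert.pub"
  echo "== sshd_config lines"
  sshd_lines
  echo "== known_hosts line for every client"
  known_hosts_ca_line "$d"
  rm -rf "$d"
}
if command -v ssh-keygen >/dev/null 2>&1; then main; else echo "ssh-keygen not found; demo skipped" >&2; fi
```

With certificates in place, revocation is a matter of letting the 8-hour certificate expire (or listing its key in RevokedKeys), and onboarding a host means signing its key rather than touching every admin's known_hosts. Vault's ssh secrets engine performs the `sign_user_key` step as an authenticated API call against a CA it holds.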
PART 3. ADMIN WORKSTATION
Suppose a laptop is broken into: what can an attacker get?
• Private keys?
• Host IPs?
• Host public keys?
• Cloud Service Provider tokens?
Known Hosts, Remote IPs, Host Keys
• Add HashKnownHosts yes to ssh_config on the client (only entries written from then on are hashed; convert the existing file with ssh-keygen -H)
• Did not find an alternative on Windows
• Essentially, remote IPs are hard to protect
• Check what the file currently exposes: cat ~/.ssh/known_hosts
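What HashKnownHosts actually does to an entry, as an added example that is not part of the deck. An OpenSSH hashed entry is `|1|base64(salt)|base64(HMAC-SHA1(key=salt, data=host))` with a 20-byte salt; the script implements that with openssl, hashes a constructed known_hosts, and shows that lookups still work against the hashed form, which is why hashing costs nothing operationally. In daily use `ssh-keygen -H -f ~/.ssh/known_hosts` does the in-place conversion and `ssh-keygen -F <host>` the lookup; they are what the two functions below reproduce. The host names, IP and key strings are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original deck: the HashKnownHosts entry format,
# implemented with openssl. Host names, IP and key material are placeholders.
set -eu

# Hash one host name. $2 is an optional base64 20-byte salt (random if omitted),
# which is what makes the same host hash differently in every file.
hash_known_host() {  # $1 = host, [$2 = base64 salt]
  salt_b64=${2:-$(openssl rand -base64 20)}
  salt_hex=$(printf '%s' "$salt_b64" | openssl base64 -d -A | od -An -tx1 | tr -d ' \n')
  mac_b64=$(printf '%s' "$1" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$salt_hex" -binary | openssl base64 -A)
  printf '|1|%s|%s\n' "$salt_b64" "$mac_b64"
}

# Hash every plain entry of a known_hosts file (one line per host, as ssh-keygen -H
# does). Comments, already-hashed entries and @cert-authority/@revoked markers pass through.
hash_known_hosts_file() {  # $1 = known_hosts; hashed copy on stdout
  while IFS= read -r line; do
    case $line in
      ''|'#'*|'|1|'*|'@'*) printf '%s\n' "$line"; continue ;;
    esac
    hosts=${line%% *}
    rest=${line#* }
    old_ifs=$IFS; IFS=,
    for h in $hosts; do
      printf '%s %s\n' "$(hash_known_host "$h")" "$rest"
    done
    IFS=$old_ifs
  done <"$1"
}

# Lookup against hashed entries: re-hash the query with each line's own salt and compare.
known_hosts_has_host() {  # $1 = hashed known_hosts, $2 = host; exit 0 if present
  while IFS= read -r line; do
    case $line in '|1|'*) ;; *) continue ;; esac
    entry=${line%% *}
    salt=${entry#|1|}
    salt=${salt%%|*}
    if [ "$(hash_known_host "$2" "$salt")" = "$entry" ]; then return 0; fi
  done <"$1"
  return 1
}

# Constructed, unhashed known_hosts: every host name and IP is readable.
write_sample_known_hosts() {  # $1 = path
  cat >"$1" <<'EOF'
bastion.example.internal,10.8.0.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderNotARealKey000 bastion
@cert-authority *.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderNotARealCAKey0 host-ca
EOF
}

main() {
  d=$(mktemp -d)
  write_sample_known_hosts "$d/known_hosts"
  hash_known_hosts_file "$d/known_hosts" >"$d/known_hosts.hashed"
  echo "== hashed file (host names and IPs no longer readable)"
  cat "$d/known_hosts.hashed"
  for h in bastion.example.internal 10.8.0.10 other.example.internal; do
    if known_hosts_has_host "$d/known_hosts.hashed" "$h"; then echo "found: $h"; else echo "absent: $h"; fi
  done
  rm -rf "$d"
}
if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not found; demo skipped" >&2; fi
```

The hash hides names and addresses from someone who merely reads the file; it does not stop them from testing guesses against it, which is exactly what `known_hosts_has_host` does. That is why the slide's conclusion stands: hashing raises the cost, but remote IPs are still hard to protect.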
Where do you store private keys?
• Your laptop (better: a secured, passphrase-protected location on the laptop)
• USB key (better: encrypted)
• Smart card (e.g. YubiKey)
• Worst: when people start copying private keys around between machines
Using YubiKeys
• Best option security-wise: the private key never leaves the card
• But: non-user-friendly configuration
• Keys are used through the OpenPGP applet (gpg-agent acting as the SSH agent) or the PIV applet rather than as ordinary SSH key files
• Need at least 2 keys per person (one as a backup)
• Generate keys on the card and back up the public part (certificate), since the private key cannot be exported
Authentication Strategies
• Keep an organization-wide inventory of public keys, with rotation and scanners for stray authorized_keys entries
• Centralized accounts: LDAP / Kerberos
• Signed, short-lived certificates (HashiCorp Vault style)
Cloud Provider Access
• Require MFA for Cloud Provider access
• Try not to store long-lived access tokens on the laptop
• General hygiene: encrypted disks, secured access to the OS, lock the laptop when away, etc.
PART 4. INSIDER ATTACKS
HR Considerations
• Limit the number of SSH admins to the minimum
• Select the most trusted people for the job (e.g. >2 years on the job)
• Regular, at least bi-weekly, one-on-ones
• Keep staff happy and motivated
• Establish a proper offboarding process (keys and certificates revoked, not just accounts)
IAM, PIM, PAM
• Mainly commercial tools in the space
• May proxy SSH connections
• May record SSH sessions
• But questions remain
Remaining Questions on PIM, PAM
• “You have to trust someone” (CS101)
• Chicken-and-egg problem
• What about PIM/PAM vendors?
• Session recording deters and supports investigation, but does not prevent attacks (like street cameras)
Other Options
• Minimize the number of occasions when SSH access is needed at all
• Shamir’s Secret Sharing and separation of duties (no single person holds the whole secret) – a path forward
• Open source solution – HashiCorp Vault (its unseal keys use Shamir’s scheme)
• These recommendations solve many issues but cannot mitigate all insider attacks
References
• Cao et al., CAUDIT: Continuous Auditing of SSH Servers To Mitigate Brute-Force Attacks (NSDI '19): https://www.usenix.org/system/files/nsdi19-cao.pdf
• https://en.wikipedia.org/wiki/Secure_Shell#Vulnerabilities
• HashiCorp Vault, Signed SSH Certificates: https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates.html
• https://worklifenotes.com/2019/07/05/yubikey-for-ssh-on-windows-complete-walkthrough/
• https://www.engineerbetter.com/blog/yubikey-ssh/
• https://www.youtube.com/watch?v=exjorJyddok
About me, Pavel Shukhman
• Working with Infrastructure, DevOps,
DevSecOps, DataOps for more than 10
years
• In the early stage of building Reliza, my 3rd
self-founded Start-Up, and 5th total
• https://www.linkedin.com/in/pshukhman
Thank you!
