ricci, to security
@ricci@discuss.systems avatar

Hey! Let's talk about #SSH and #security!

If you've ever looked at SSH server logs you know what I'm about to say: Any SSH server connected to the public Internet is getting bombarded by constant attempts to log in. Not just a few of them. A lot of them. Sometimes even dozens per second. And this problem is not going away; it is, in fact, getting worse. And attackers' behavior is changing.

The graph attached to this post shows the number of attempted SSH logins per day to one of @cloudlab's clusters over a four-year period. It peaks at about 3.4 million login attempts per day.

This is part of a study we did on our production system, using logs of more than 640 million login attempts, covering more than 1,500 hosts on our side and observing more than 840 thousand incoming IP addresses.

A paper presenting our analysis and a new, highly effective means to block SSH brute force attacks ("Where The Wild Things Are: Brute-Force SSH Attacks In The Wild And How To Stop Them") will be presented next week at #NSDI24 by @sachindhke. The full paper is at https://www.flux.utah.edu/paper/singh-nsdi24

Let's dive in. 🧵
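Added example, not part of the thread above and not the blocking technique from the NSDI paper: a small detector that runs over sshd "Failed password" lines in OpenSSH's syslog format, counts failures per source address inside a sliding window, and reports the usernames each source tried. The log lines are constructed for the example; the threshold and window are assumptions to tune against real volumes (at the rates described above a 10-minute window is generous).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth-log lines in OpenSSH's syslog format (not data from the study).
SAMPLE_LOG = """\
Apr 10 03:21:07 node1 sshd[12345]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Apr 10 03:21:09 node1 sshd[12346]: Failed password for root from 203.0.113.45 port 51240 ssh2
Apr 10 03:21:10 node1 sshd[12347]: Failed password for invalid user test from 203.0.113.45 port 51242 ssh2
Apr 10 03:21:11 node1 sshd[12348]: Failed password for invalid user oracle from 203.0.113.45 port 51250 ssh2
Apr 10 03:21:13 node1 sshd[12349]: Failed password for invalid user ubuntu from 203.0.113.45 port 51255 ssh2
Apr 10 03:25:40 node1 sshd[12360]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Apr 10 03:25:48 node1 sshd[12361]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2: ED25519 SHA256:abc
Apr 10 09:00:01 node1 sshd[12400]: Failed password for root from 192.0.2.9 port 2222 ssh2
Apr 10 09:00:02 node1 sshd[12401]: Failed password for root from 192.0.2.9 port 2223 ssh2
Apr 10 09:00:03 node1 sshd[12402]: Failed password for root from 192.0.2.9 port 2224 ssh2
Apr 10 09:00:04 node1 sshd[12403]: Failed password for root from 192.0.2.9 port 2225 ssh2
"""

# "invalid user" is present when the username does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip, username) for each failed password attempt.
    syslog lines carry no year, so the caller supplies it (assumed 2024 here)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def brute_force_sources(log_text, threshold=4, window=timedelta(minutes=10)):
    """Map each source IP that produced >= threshold failures inside any
    window-long span to its total failures and the usernames it tried.
    One username hammered repeatedly is password guessing; many usernames
    from one source is the account-enumeration pattern scanners use."""
    per_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        per_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "attempts": len(events),
                    "users": sorted({u for _, u in events}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failures, users tried: {', '.join(info['users'])}")
```

On real logs, feed this from journalctl -u ssh or /var/log/auth.log and pair the flagged addresses with a firewall set; a single failed login from a known user (198.51.100.7 above) never trips it.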

conorh, to random
@conorh@mastodon.sdf.org avatar

During lunch a friend mentioned that you can just supply an HTTP URL to vim on the command line and it will use curl to download that resource and allow you to edit the content. I jokingly asked whether, if you enter :w, it would then issue an HTTP POST back to the origin, which is of course ridiculous.

It issues a PUT

unixwitch,
@unixwitch@social.tchncs.de avatar

@conorh
Other protocols are also possible, e.g. you can edit files via scp

vim scp://user@remoteserver.example.org//home/user/remotefile.txt

simontatham, to random
@simontatham@hachyderm.io avatar

We've released version 0.81. This is a SECURITY UPDATE, fixing a in ECDSA signing for .

If you've used a 521-bit ECDSA key (ecdsa-sha2-nistp521) with any previous version of PuTTY, consider it compromised! Generate a new key pair, and remove the old public key from authorized_keys files.

Other key types are not affected, even other sizes of ECDSA. In particular, Ed25519 is fine.

This vulnerability has id CVE-2024-31497. Full information is at https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html

simontatham, to random
@simontatham@hachyderm.io avatar

We've just released version 0.80! This is a SECURITY UPDATE, fixing the newly discovered 'Terrapin', aka CVE-2023-48795, in some widely used protocol extensions.

The release is available in the usual place, at https://www.chiark.greenend.org.uk/~sgtatham/putty/

Full information on the vulnerability is at https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-terrapin.html

We urge users to upgrade, and also upgrade servers. A fix is needed at both ends of the connection to eliminate the vulnerability.

nixCraft, to infosec
@nixCraft@mastodon.social avatar

Every version of the PuTTY tools from 0.68 to 0.80 inclusive has a critical vulnerability in the code that generates signatures from ECDSA private keys. The effect of the vulnerability is to compromise the private key https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html

scy, to random
@scy@chaos.social avatar

Eek. Apparently liblzma (part of the xz package) has a backdoor in versions 5.6.0 and 5.6.1, causing SSH to be compromised.

https://www.openwall.com/lists/oss-security/2024/03/29/4

This might even have been done on purpose by the upstream devs.

Developing story, please take with a grain of salt.

The 5.6 versions are somewhat recent, depending on how bleeding edge your distro is you might not be affected.

michaelabon, to random
@michaelabon@hachyderm.io avatar

My team at just added Watchtower support for insecure and unencrypted keys!

If you opt in, Watchtower will review the SSH keys stored on your local disk. For any security alerts, we'll offer recommendations on how to fix them.

https://blog.1password.com/watchtower-ssh-keys/

And if you aren't using 1Password already to store and sync your SSH keys, or to be your SSH agent, or to use those keys to sign your commits... you're really missing out!

changelog, to ShareYourMusic
@changelog@changelog.social avatar

sshx lets you share your terminal with anyone by link, on a multiplayer infinite canvas. It has real-time collaboration, with remote cursors and chat.

It's also fast and end-to-end encrypted, with a lightweight server written in Rust (so you know it's cool).

🔗 https://sshx.io/

marcel, to random German
@marcel@waldvogel.family avatar

This weekend, only through incredible luck and by an extremely narrow margin, we scraped past what was probably one of the biggest catastrophes in global IT security.

Phew! But what actually happened? How could it happen at all? And what can (and must) we do to prevent this in the future?

And: thanks to all the IT heroes who did this for us over this long weekend.

https://dnip.ch/2024/04/02/xz-open-source-ostern-welt-retten/

marcel,
@marcel@waldvogel.family avatar

«The holidays. All the IT departments are celebrating with their families... All the IT departments? No! One mailing list, populated by indomitable open-source enthusiasts, does not stop resisting the intruders.»

https://dnip.ch/2024/04/02/xz-open-source-ostern-welt-retten/

chebra, to security
@chebra@mstdn.io avatar

So now that we all understand that thanklessly relying on free work of overworked maintainers is a problem, how about we put our money where our mouth is?

I think @AndresFreundTec needs a fat bonus check for saving our asses.

And Lasse Collin needs a lot of support, and probably a nice vacation.

I pledge $100, for starters.

Now how can we make sure to send the funds to the correct people?

Or is there already any fundraiser that I missed?

adminmagazine, to sysadmin
@adminmagazine@hachyderm.io avatar

It's SysAdmin Appreciation Day! We've partnered with TuxCare to bring you a new installment of 10 Terrific Tools for the Busy Admin. Download your copy free! https://bit.ly/Happy-SysAdminDay

mattkenworthy, to ai
@mattkenworthy@mastodon.social avatar

Possibly a foolish question for the Mastodon mind, but with now willing to trawl my data for purposes, is the concept of an invasive-free cloud drive impossible? Or should I stop worrying and learn to love over again?

5am, to linux
@5am@fosstodon.org avatar

Before executing important commands and scripts over , use in case of disconnect. If your connection drops or you close the terminal, you can SSH back in and enter screen -r to recover from where you left off. Being reunited with that hanging command prompt will be a relief!

lafibreinfo, to ubuntu French

Changing the listening port of , on 23.10 and Ubuntu 24.04 LTS
➡️ https://lafibre.info/serveur-linux/changer-le-port-de-ssh-ubuntu-24-04/
There is a change: it is now that controls SSH's listening port; changing the port in /etc/ssh/sshd_config no longer does anything.
You need a "sudo systemctl edit ssh.socket"
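Added example, not from the linked article: the drop-in that "sudo systemctl edit ssh.socket" is meant to produce, rendered and written by a small Python helper so the exact semantics are visible. The empty ListenStream= line is what clears the packaged port-22 listeners; without it systemd keeps port 22 and merely adds the new one. The port 2222 and the drop-in file name override.conf are assumptions (systemctl edit uses that name by default).

```python
from pathlib import Path

# Relative path of the drop-in that `systemctl edit ssh.socket` creates (assumed name).
DROPIN_PATH = "etc/systemd/system/ssh.socket.d/override.conf"


def render_ssh_socket_override(port, addresses=("0.0.0.0", "[::]")):
    """Return a drop-in that replaces ssh.socket's listeners with `port`.

    The bare `ListenStream=` line resets the list inherited from the
    packaged unit; each following line adds one listener.
    """
    lines = ["[Socket]", "ListenStream="]
    lines += [f"ListenStream={addr}:{port}" for addr in addresses]
    return "\n".join(lines) + "\n"


def write_override(root, port):
    """Write the drop-in below `root` ("/" on a real host) and return its path."""
    path = Path(root) / DROPIN_PATH
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(render_ssh_socket_override(port))
    return path


def sshd_config_port(sshd_config_text):
    """Port directive from sshd_config. With socket activation this value no
    longer decides where sshd listens, so report it to catch stale edits."""
    for line in sshd_config_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == "port":
            return int(parts[1])
    return 22


if __name__ == "__main__":
    print(render_ssh_socket_override(2222), end="")
    # On a real host, after writing the drop-in:
    #   sudo systemctl daemon-reload
    #   sudo systemctl restart ssh.socket
```

Check afterwards with "ss -ltnp | grep sshd" that only the new port is bound, and remember that a stale Port line left in sshd_config will mislead the next person reading it.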

Terrapin Attack - Attack Discovered Against SSH (terrapin-attack.com)

Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel...
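Added example, not code from the Terrapin researchers or from any SSH implementation: a deliberately simplified model of one direction of the SSH binary packet protocol, enough to show why the sequence-number trick works and what the "strict kex" countermeasure changes. Packets before NEWKEYS are unauthenticated; after it each packet carries a MAC over the implicit sequence number and payload. The attacker injects an IGNORE message before NEWKEYS (the client's receive counter advances, the server's send counter does not) and then drops the first protected packet, EXT_INFO, which realigns the counters. Real SSH also encrypts the packets, and the drop only goes unnoticed with particular cipher modes (ChaCha20-Poly1305 and CBC encrypt-then-MAC); real strict kex is negotiated via the kex-strict-c/s-v00@openssh.com pseudo-algorithm names. The shared key and message flow below are constructed.

```python
import hmac
import hashlib

# SSH message numbers (RFC 4253, RFC 8308).
SSH_MSG_IGNORE, SSH_MSG_SERVICE_ACCEPT, SSH_MSG_EXT_INFO, SSH_MSG_NEWKEYS = 2, 6, 7, 21


class Endpoint:
    """One direction of a simplified SSH packet channel.

    Sequence numbers are implicit: each side counts packets and never sends
    the counter, so integrity after NEWKEYS depends on both sides agreeing
    on how many packets have passed.
    """

    def __init__(self, key, reset_seq=False, reject_unexpected=False):
        self.key = key
        self.reset_seq = reset_seq                  # strict kex: counters restart at 0 after NEWKEYS
        self.reject_unexpected = reject_unexpected  # strict kex: no IGNORE during the handshake
        self.send_seq = self.recv_seq = 0
        self.encrypted = False
        self.received = []

    def _mac(self, seq, payload):
        return hmac.new(self.key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()

    def send(self, msg_type, body=b""):
        payload = bytes([msg_type]) + body
        tag = self._mac(self.send_seq, payload) if self.encrypted else b""
        self.send_seq = (self.send_seq + 1) & 0xFFFFFFFF
        if msg_type == SSH_MSG_NEWKEYS:
            self.encrypted = True
            if self.reset_seq:
                self.send_seq = 0
        return payload, tag

    def receive(self, packet):
        payload, tag = packet
        msg_type = payload[0]
        if self.encrypted:
            if not hmac.compare_digest(tag, self._mac(self.recv_seq, payload)):
                raise ValueError("MAC failure")
        elif self.reject_unexpected and msg_type == SSH_MSG_IGNORE:
            raise ValueError("unexpected message during key exchange")
        self.recv_seq = (self.recv_seq + 1) & 0xFFFFFFFF
        if msg_type == SSH_MSG_NEWKEYS:
            self.encrypted = True
            if self.reset_seq:
                self.recv_seq = 0
        self.received.append(msg_type)


def run(attack, reset_seq=False, reject_unexpected=False):
    """Server -> client flow: NEWKEYS, EXT_INFO, SERVICE_ACCEPT, optionally
    with a man-in-the-middle. Returns ("ok", message types the client accepted)
    or ("error", reason)."""
    key = b"constructed-shared-integrity-key"  # assumed; real SSH derives per-direction keys
    server = Endpoint(key, reset_seq, reject_unexpected)
    client = Endpoint(key, reset_seq, reject_unexpected)
    wire = []
    if attack:
        # MitM step 1: inject an unauthenticated IGNORE before NEWKEYS.
        wire.append((bytes([SSH_MSG_IGNORE]), b""))
    wire.append(server.send(SSH_MSG_NEWKEYS))
    ext_info = server.send(SSH_MSG_EXT_INFO)  # first protected packet
    if not attack:
        wire.append(ext_info)                 # MitM step 2: drop it
    wire.append(server.send(SSH_MSG_SERVICE_ACCEPT))
    try:
        for packet in wire:
            client.receive(packet)
    except ValueError as e:
        return ("error", str(e))
    return ("ok", client.received)


if __name__ == "__main__":
    print("no attack:      ", run(False))
    print("attack, legacy: ", run(True))                       # EXT_INFO silently gone
    print("attack, reset:  ", run(True, reset_seq=True))       # counters no longer line up
    print("attack, strict: ", run(True, reset_seq=True, reject_unexpected=True))
```

The legacy run loses EXT_INFO with no error at all, which is the whole point: a client that never sees the server's extensions may, for example, fall back to weaker signature algorithms. Resetting the counters alone turns the drop into a MAC failure; rejecting unexpected handshake messages catches the injection before it matters.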

greggyb, to linux
@greggyb@mastodon.sdf.org avatar

Security vulnerability in on

Affected distros definitely include Fedora 41 and Rawhide and Debian testing and Debian sid.

Report and distro info below.

https://www.openwall.com/lists/oss-security/2024/03/29/4

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

https://lists.debian.org/debian-security-announce/2024/msg00057.html

CVE assigned by Red Hat (not up to date yet): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094

uncanny_static, to openSUSE
@uncanny_static@chaos.social avatar

Unfortunately, openSUSE Tumbleweed already includes version 5.6.1 of liblzma. Hence, if you are using Tumbleweed, your system might already be affected.
https://www.openwall.com/lists/oss-security/2024/03/29/4

vbatts, to random
@vbatts@fosstodon.org avatar

PSA: now more than ever, sign your commits.

Either git commit -sS every commit; or git config commit.gpgSign 1 in a project; or git config --global commit.gpgSign 1

Use or even your existing key.

More info:

abcdw, to til
@abcdw@fosstodon.org avatar

Today I learned: if the scp (utility for copying files over SSH) process was interrupted, you can resume the transfer of the file(s) with rsync!

Especially handy with low-bandwidth and unstable connection.

Experimenting with almost forgotten old good stuff can have its own perks!

chpietsch, to random
@chpietsch@digitalcourage.social avatar

Reading about the recent SMTP and SSH vulnerabilities, I get the impression that open source projects, proprietary vendors and government agencies such as @certbund don't know how to talk to each other. They should at least have something like a red phone.

Please comment here if you have a constructive idea on how to improve the situation! #SECconsulting seems to assume that everyone uses #VINCE, a CMU service I had never heard of.

#SMTP:
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
https://www.postfix.org/smtp-smuggling.html

#SSH:
https://terrapin-attack.com/patches.html

#SMTPsmuggling #Terrapin #ITsec #37c3

screenshot from the Postfix website: SMTP Smuggling [An updated version of this text may be found at https://www.postfix.org/smtp-smuggling.html] Author: Wietse Venema Last update: December 23, 2023 Summary Days before a 10+ day holiday break and associated production change freeze, SEC Consult has published an email spoofing attack that involves a composition of email services with specific differences in the way they handle line endings other than . Unfortunately, critical information provided by the researcher was not passed on to Postfix maintainers before publication of the attack, otherwise we would certainly have convinced SEC Consult to postpone publication until after people had a chance to update their Postfix systems. …
screenshot from the Terrapin website: … Aside from the SSH implementations marked with an asterisk, we included the following implementations, vendors, and CERTs in our responsible disclosure process. Due to the lack of proper security contacts and response, we were not able to disclose our findings to some of them. AbsoluteTelnet (Celestial Software) Amazon AWS CERT-Bund Cisco Ericsson Microsoft Mikrotik Partnered CERTs of CERT-Bund (via CERT-Bund) SSH Server for Windows (Georgia Softworks) Tectia SSH (SSH Communications Security, Inc.) Termius (Termius Corporation) The selection of SSH implementations contacted during responsible disclosure was based on several factors. We aimed to achieve a decent coverage of "strict kex" on public disclosure by focusing on the underlying SSH implementations. We gathered all SSH implementations listed in publicly available resources (Wikipedia SSH clients, Wikipedia SSH servers, Quendi SSH implementation comparison) as a baseline. …

brokenix, to random

Endlessh is an tarpit that very slowly sends an endless, random SSH banner. It keeps SSH clients locked up for hours or even days at a time. The purpose is to put your real SSH server on another port and then let the script kiddies get stuck in this tarpit instead of bothering a real server.
https://github.com/skeeto/endlessh
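Added example, not endlessh's own code: a minimal asyncio tarpit in the same spirit. RFC 4253 lets a server send any number of lines before its version string as long as none of them begins with "SSH-" and each stays within 255 characters including CRLF, so a client waiting for the banner keeps waiting. Port 2222, the 10-second delay and the client cap are assumptions; the real sshd would be moved to another port and this listener put on 22.

```python
import asyncio
import random
import time

MAX_CLIENTS = 4096   # assumed cap; each stuck client costs one socket, no thread


def banner_line(rng=random):
    """One random printable line that never starts with "SSH-" (RFC 4253 4.2)."""
    length = rng.randint(3, 32)
    line = "".join(chr(rng.randint(32, 126)) for _ in range(length))
    if line.startswith("SSH-"):
        line = "x" + line[1:]
    return line + "\r\n"


def valid_pre_banner_line(line):
    """True if a client must treat `line` as ignorable pre-banner text."""
    return (
        line.endswith("\r\n")
        and not line.startswith("SSH-")
        and len(line) <= 255
        and all(32 <= ord(c) <= 126 for c in line[:-2])
    )


async def tarpit_client(reader, writer, delay, slots):
    peer = writer.get_extra_info("peername")
    started = time.monotonic()
    sent = 0
    try:
        async with slots:  # beyond MAX_CLIENTS, new connections just wait here
            while True:
                writer.write(banner_line().encode("ascii"))
                await writer.drain()
                sent += 1
                await asyncio.sleep(delay)
    except (ConnectionError, asyncio.CancelledError):
        pass
    finally:
        writer.close()
        print(f"{peer} held for {time.monotonic() - started:.0f}s, {sent} lines")


async def serve(host="0.0.0.0", port=2222, delay=10.0):
    slots = asyncio.Semaphore(MAX_CLIENTS)
    server = await asyncio.start_server(
        lambda r, w: tarpit_client(r, w, delay, slots), host, port
    )
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Try it with ssh -p 2222 -v localhost: the client reports the junk lines as "kex protocol" banner noise and never progresses. Well-behaved scanners time out; the ones that matter on a busy host are the ones that do not.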

bitprophet, to random
@bitprophet@social.coop avatar

Phew. <REDACTED> looks to be done now. We'll see how things go on <UPCOMING REDACTED DATE>.

Programming and networking: still hard. 😅

Also, I really hate reading C code, especially a specific codebase. You can probably guess which one, if you know what I do. 📖🔐🐚

bitprophet,
@bitprophet@social.coop avatar

OK, I can reveal what <REDACTED> is: an protocol-level weakness allowing active MitM attacks. (bad, but not as bad as that probably sounds.)

https://terrapin-attack.com/ - their own FAQ is tl;dr "yea probably don't drop what you're doing to patch this”.

I have been working with the researchers to update for this and will likely put out v3.4 today or tomorrow.

OpenSSH 9.6 is out today with their fixes.
