Morning,
Just taking a moment to remind everyone that at this point it feels like a certainty that every application you use has a vulnerability, it’s just whether that vulnerability has been discovered yet.
Take this latest research into a new SSH vulnerability: New SSH Vulnerability - Schneier on Security
In summary, naturally occurring issues such as a flipped bit in memory can be enough to expose private host keys in some SSH implementations. I’m not saying to go run around in circles and panic, but what I am suggesting is that you review your defence in depth posture.
A great mindset to be in around any inbound connection to a device should be:
- Do I need this service to be listening? If not disable the service.
- Okay, I need it to be listening: what ports do I expect it to listen on? Only permit connections to it on pre-approved ports.
- Does it need to be listening to connections from anywhere? If not, utilise IP address whitelisting on a firewall.
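One way to turn those three questions into a repeatable check, as an added example that is not part of the original post: a small audit that compares what a host is actually listening on against a written baseline of expected services and their allowed source networks, then emits the matching firewall allow rules. The baseline, the hypothetical host and the `ss -Htln` output below are all constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -Htln` output for a hypothetical host
# (state, recv-q, send-q, local address:port, peer address:port).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
LISTEN 0 128  [::]:22        [::]:*
LISTEN 0 4096 0.0.0.0:5432   0.0.0.0:*
LISTEN 0 511  0.0.0.0:8080   0.0.0.0:*
LISTEN 0 128  0.0.0.0:623    0.0.0.0:*
"""

# Hypothetical baseline answering the three questions: which services may
# listen, on which port, and from which source networks (the whitelist).
BASELINE = {
    22:   {"name": "ssh",        "allowed_from": ["10.0.5.0/24"]},
    5432: {"name": "postgresql", "allowed_from": ["127.0.0.1/32"]},
}

def parse_listeners(ss_output):
    """Map each listening TCP port to the set of local addresses it is bound to."""
    listeners = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        listeners.setdefault(int(port), set()).add(addr.strip("[]"))
    return listeners

def audit(listeners, baseline):
    """Return findings: listeners absent from the baseline, and services bound
    wider than their allow-list (loopback-only service bound to every interface)."""
    findings = []
    for port, addrs in sorted(listeners.items()):
        entry = baseline.get(port)
        if entry is None:
            findings.append(f"port {port}: listening but not in baseline")
            continue
        loopback_only = all(ipaddress.ip_network(n).is_loopback for n in entry["allowed_from"])
        if loopback_only and any(a in ("0.0.0.0", "::") for a in addrs):
            findings.append(f"port {port} ({entry['name']}): bound to all interfaces but allow-list is loopback only")
    return findings

def nft_accept_rules(listeners, baseline):
    """nftables accept rules for the permitted services only; assumes the input
    chain's policy is drop, so anything not listed here is refused."""
    rules = []
    for port in sorted(listeners):
        entry = baseline.get(port)
        if entry is not None:
            sources = ", ".join(entry["allowed_from"])
            rules.append(f'tcp dport {port} ip saddr {{ {sources} }} accept comment "{entry["name"]}"')
    return rules
```

Running the audit on the sample flags 623 (IPMI) and 8080 as listeners nobody approved, and PostgreSQL as bound to every interface despite a loopback-only allow-list; the generated rules only ever open the ports the baseline approves.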
There are lots of other layers you can insert to build on these basic steps, such as placing an internal VPN between your network and an isolated, sensitive network segment, secured further with MFA, to permit access to sensitive services such as SSH, RDP, IPMI etc.
We’re in a constant battle between less convenient = more secure and more convenient = less secure, but establishing a consistent security baseline improves an organisation’s cultural adoption of security and helps teams understand applications better by seeing how the various components communicate.