By Mark van Vuuren

What Are RDP and SSH?

Accelerated by the COVID-19 pandemic, remote work has grown considerably in recent years, and many people have had to learn in practice what RDP and SSH are, because these are the protocols their industries use to reach remote systems.

With more remote access, however, exposure to cyber threats has also grown, so establishing a secure connection between users and their workstations or endpoints matters more than ever.

One of the main risks is user authentication: weak or stolen credentials let attackers reach vulnerable resources and sensitive data inside an organization. Another is endpoint security, since unprotected RDP endpoints are a primary target of cybercriminals.

What Does SSH Mean?

SSH is the acronym for Secure Shell, a protocol developed for logging in to Unix-like servers (Linux, BSD and others) and now available on every major operating system, including Windows. It presents a command-line interface, typically a shell such as bash, and, unlike RDP, it has no graphical interface of its own.

How Does SSH Work?

SSH uses a client/server model. The server proves its identity with a host key, and the user authenticates either with a password or, preferably, with a key pair: the public key works like a lock and the private key like the key that opens it. The private key stays on the user's machine (the client) and is never transmitted; the public key is placed on the server, in the user's authorized_keys file. Key-based authentication is stronger than a username and password because the private key never crosses the wire and, at 2048 bits or more for RSA keys (or 256-bit Ed25519 keys), cannot be guessed by brute force. The session itself is protected by symmetric encryption negotiated during the key exchange.

What Is SSH Used For?

SSH is used to access a server or hosting account remotely and execute commands. With this protocol, one can:

  • Start and stop services;

  • Monitor log files live;

  • Install software on the account; and

  • Manage MySQL databases, among other activities.

Moreover, SSH needs no web-based control panel, and as the user learns its commands, they can manage their account more quickly than through a graphical interface.

Benefits of SSH

SSH encrypts the whole session, preventing user information and passwords from being captured by attackers on the network. Here is what SSH can protect your company from:

IP Source Routing by Malicious Agents

Source routing lets the sender of a packet dictate the path it takes through the network. It has legitimate uses, but an attacker can abuse it to make one machine believe it is communicating with another. Because SSH authenticates the server with its host key and the client with its credentials or key, a redirected connection does not pass authentication.

DNS Spoofing

In this attack, the attacker injects forged records into the cache of a Domain Name System (DNS) server, so the server returns the wrong IP address and traffic is diverted to a machine the attacker controls, where confidential information can be collected and exploited. An SSH client notices this because the host key presented by the impostor does not match the one recorded for that host name in known_hosts.

Manipulation of Data in Routers

Here the attacker reads or alters data as it passes through routers or other intermediaries on the way to its destination. Routers and gateways are a natural point for this, since all traffic on a route passes through them. SSH's encryption hides the content, and its message authentication codes reveal any modification.

Eavesdropping

Without an encrypted connection, anyone who can see the network traffic can read the data and collect sensitive information for a variety of purposes.

IP Spoofing

An attacker can craft packets with forged source IP addresses, hiding their own identity and location while the receiver believes it is talking to another host. Address-level tricks do not help against SSH, because authentication is cryptographic rather than based on IP addresses.

Best Security Practices for SSH

Some practices improve the security of the SSH service. These are:

  • Attackers use port scanners to find machines running SSH, and many casual scans only cover the low, well-known ports. Moving SSH from port 22 to a port above 1024 therefore cuts down on automated noise in the logs. Treat this as a convenience rather than a control: full-range scanners and Internet-wide search engines find the service anyway, so the real protection comes from the items that follow.

  • The SSH protocol exists in two versions, but the first (SSH-1) has known weaknesses, including the CRC-32 insertion attack and man-in-the-middle attacks. For this reason, only version 2 should be used; current OpenSSH releases no longer support SSH-1 at all.

  • Do not allow the root user to log in over SSH (PermitRootLogin no). If the root account is compromised, the attacker can do far more damage than with an ordinary user account; administrators should log in as themselves and escalate with sudo, which also leaves an audit trail.

  • Configure a custom banner (the Banner option) so that users who connect see a specific message, for instance that they are accessing a private SSH service and that sessions are monitored.

  • Replace password logins with public-key authentication. A key cannot be guessed with a dictionary attack, so this protects the system from password guessing and credential stuffing. Use Ed25519 or RSA keys; the DSA keys that older guides recommend are deprecated and disabled by default in current OpenSSH releases.

  • Restrict which hosts may reach the SSH service. Older guides suggest TCP Wrappers (hosts.allow and hosts.deny), but OpenSSH dropped TCP Wrappers support in version 6.7, so use a host firewall such as iptables or nftables, and restrict accounts with the AllowUsers or AllowGroups options, optionally with from= restrictions in authorized_keys.

Cyberattack Cases with SSH Keys

In recent years, many attackers have abused SSH keys, the machine identities that servers and automation rely on, to conduct cyberattacks. Criminal groups with access to dark-web markets can turn the same techniques that were used against Ukraine's power grid against government sectors, and they sell SSH backdoors to Advanced Persistent Threat (APT) groups associated with certain countries for high sums. Attackers use stolen or planted SSH keys to gain unauthorized access to critical systems and then:

  • Bypassing security controls;

  • Inserting fraudulent information;

  • Compromising the encryption software; or

  • Installing persistent malware.

Most of the time, the malware inserts the attacker's SSH public key into the authorized_keys file on the victim's machine, which guarantees a way back in even after passwords are changed. In other cases, the malware weakened SSH authentication or harvested credentials and host information in order to move laterally through the network and infect other computers. Several malware campaigns have used SSH keys in exactly this way; the best-known are listed below.
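A planted key in authorized_keys is easy to miss by eye, so the following added example (not the article author's code and not taken from any of the campaigns described) audits an authorized_keys file against an inventory of approved key fingerprints. It assumes the standard OpenSSH line format `[options] key-type base64-blob [comment]`; the sample file, the approved-fingerprint set and the key blobs are constructed for the demonstration and are not real keys.

```python
"""Audit an OpenSSH authorized_keys file against an inventory of approved keys.

Added example for this article; not the author's code and not part of any of
the malware cases described. Assumes the standard OpenSSH line format:

    [options] key-type base64-blob [comment]

The sample file, the approved-key inventory and the key blobs are constructed
for this demonstration (the blobs are not real keys).
"""
import base64
import hashlib
import re

# Locates the key-type token; everything before it is the options field.
KEY_TYPE_RE = re.compile(
    r"(?:^|\s)((?:sk-)?(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))"
    r"(?:@openssh\.com)?)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def fake_blob(key_type: str, seed: bytes) -> str:
    """Constructed key blob: SSH string of the type name followed by opaque bytes."""
    name = key_type.encode()
    raw = len(name).to_bytes(4, "big") + name + len(seed).to_bytes(4, "big") + seed
    return base64.b64encode(raw).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (lineno, options, key_type, blob, comment); key_type is None if unparseable."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_TYPE_RE.search(line)
        if not m:
            yield lineno, "", None, None, line
            continue
        options = line[: m.start(1)].strip()
        yield lineno, options, m.group(1), m.group(2), (m.group(3) or "").strip()


def audit_authorized_keys(text: str, approved: set) -> list:
    """Return (lineno, finding) pairs for entries that deserve a second look."""
    findings = []
    for lineno, options, key_type, blob, comment in parse_authorized_keys(text):
        if key_type is None:
            findings.append((lineno, "unparseable entry"))
            continue
        fp = fingerprint(blob)
        if fp not in approved:
            findings.append((lineno, f"key not in inventory ({fp}, comment={comment!r})"))
        if key_type == "ssh-dss":
            findings.append((lineno, "deprecated DSA key"))
        if "command=" in options and "restrict" not in options:
            findings.append((lineno, "forced command without the restrict option"))
        if "from=" not in options:
            findings.append((lineno, "no from= source restriction"))
    return findings


# Constructed sample: one approved operator key, one planted key with no
# restrictions, and one legacy DSA key wired to a forced command.
OPS_BLOB = fake_blob("ssh-ed25519", b"\x01" * 32)
PLANTED_BLOB = fake_blob("ssh-rsa", b"\x02" * 64)
LEGACY_BLOB = fake_blob("ssh-dss", b"\x03" * 64)

SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample file
from="10.0.0.0/24" ssh-ed25519 {OPS_BLOB} ops@bastion
ssh-rsa {PLANTED_BLOB} root@kali
command="/tmp/.x/sh",no-pty ssh-dss {LEGACY_BLOB}
"""

APPROVED_FINGERPRINTS = {fingerprint(OPS_BLOB)}

if __name__ == "__main__":
    for lineno, finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS):
        print(f"line {lineno}: {finding}")
```

On a real host, build the inventory from `ssh-keygen -lf` output for the keys you issued and run the audit over every user's authorized_keys (and any AuthorizedKeysFile paths set in sshd_config), since malware plants keys for root and service accounts alike.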

  • TrickBot: Initially a banking trojan that stole online-banking credentials, TrickBot has expanded over the years into a general-purpose tool for criminals operating in corporate environments.

It is modular malware with network-profiling and mass data-collection features, and it supports lateral movement. Its modules extract information from compromised computers and steal credentials from browsers, Outlook clients and Windows itself.

  • CryptoSink: This Monero (XMR) crypto-mining campaign, discovered in 2019, compromised targets by exploiting a vulnerability in Elasticsearch on both Windows and Linux.

Persistence was obtained by adding the attacker's public key to the authorized_keys file on the victim's computer.

  • Linux worm: This malware attacks Exim mail servers on Unix-like systems and turns them into Monero cryptocurrency miners.

To do so, it enables the SSH server if it is disabled and creates a backdoor by adding its own SSH public key.

  • Skidmap: Here too the attacker's public key is added to the authorized_keys file to give backdoor access to the target computer.

To gain root or administrative access and deploy the mining malware, the operators use exploits, Internet-exposed services or misconfigurations.

In addition to these cases, between 2015 and 2017 a teenager gained access to Apple's internal systems and copied data and authentication keys. According to the court, he had downloaded 90 GB of files and accessed customer accounts, which Apple denied. Also according to the court, he ran a script on the system that created a secure shell tunnel, which gives access to systems, bypasses firewalls and extracts data faster. In this way he was able to read internal security policies and save authentication keys. As Tatu Ylönen, the inventor of the Secure Shell protocol, and SSH.COM point out, SSH tunnels are widely used in corporate environments, but combined with stolen SSH keys they become attack vectors that are very difficult to track.

What Is RDP, and How Does It Work?

Remote Desktop Protocol (RDP) is an old, widespread protocol and therefore under constant attack. It is used to access Windows virtual machines and physical servers; although clients and servers exist for Linux, it is essentially a Windows technology. Its graphical interface makes servers accessible to users with or without technical training. RDP endpoints are frequently exposed to the Internet, which makes them a favourite target of attackers, so administrators must protect their RDP instances.

What Is RDP Used For?

RDP lets a user connect to a computer remotely through Remote Desktop Services (formerly Terminal Services). It is generally used to reach machines outside the environment where the user sits, for tasks such as configuration and maintenance. RDP is also very useful for companies operating via remote work, a service model adopted by many institutions after the beginning of the COVID-19 pandemic.
Benefits of RDP

Like SSH, RDP provides several benefits for those who adopt it. Here are some of them:

Connection Security

With RDP, you can access your files and documents securely because connections to the remote desktop are encrypted, which reduces the risk of data being intercepted, and because the data stays on the remote machine rather than on a laptop that can be lost or stolen.

Mobility

Another important benefit of RDP is the freedom to work from anywhere at any time; all that is needed is a computer and Internet access.

Excellent Value for Money

Software need only be installed on the host that everyone accesses remotely, rather than licensed and installed on every computer (note that multi-user access to Windows Server still requires Remote Desktop Services client access licences).

What Is the Difference Between SSH and RDP?

Both are used for the same purpose: accessing computers and servers remotely. Moreover, RDP and SSH both provide encrypted access to cloud-based servers.

Despite their similarities, RDP and SSH differ in some respects. First, SSH as normally deployed is more secure than RDP: SSH keys are much harder to compromise than the passwords RDP typically relies on, which is why RDP needs extra layers such as a virtual private network (VPN) and multi-factor authentication (MFA). This does not remove the need to protect private keys properly. Another difference is that SSH is technically more demanding than RDP, so many organizations, especially those with new IT professionals or smaller teams, choose RDP.

Best Security Practices for RDP

RDP provides adequate security in ideal environments, but to avoid problems such as unauthorized sessions and improper access it is necessary to go beyond its default settings and raise the maturity of IT security.

This is because RDP's default configuration provides only baseline encryption, which does not guarantee complete security for internal and external operations.

Thus, the first security rule for RDP is never to expose the service directly on the Internet: use it only on the local network (or behind a VPN or Remote Desktop Gateway), regardless of how well the system and endpoints are protected.

Do you want to know how to protect RDP for internal use properly? Start with what is known about its default settings:

  • Granting RDP access to local or domain administrators simply by enabling RDP on Windows hosts is not a best practice, as it violates the principle of least privilege. Ideally, only standard (non-administrative) user accounts receive RDP access, only for the time needed to perform a given task, and the session is monitored from start to finish through a privileged access management (PAM) tool.

  • If the recommendation above cannot be followed, rename the built-in local and domain administrator accounts to something that is not easy to guess; otherwise an attacker has half of the credential pair for free. Renaming is obscurity, not a control, so it must be combined with strong passwords and MFA. We also recommend that RDP as an administrator not be used routinely for remote work, but only when it is indispensable.

  • RDP should also require Network Level Authentication (NLA), which authenticates the user before a session is created, so that credentials are never sent to the remote host over an unauthenticated session and unauthenticated clients cannot consume resources or reach pre-authentication bugs. Moreover, configure the TLS security layer and the highest encryption level available so that a weaker cipher cannot be negotiated by the client.

  • RDP lets content be cut, copied and pasted between the remote system and the connecting device in both directions through clipboard redirection, which can be abused to extract data from the system or to drop files into it; disable it where it is not needed.

  • RDP servers can also redirect printers into the remote session, which may allow sensitive data to be printed and can introduce malicious printer drivers into the environment; disable printer redirection where it is not needed.

  • Windows servers allow a user to start multiple RDP sessions, and when a user disconnects and later opens a new session instead of reconnecting to the previous one, the old session lingers, consuming resources and leaving work and data behind. To mitigate this, restrict each user, including administrators, to a single session. This also makes a malicious RDP session easier to spot.
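The settings above are pushed by Group Policy, but verifying that they actually landed on a host means reading the registry values behind them. The following added example (not the article author's code and not a Microsoft tool) parses a `reg export` of the Terminal Services policy key and the RDP-Tcp listener key and reports every hardening item that is missing or weak. The value names used (UserAuthentication, SecurityLayer, MinEncryptionLevel, fDisableClip, fDisableCpm, fSingleSessionPerUser) are the registry values that back the corresponding Group Policy settings as I know them; confirm them against your own export. The two sample exports are constructed.

```python
"""Check an exported RDP registry configuration against the hardening items above.

Added example for this article, not the author's or Microsoft's code. The
input is the text of a `reg export` of the Terminal Services policy key and
the RDP-Tcp listener key. The value names are the registry values behind the
corresponding Group Policy settings as I know them; confirm them against your
own export. The two sample exports are constructed.
"""
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
LISTENER_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
                r"\WinStations\RDP-Tcp")

# (value name, acceptable DWORD values, what the hardened value achieves)
CHECKS = [
    ("UserAuthentication", {1}, "Network Level Authentication required"),
    ("SecurityLayer", {2}, "TLS security layer required"),
    ("MinEncryptionLevel", {3, 4}, "High or FIPS encryption level"),
    ("fDisableClip", {1}, "clipboard redirection disabled"),
    ("fDisableCpm", {1}, "client printer redirection disabled"),
    ("fSingleSessionPerUser", {1}, "one session per user"),
]

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export.
    Registry names are case-insensitive, so both are normalised to lower case."""
    data, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            data.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            data[current][m.group(1).lower()] = int(m.group(2), 16)
    return data


def effective_value(reg: dict, name: str):
    """The policy key overrides the per-listener key; return (value, key) or (None, None)."""
    for key in (POLICY_KEY, LISTENER_KEY):
        values = reg.get(key.lower(), {})
        if name.lower() in values:
            return values[name.lower()], key
    return None, None


def audit_rdp_registry(text: str) -> list:
    """Return (value name, observed, purpose) for every check that is not satisfied."""
    reg = parse_reg_export(text)
    findings = []
    for name, acceptable, purpose in CHECKS:
        value, key = effective_value(reg, name)
        if value is None:
            findings.append((name, "not set; Windows default applies", purpose))
        elif value not in acceptable:
            findings.append((name, f"{value} in {key}", purpose))
    return findings


# Constructed export of a host left close to its defaults.
WEAK_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fDisableClip"=dword:00000000
"fSingleSessionPerUser"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"UserAuthentication"=dword:00000000
"SecurityLayer"=dword:00000001
"MinEncryptionLevel"=dword:00000002
"""

# Constructed export of the same host after the Group Policy settings are applied.
HARDENED_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"UserAuthentication"=dword:00000001
"SecurityLayer"=dword:00000002
"MinEncryptionLevel"=dword:00000003
"fDisableClip"=dword:00000001
"fDisableCpm"=dword:00000001
"fSingleSessionPerUser"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"UserAuthentication"=dword:00000000
"""

if __name__ == "__main__":
    for name, observed, purpose in audit_rdp_registry(WEAK_EXPORT):
        print(f"{name}: {observed} (want: {purpose})")
```

`reg export` writes UTF-16 files, so read them with `encoding="utf-16"` before passing the text in. The hardened sample deliberately leaves the listener key with NLA off to show that the policy key wins, which is also why a host that looks fine in the listener key can still be weak once a policy is removed.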

RDP defaults should be configured as Group Policy settings applied through Active Directory, and the resources used in the domain should be individually configured to counter threats. In addition, keep an eye on other risks:

  • Vulnerabilities found in RDP versions: IT teams need to be informed about security updates that must be applied to prevent hackers from exploiting the IT environment.

  • To stop the end user from becoming an attack vector, it is very important to manage and limit the RDP clients allowed in the environment, since a vulnerable client can extend the risk to the RDP host server.

  • It is also important to ensure that third-party solutions using RDP hold the licences Microsoft requires for use of the protocol in the environment, so as not to violate the licensing agreement.

RDP and SSH Vulnerabilities

The increase in remote work during the COVID-19 pandemic has created a number of vulnerabilities related to RDP and SSH. This is shown by a report produced by Edgescan, which compiles data from thousands of security assessments and analyses common vulnerabilities and exposures (CVEs), malware, ransomware and services exposed on internal and public-facing systems.

According to Eoin Keary, CEO and founder of Edgescan, the sixth edition of the report allows the underlying data to be examined and the vulnerabilities used by nation states and cybercriminals to be identified, and it shows that remediation and maintenance are still a challenge. The report also shows that more than 65% of the vulnerabilities found by Edgescan in 2020 were more than three years old, and 32% dated from 2015 or earlier, which points to a lack of attention to fixing them.

The most widespread critical-risk CVE found was CVE-2018-0598, which allows an attacker to gain privileges through a Trojan-horse DLL in an unspecified directory. When analysing malware-related CVEs, Edgescan noticed that many are located on systems that are not Internet-facing, which shows that internal vulnerabilities receive little attention.

This behavior increases the risk of targeted spear phishing or social engineering attacks, with the risk of ransomware and data theft.

Despite the problems associated with vulnerabilities, the report also showed positive trends. One of them is the number of systems analysed with more than 10 CVEs, which fell from 15% in 2019 to 4% in 2020, as a result of system updates and improvements in patch maintenance driven by the growth of asset-profiling services.

Protecting RDP and SSH in the Cloud

Whether you choose RDP or SSH, you can use a cloud directory service to add security, manage SSH key pairs or protect RDP ports.

With it, you can implement multi-factor authentication on VMs and Windows systems and on VPNs through RADIUS.

One capability of a cloud directory service is managing users' SSH public keys, so that end users handle their own key pairs without relying on administrators.

History of SSH

The first computers were the size of a conference room and needed thousands of mechanical parts to run simple commands. Over time, they became smaller, with easy-to-use interactive terminals.

In the 1960s, mainframes emerged, and in the 1970s and 1980s, network computing became popular and the use of remote access began to enable connection to central computers.

At that time the connection was secure because centralized networks were physically isolated from one another. From the late 1960s onwards, the Telnet protocol was used for remote control of large private networks and later on the public Internet. Telnet transmits everything, including passwords, in plain text; it lost ground to SSH and is no longer installed by default on Linux systems.

Previously, networks used to be isolated in an organization, and devices stayed within a protected physical space. Thus, it was not so risky to share sensitive data – such as passwords – through messages, unlike what happens today with the public Internet. TCP packets can be intercepted and easily read if not encrypted, which makes them insecure.

In the 1980s, rlogin started to be used to access remote systems with or without passwords and performed better than Telnet, working properly with commands and characters that, in Telnet, needed to be translated.

Despite this, rlogin also had vulnerabilities, described in a 1998 Carnegie Mellon report, rlogin: The Untold Story. It used plain-text communication and allowed identity spoofing.

Designed by Helsinki University of Technology researcher Tatu Ylönen, who would later launch the cybersecurity company SSH Communications Security, the first version of SSH was released in 1995.

This version, which is now considered outdated, presented several flaws over time and was replaced by SSH-2, which acquired a Standards Track specification by the Internet Engineering Task Force (IETF) in 2006.

Unlike SSH-1, SSH-2 negotiates session keys with a Diffie-Hellman key exchange, authenticates the server with a signature over that exchange made with its host key, and protects every packet with a message authentication code (MAC) so that modification, replay or reordering is detected.

Advanced Encryption Standard (AES) and Blowfish are among the most commonly used encryption methods by SSH clients and servers.
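To make the Diffie-Hellman exchange and the MAC integrity check concrete, the following added example (not an SSH implementation and not the article author's code) runs a toy SSH-2-style transport between a client and a server object: both sides agree on a shared secret, derive one MAC key per direction, and the receiver rejects a packet whose bytes were altered and a packet that is replayed. It uses a small toy modulus so that it runs instantly and omits the host-key signature over the exchange hash; real SSH-2 uses the RFC 3526 groups or elliptic-curve exchanges and signs the exchange with the host key.

```python
"""Toy SSH-2-style transport: Diffie-Hellman key agreement, then per-packet
HMAC integrity checks with a sequence number.

Added example for this article; it is not an SSH implementation and not the
article author's code. It uses a small toy modulus so that it runs instantly
and omits the host-key signature that real SSH-2 uses to authenticate the
server. Real deployments use the RFC 3526 groups or elliptic-curve exchanges.
"""
import hashlib
import hmac
import secrets

# Toy group: the Mersenne prime 2**127 - 1 with generator 5. Constructed for
# the demonstration only; never use parameters this small in practice.
P = (1 << 127) - 1
G = 5
MAC_LEN = 32


class Endpoint:
    """One side of the connection; role is 'client' or 'server'."""

    def __init__(self, role: str):
        self.role = role
        self.private = secrets.randbelow(P - 2) + 1  # x in [1, P-2], never sent
        self.public = pow(G, self.private, P)         # sent to the peer in clear
        self.send_seq = 0
        self.recv_seq = 0
        self.mac_keys = None

    def agree(self, peer_public: int) -> int:
        """Derive the shared secret K and one MAC key per direction. SSH-2 derives
        its keys similarly, as HASH(K || H || letter || session_id)."""
        k = pow(peer_public, self.private, P)
        shared = k.to_bytes(16, "big")
        self.mac_keys = {
            "c2s": hashlib.sha256(shared + b"E").digest(),
            "s2c": hashlib.sha256(shared + b"F").digest(),
        }
        return k

    def _key(self, outgoing: bool) -> bytes:
        mine = "c2s" if self.role == "client" else "s2c"
        theirs = "s2c" if self.role == "client" else "c2s"
        return self.mac_keys[mine if outgoing else theirs]

    def seal(self, payload: bytes) -> bytes:
        """The MAC covers the sequence number and the payload, as in RFC 4253."""
        msg = self.send_seq.to_bytes(4, "big") + payload
        tag = hmac.new(self._key(True), msg, "sha256").digest()
        self.send_seq += 1
        return payload + tag

    def open(self, packet: bytes) -> bytes:
        """Verify the MAC in constant time; only a valid packet advances recv_seq."""
        payload, tag = packet[:-MAC_LEN], packet[-MAC_LEN:]
        msg = self.recv_seq.to_bytes(4, "big") + payload
        expected = hmac.new(self._key(False), msg, "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("MAC mismatch: packet modified, replayed or out of order")
        self.recv_seq += 1
        return payload


def run_session() -> dict:
    """Exchange public values, then show that a clean packet is accepted while a
    modified packet and a replayed packet are both rejected."""
    client, server = Endpoint("client"), Endpoint("server")
    kc = client.agree(server.public)
    ks = server.agree(client.public)

    packet = client.seal(b"exec: uptime")
    accepted = server.open(packet)

    tampered = bytearray(packet)
    tampered[0] ^= 0x01                      # flip one bit in the payload
    try:
        server.open(bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    try:
        server.open(packet)                  # same packet again; server expects seq 1
        replay_detected = False
    except ValueError:
        replay_detected = True

    return {"same_secret": kc == ks, "accepted": accepted,
            "tamper_detected": tamper_detected, "replay_detected": replay_detected}


if __name__ == "__main__":
    print(run_session())
```

The sequence number inside the MAC is what makes the replay fail even though the bytes are identical to a packet that was accepted a moment earlier; SSH-1's CRC-32 check, which the text calls out above, provided neither this binding nor any resistance to forgery.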

Although the first version was released as freeware, later releases became proprietary when SSH Communications Security Corporation started selling the product, which led to alternative forks.

The best-known fork is OSSH, developed by the programmer Björn Grönvall, which the OpenBSD project took as the starting point for OpenSSH.

OpenBSD is a secure, free version of BSD UNIX, and its developers built on OSSH to ship OpenSSH in OpenBSD 2.6 in 1999. OpenSSH was then adopted by all major Linux distributions and is now used worldwide on POSIX-compatible operating systems and on Windows.

No practical break of the SSH-2 protocol itself is known, although implementations have had their share of bugs, and documents leaked in 2013 by Edward Snowden suggest that the National Security Agency (NSA) may be able to decrypt some SSH traffic. Some extra settings provide more security for SSH; all of them take effect only after sshd is reloaded or restarted. Here they are:

  • Disable password-based SSH authentication (PasswordAuthentication no) to stop brute-force password attempts;

  • Disable remote login for the root account (PermitRootLogin no), or use it only when root is really needed, logging in with a normal account and then switching to root with su or sudo;

  • Authorize SSH only for specific users (AllowUsers or AllowGroups), enabling and disabling access as needed;

  • Change the default SSH port from 22 to another number, to avoid attackers scanning for servers that respond on port 22 (bearing in mind that this only reduces noise).
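This list and the "Best Security Practices for SSH" list earlier on the page describe the same sshd_config settings, so here is one added example that checks them together (not OpenSSH's code and not the article author's). It parses the global section of an sshd_config text and reports weak or missing settings with a severity, treating the port change as informational. It only sees what is written in the file, so on a real host compare with `sshd -T`, which prints the effective values including defaults; the defaults assumed below (PermitRootLogin prohibit-password, PasswordAuthentication yes, PubkeyAuthentication yes, Port 22) are those of current OpenSSH releases. The two sample configurations are constructed.

```python
"""Audit the global section of an sshd_config against the practices listed in
this article.

Added example for this article, not OpenSSH's code or the author's. It parses
the configuration text directly, so it only sees what is written there; run
`sshd -T` on the host for the effective values including defaults. The
defaults assumed here (PermitRootLogin prohibit-password, PasswordAuthentication
yes, PubkeyAuthentication yes, Port 22) are those of current OpenSSH releases.
The two sample configurations are constructed.
"""
import re

# "Keyword value" or "Keyword=value"; sshd_config accepts both forms.
KV_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")


def parse_sshd_config(text: str) -> dict:
    """Return {keyword_lowercase: value} for the global section (everything
    before the first Match block). sshd uses the first occurrence of a keyword,
    so later duplicates are ignored."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            break
        config.setdefault(keyword, value)
    return config


def audit_sshd_config(text: str) -> list:
    """Return (severity, keyword, message) tuples for weak or missing settings."""
    cfg = parse_sshd_config(text)

    def get(key, default=None):
        return cfg.get(key.lower(), default)

    findings = []
    if "1" in get("Protocol", "2").replace(" ", "").split(","):
        findings.append(("high", "Protocol",
                         "SSH-1 enabled; use 'Protocol 2' (current OpenSSH only speaks SSH-2)"))
    if get("PermitRootLogin", "prohibit-password").lower() == "yes":
        findings.append(("high", "PermitRootLogin",
                         "root can log in with a password; set 'PermitRootLogin no'"))
    if get("PasswordAuthentication", "yes").lower() != "no":
        findings.append(("high", "PasswordAuthentication",
                         "password logins allowed; set to no once keys are deployed"))
    kbd = get("KbdInteractiveAuthentication") or get("ChallengeResponseAuthentication") or "yes"
    if kbd.lower() != "no":
        findings.append(("medium", "KbdInteractiveAuthentication",
                         "keyboard-interactive prompts can still take a password; set to no unless used for MFA"))
    if get("PubkeyAuthentication", "yes").lower() != "yes":
        findings.append(("high", "PubkeyAuthentication", "public-key authentication disabled"))
    if not (get("AllowUsers") or get("AllowGroups")):
        findings.append(("medium", "AllowUsers/AllowGroups",
                         "every local account may log in; restrict with AllowUsers or AllowGroups"))
    if get("Banner", "none").lower() == "none":
        findings.append(("low", "Banner", "no pre-login banner configured"))
    if get("Port", "22") == "22":
        findings.append(("info", "Port", "default port; moving it reduces scanner noise only"))
    return findings


# Constructed: a config typical of an untouched install plus some bad ideas.
WEAK_SSHD_CONFIG = """
Protocol 2,1
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# Match blocks do not change the global policy checked above
Match User deploy
    PasswordAuthentication no
"""

# Constructed: the same host after applying the practices from the article.
HARDENED_SSHD_CONFIG = """
Protocol 2
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowGroups ssh-users
Banner /etc/issue.net
"""

if __name__ == "__main__":
    for severity, keyword, message in audit_sshd_config(WEAK_SSHD_CONFIG):
        print(f"[{severity}] {keyword}: {message}")
```

The audit stops at the first Match block on purpose: a `PasswordAuthentication no` inside a Match block only narrows the policy for the matching users, so it never repairs a permissive global setting.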

More than ten years ago, SSH became standard among remote access protocols, and since then, internet connection has undergone many changes. For low latency and secure connections, SSH is still extremely useful due to its speed and ease of use.

However, when we talk about high-latency environments, such as mobile network connections, this is not the most recommended solution as it generates connection delays. For that, there is another option: Mosh, or Mobile Shell.

This mechanism establishes an initial connection to then synchronize the local session with a remote session through UDP.

Mosh also improves UTF-8 handling, runs on POSIX-like operating systems and has also been available as a Google Chrome app.


