Are you worried about blackhat ssh announcement?

Black Hat 2024: Secure Shells in Shambles [pdf]

discussed on

Thinking about a cron job to disable ssh this week and re-enable next week :slight_smile:

No I'm not worried, but then I don't expose SSH to the internet.

2 Likes

Also see:

1 Like

I am not worried for the same reason as krazeh: many of us tell people not to expose SSH to the internet but to use a proper VPN, e.g. WireGuard or OpenVPN.
This is not the first time

1 Like

Doesn't the default OpenWrt install leave SSH listening on the WAN interface?

Absolutely not!

The process is listening in general but firewalled.


You can alter the interface listening behavior, but have to still ensure you've firewalled if IP_Forwarding is enabled (i.e. the default OpenWrt setting).


2 Likes
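The two settings that post is pointing at, written out as an added example (not the poster's screenshots): the `Interface` option in `/etc/config/dropbear` binds Dropbear to the LAN address instead of all interfaces, and the default `wan` zone in `/etc/config/firewall` is the rule that keeps an all-interfaces listener unreachable from the internet even when forwarding is on. The `PasswordAuth` values are an assumed hardening choice, not OpenWrt's defaults.

```uci
# /etc/config/dropbear (added example, not from the thread)
config dropbear
	option Port '22'
	option Interface 'lan'        # bind to the LAN address only; omit to listen on 0.0.0.0
	option PasswordAuth 'off'     # assumed hardening: key-only logins
	option RootPasswordAuth 'off'

# /etc/config/firewall (default OpenWrt wan zone)
# 'input REJECT' is what drops unsolicited WAN traffic to the router itself,
# so a dropbear bound to 0.0.0.0 is still not reachable from the WAN side.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
```

After `/etc/init.d/dropbear restart`, `netstat -lntp` should show dropbear on the LAN address rather than `0.0.0.0:22`; if you change `input` on the wan zone, that is the moment an exposed listener becomes reachable.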

Oh right, there's the default firewall rule :slight_smile:

1 Like

Is WireGuard -> SSH much better than no-shell-jumphost-SSH -> SSH?

It's functionally the same, even more so if you use an SSH CA. I see the benefit of needing exploits in two places instead of one, but the disadvantage is that now you have to maintain/configure/harden/audit/watch the logs of two different things too.

Seems like the only thing possible with Dropbear is to test 4k keys per minute, and Dropbear doesn't support the defense, the PerSourcePenalties feature, which is missing.

So unless you have users who publish keys elsewhere, there's not much to worry about.

Did I miss something else?

It's not just that it's two places; it's that WireGuard has a significantly smaller attack surface.

SSH is actually a massive protocol that is described in four different RFCs: 4251, 4252, 4253, and 4254. All this amounts to 103 PDF pages. And that's not including RFC updates such as 8308, 8709, and 9142, etc., and those not currently described in an RFC, such as OpenSSH's strict key exchange extension.

WireGuard on the other hand is completely described in 20 pages. Of course, this isn't a completely fair comparison because SSH has way more features. On the other hand, WireGuard having fewer features is what contributes to its ease of use, which leads to far fewer opportunities for misconfiguration.

1 Like