Black Hat 2024: Secure Shells in Shambles [pdf]
discussed on
Thinking about a cron job to disable ssh this week and re-enable next week
No I'm not worried, but then I don't expose SSH to the internet.
Also see:
I am not worried for the same reason as krazeh: many of us tell people not to expose SSH to the internet but to use a proper VPN, e.g. WireGuard or OpenVPN.
This is not the first time
Doesn't the default openWRT install leave SSH listening on WAN interface?
Absolutely not!
The process is listening in general but firewalled.
You can alter the interface listening behavior, but have to still ensure you've firewalled if IP_Forwarding is enabled (i.e. the default OpenWrt setting).
Oh right, there's the default firewall rule.
is wireguard -> ssh, much better than no-shell-jumphost-ssh -> ssh?
It's functionally the same, even more so if you use an SSH CA. I see the benefit of needing exploits in two places instead of one, but the disadvantage is that now you have to maintain/configure/harden/audit/watch logs of two different things too.
Seems like the only thing possible with dropbear is to test 4k keys per minute, and dropbear doesn't have the defense for that, the PerSourcePenalties feature.
So unless you have users who publish keys elsewhere, there's not much to worry about.
Did I miss something else?
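The PerSourcePenalties gap raised in the post above, as an added example that is not part of the thread and is not dropbear's or OpenSSH's code: a small Python script that charges each source address a penalty for failed or abandoned dropbear logins, modelled loosely on OpenSSH's authfail/noauth/max/min schedule, and reports which sources would currently be refused. The log line shapes, the sample lines and the schedule values are constructed assumptions; check the message formats against your own dropbear syslog output before relying on them.

```python
"""Per-source penalty accounting for dropbear-style auth failures.

Added example (not from the original thread). OpenSSH 9.8 ships
PerSourcePenalties; dropbear does not, so this script approximates the
idea outside the daemon: parse syslog lines, charge each source a
penalty per failed or abandoned authentication, let the penalty decay,
and refuse sources whose accumulated penalty crosses a threshold.
"""
import re
from datetime import datetime

# Constructed sample log, in the shape of dropbear's syslog output (not real data).
SAMPLE_LOG = """\
Jun  1 10:00:01 router dropbear[1201]: Bad password attempt for 'root' from 203.0.113.7:50210
Jun  1 10:00:02 router dropbear[1202]: Bad password attempt for 'root' from 203.0.113.7:50211
Jun  1 10:00:03 router dropbear[1203]: Bad password attempt for 'admin' from 203.0.113.7:50212
Jun  1 10:00:04 router dropbear[1204]: Bad password attempt for 'root' from 203.0.113.7:50213
Jun  1 10:00:05 router dropbear[1205]: Exit before auth from <203.0.113.7:50214>: (user 'root', 1 fails)
Jun  1 10:00:05 router dropbear[1206]: Password auth succeeded for 'alice' from 192.0.2.10:40001
Jun  1 10:00:06 router dropbear[1207]: Bad password attempt for 'root' from 198.51.100.4:33001
Jun  1 10:00:07 router dropbear[1208]: Exit before auth from <198.51.100.4:33002>: (user 'root', 0 fails)
"""

# Penalty schedule in seconds. Assumed values chosen to mirror the documented
# OpenSSH defaults for authfail/noauth/max/min; this is an approximation.
PENALTY = {"authfail": 5.0, "noauth": 1.0}
MAX_PENALTY = 600.0   # cap on the accumulated penalty of one source
MIN_PENALTY = 15.0    # a source is only refused once it has accumulated this much

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dropbear\[\d+\]: (?P<msg>.*)$"
)
# Message patterns are constructed to match the sample above (IPv4 only).
EVENT_RES = [
    ("authfail", re.compile(r"^Bad password attempt for '[^']*' from (?P<ip>[\d.]+):\d+$")),
    ("noauth", re.compile(r"^Exit before auth from <(?P<ip>[\d.]+):\d+>")),
]


def to_seconds(ts: str) -> float:
    """Syslog timestamps carry no year; measure seconds from a fixed origin."""
    dt = datetime.strptime(ts, "%b %d %H:%M:%S")
    return (dt - datetime(1900, 1, 1)).total_seconds()


def parse_event(line: str):
    """Return (seconds, ip, kind) for a penalisable line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for kind, rx in EVENT_RES:
        e = rx.match(m.group("msg"))
        if e:
            return to_seconds(m.group("ts")), e.group("ip"), kind
    return None  # successful logins and unrelated lines earn no penalty


def compute_penalties(log_text: str) -> dict:
    """Accumulate penalties per source, letting them decay as time passes.

    Returns {ip: (accumulated_seconds, refuse_until_seconds)} for every
    source that was charged at least once.
    """
    state = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        t, ip, kind = ev
        _, until = state.get(ip, (0.0, t))
        remaining = max(0.0, until - t)          # unexpired penalty carries over
        total = min(MAX_PENALTY, remaining + PENALTY[kind])
        state[ip] = (total, t + total)
    return state


def refused_sources(log_text: str, now: float) -> set:
    """Sources that would be refused at time `now` (seconds, same origin as to_seconds)."""
    return {
        ip for ip, (total, until) in compute_penalties(log_text).items()
        if total >= MIN_PENALTY and until > now
    }


if __name__ == "__main__":
    for ip, (total, until) in sorted(compute_penalties(SAMPLE_LOG).items()):
        print(f"{ip}: penalty={total:.0f}s")
    print("refused at 10:00:10:", refused_sources(SAMPLE_LOG, to_seconds("Jun  1 10:00:10")))
```

Feeding the script a live log (for example via `logread -f` on OpenWrt) and turning the refused set into firewall rules is left to the operator; the point here is the accounting, in particular that a single stray failure (198.51.100.4) never reaches the threshold while a burst from one source does, and that the block expires on its own.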
It's not just that it's two places, it's that Wireguard has a significantly smaller attack surface.
SSH is actually a massive protocol that is described in four different RFCs: 4251, 4252, 4253, and 4254. All this amounts to 103 PDF pages. And that's not including RFC updates such as 8308, 8709, and 9142, etc., and those not currently described in an RFC, such as OpenSSH's strict key exchange extension.
Wireguard, on the other hand, is completely described in 20 pages. Of course, this isn't a completely fair comparison because SSH has way more features. On the other hand, Wireguard having fewer features is what contributes to its ease of use, which leads to far fewer opportunities for misconfiguration.