6

I have a newly installed (and updated) Centos 7 server I use for testing.

I implemented RSA key based authentication for ssh and set PermitRootLogin to without-password

When I logged on this morning I ran netstat -plant and found a couple of established connections on port 22 from China and France.

I find it hard to believe that a 4096 bit rsa key can be cracked within the space of one evening.

Are there any exploits / vulnerabilities that can be used to circumvent key-based authentication with OpenSSH?

Is key-based auth the best option to allow access with SSH? What are the alternatives?

Son of Sam
  • 77
  • 1
  • 8

3 Answers3

5

When I logged on this morning I ran netstat -plant and found a couple of established connections on port 22 from China and France.

How long did you see them for?

If you have an SSH server on the Internet, people are going to be constantly scanning for it and attempting dictionary attacks of common passwords. So systems will connect, try multiple passwords, and have enforced delays between tries as your system wants to limit brute force attacks.

All this means is TCP connections "established" for seconds or even minutes. They aren't authenticated SSH sessions, they're just TCP connections.

Here, look:

$ netstat -tn | grep :22 | egrep -v "[my address]"
tcp        0   1080 192.168.1.2:22         123.183.209.136:25690   ESTABLISHED
tcp        0      1 192.168.1.2:22         123.183.209.136:40117   FIN_WAIT1

a couple minutes later:

$ netstat -tn | grep :22
tcp        0   1080 192.168.1.2:22         123.183.209.136:48456   ESTABLISHED

In the first snapshot we see that there's one established session, and one still being torn down. A couple minutes later, there's a new session (notice the client port has changed to 48456). So this person is constantly opening a TCP connection, trying to authenticate, and when that connection gets shut down for too many tries they just open another one.

I find it hard to believe that a 4096 bit rsa key can be cracked within the space of one evening.

Are there any exploits / vulnerabilities that can be used to circumvent key-based authentication with OpenSSH?

Is key-based auth the best option to allow access with SSH? What are the alternatives?

Don't panic yet. Watch the connections; unless you see one last for a significant period of time you probably don't have to worry.

You can also check last output to see if anyone is actually logging in, and correlate their source address (e.g., don't worry about logins from the IP you log in from):

$ last
gowenfawr pts/0        192.168.1.3      Thu Aug  3 18:55   still logged in
gowenfawr pts/0        172.16.43.21     Thu Aug  3 03:29 - 03:29  (00:00)
gowenfawr pts/0        172.16.43.21     Thu Aug  3 03:19 - 03:29  (00:09)
gowenfawr pts/0        172.16.43.21     Thu Aug  3 03:04 - 03:06  (00:02)
gowenfawr pts/1        192.168.1.3      Wed Aug  2 19:44 - 21:09  (01:25)

wtmp begins Wed Aug  2 19:44:26 2017

Although, of course, if someone did compromise your system, you couldn't trust last or netstat anyway.

gowenfawr
  • 71,975
  • 17
  • 161
  • 198
4

RSA keys are sufficiently secure for the foreseeable future, and 4096 bit might even be overkill.

If you're worried you could look into setting up something like fail2ban, but if you don't allow password authentication and you have RSA keys with >= 2048 bits you're fine.

I expect if you check your auth logs you'll find a lot of authentication failures from those addresses, and that's pretty normal. Right now my public facing ssh server has a 14MB auth log, with over 82,000 failed login attempts for root:

sudo grep -i root /var/log/auth.log -c
82023
AndrolGenhald
  • 15,436
  • 5
  • 45
  • 50
1

As long as you set it up properly, the key was not cracked.

If they are only showing up in netstat then they are probably just on the SSH login prompt.

Make sure to disable tunnelled clear text passwords in your /etc/ssh/sshd_config file to prevent normal password logins. Make sure you have another way to get into your server if you lose your keys.

PermitRootLogin should be set to no. You should not be logging in as root, especially over SSH. Use another account with sudo access.

SSH key authentication is the best way to authenticate to an SSH server, especially an SSH server that is exposed to the internet. There is also software that implements two-factor authentication to SSH logins using Google Authenticator. This is something worth looking into.

jamieweb
  • 425
  • 1
  • 3
  • 10
  • It's impossible to say with certainty whether the key was cracked or not. It's *possible* (though incredibly unlikely) that a hacker got lucky and cracked it on their first try. – jvriesem Feb 15 '18 at 20:34