Security Notice: OpenSSH Passwords
Last week, an independent security researcher disclosed a new OpenSSH bug that lets attackers brute-force SSH passwords far more easily than intended. Worse, the vulnerability affects OpenSSH versions reaching back to the one shipped in a 2007 release of the FreeBSD operating system.
Impact:
This bug lets an attacker control how many passwords can be tried on a single connection before OpenSSH closes it. By default, OpenSSH allows only 3 password attempts per connection before disconnecting. Using this vulnerability, an attacker can try as many passwords as the network connection allows, limited only by the “login grace time”, which defaults to 120 seconds. On a data-center-quality internet connection, an attacker could test 10,000 passwords in that window.
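The practical signature of this bug on the server side is a single connection (one sshd child process) accumulating more authentication failures than the per-connection limit should ever allow. The following detector is an added example, not code from the original notice or from Authy: it parses constructed sshd auth-log lines, groups failures by the sshd child pid that appears in each line, and flags any connection whose failure count exceeds the limit. The 3-attempt default is the figure the notice quotes; pass your own MaxAuthTries value if it differs.

```python
import re

# Constructed sample of sshd auth-log lines (not taken from the original page).
# Each sshd child process, the [pid] in the log, serves exactly one client
# connection, so failures sharing a pid were all made on a single connection.
SAMPLE_LOG_LINES = [
    "Jul 22 10:00:01 bastion sshd[4102]: Failed password for root from 192.0.2.10 port 50311 ssh2",
    "Jul 22 10:00:03 bastion sshd[4102]: Failed password for root from 192.0.2.10 port 50311 ssh2",
    "Jul 22 10:00:05 bastion sshd[4102]: Failed password for root from 192.0.2.10 port 50311 ssh2",
    "Jul 22 10:00:06 bastion sshd[4102]: Disconnecting: Too many authentication failures for root [preauth]",
] + [
    # Eight failures on one connection: more than the 3-attempt limit the notice describes.
    f"Jul 22 10:01:{sec:02d} bastion sshd[4177]: Failed keyboard-interactive/pam for root "
    f"from 198.51.100.7 port 40122 ssh2"
    for sec in range(10, 18)
] + [
    "Jul 22 10:02:30 bastion sshd[4190]: Accepted publickey for alice from 203.0.113.9 port 60010 ssh2",
]

# Matches sshd's "Failed <method> for [invalid user ]<user> from <ip> port <n>" lines.
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def failures_per_connection(lines):
    """Map sshd child pid -> (source ip, user, failure count)."""
    stats = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        pid = m.group("pid")
        ip, user, count = stats.get(pid, (m.group("ip"), m.group("user"), 0))
        stats[pid] = (ip, user, count + 1)
    return stats


def over_limit_connections(lines, max_auth_tries=3):
    """Connections with more failures than the per-connection limit should allow.

    max_auth_tries defaults to the 3 attempts the notice quotes (assumption:
    substitute the MaxAuthTries value from your own sshd_config). A properly
    enforced limit never produces a hit here, so any result is worth an alert,
    regardless of how many source addresses are involved.
    """
    return {
        pid: stat
        for pid, stat in failures_per_connection(lines).items()
        if stat[2] > max_auth_tries
    }


if __name__ == "__main__":
    for pid, (ip, user, count) in over_limit_connections(SAMPLE_LOG_LINES).items():
        print(f"sshd[{pid}]: {count} failed attempts for {user!r} from {ip} on one connection")
```

Counting per pid rather than per source address is the point: ordinary brute-forcing spreads across many short connections and is already limited by MaxAuthTries, whereas this bug shows up as one long-lived connection burning through guesses inside the login grace window.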
Protecting yourself
There are several mitigations you can apply right now to protect yourself. First, disable password authentication and use cryptographic key login instead.
Second, add two-factor authentication. Not only does this protect your hosts from brute-force attacks, it also protects against a wide range of other attack vectors, including key theft, man-in-the-middle attacks, and stolen credentials. This is one of the best things you can do to improve your login security.
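The first mitigation, turning off passwords in favour of keys, is a few lines of sshd_config, and it is worth being able to audit a fleet for it. The checker below is an added example, not code from the original notice or from Authy: it parses constructed sshd_config fragments (a weak one beside the hardened one) using sshd's own rule that the first occurrence of a keyword wins, and reports the settings that still leave password guessing open. The 30-second threshold for LoginGraceTime is this example's own choice, and the time-suffix parser is a simplification of sshd's format.

```python
# Constructed sshd_config fragments (not from the original page): a weak
# configuration that still accepts passwords, and the hardened form the
# notice recommends (keys only, shorter grace window).
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication yes
MaxAuthTries 3
LoginGraceTime 120
"""

HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
LoginGraceTime 30
"""

# Values sshd assumes when a keyword is absent (its documented defaults).
ASSUMED_DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "logingracetime": "120",
}


def parse_sshd_config(text):
    """Global keyword -> value map (keys lower-cased).

    sshd uses the first value it reads for each keyword, so later duplicates are
    ignored. Everything after a Match line is conditional, so parsing stops there;
    this simplified parser only judges the global section.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def to_seconds(value):
    """Simplified sshd time value: bare seconds or a number with s/m/h suffix."""
    units = {"s": 1, "m": 60, "h": 3600}
    if value and value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)


def audit_sshd_config(text, max_grace_seconds=30):
    """Return {Keyword: problem} for settings that still allow password guessing.

    max_grace_seconds is this example's threshold (an assumption), chosen so a
    single connection cannot keep guessing for the full 120-second default.
    """
    cfg = parse_sshd_config(text)

    def effective(key):
        return cfg.get(key, ASSUMED_DEFAULTS.get(key, "")).lower()

    findings = {}
    if effective("passwordauthentication") != "no":
        findings["PasswordAuthentication"] = "passwords accepted; set to 'no' and log in with keys"
    if effective("challengeresponseauthentication") != "no":
        findings["ChallengeResponseAuthentication"] = (
            "keyboard-interactive prompts (PAM passwords) accepted; set to 'no' "
            "unless your two-factor module requires it"
        )
    if effective("pubkeyauthentication") != "yes":
        findings["PubkeyAuthentication"] = "key login disabled; nothing is left once passwords are off"
    if "maxauthtries" not in cfg:
        findings["MaxAuthTries"] = "not set explicitly; pin it to a small number"
    grace = to_seconds(effective("logingracetime"))
    if grace > max_grace_seconds:
        findings["LoginGraceTime"] = f"{grace}s per connection; lower it to {max_grace_seconds}s or less"
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text) or "no findings")
```

Run it against `/etc/ssh/sshd_config` on each host and treat any finding as a ticket; the hardened fragment is what a clean result looks like. Shortening LoginGraceTime does not fix the bug, but it shrinks the window the notice describes, which is the sensible stopgap until the upgrade lands.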
Adding Two-Factor Authentication to your SSH server
By implementing two-factor authentication with your SSH server, you add an extra layer of complexity that protects your account against today’s common threats. Even if you already limit login attempts and use Authorized Keys, Authy two-factor authentication provides the added defense needed to stay safe. And for shared accounts like Root, you’ll have access to log information showing which users in your organization accessed the account.
The 30-second installation
Authy takes only 30 seconds to install and configure (although you can do it faster, we’ve seen it in under 10 seconds). This will quickly and dramatically improve server security. It’s just 7 steps, and you can copy and paste the commands!
- Create your Twilio Account
- Activate and access your Authy API Key
- Get the SSH plugin code
- Install it: sudo bash authy-ssh install /usr/local/bin
- Enable it: sudo /usr/local/bin/authy-ssh enable `whoami`
- Test it: authy-ssh test
- Restart your ssh server: sudo service ssh restart
You can also watch our SSH installation video.
Learn More:
Take a deeper dive into the OpenSSH hack test and vulnerability. Then try Authy. Users love how Authy has simplified two-factor authentication. We protect over 10,000 applications and over 1.7 million users from the password breaches happening every day. To join Coinbase, Cloudflare, Twitch, Dell Software and others who have adopted the Authy authentication solution, visit http://www.twilio.com/authy, or contact [email protected].