SSL & SSH Security: Common Attacks & Fixes

TL;DR

This guide covers common attacks against SSL (now TLS) and SSH, and how to protect your systems. We’ll focus on practical steps you can take now.

SSL/TLS Attacks & Prevention

1. Man-in-the-Middle (MitM) Attacks: An attacker intercepts communication between a client and server.
   
   • Prevention: Use HTTPS everywhere. Ensure valid SSL certificates are installed and properly configured. Regularly check certificate expiry dates.
   • Check Certificate Validity: Use tools like OpenSSL to verify the certificate chain:

     openssl s_client -connect yourdomain.com:443

2. POODLE Attack (Padding Oracle On Downgraded Legacy Encryption): Exploits vulnerabilities in older SSLv3 protocol.
   
   • Prevention: Disable SSLv3 entirely on your server. Most modern servers do this by default, but double-check your configuration.
   • Apache Configuration Example: In your Apache config file (e.g., httpd.conf or a virtual host file):

     SSLProtocol All -SSLv3

3. Heartbleed Attack: Exploits a bug in the OpenSSL library to leak sensitive data.
   
   • Prevention: Keep your OpenSSL library up-to-date. This vulnerability is patched in newer versions. Regularly update your server’s packages.
   • Check OpenSSL Version: Run:

     openssl version

4. Logjam Attack: Weakens encryption by forcing the use of weaker Diffie-Hellman keys.
   
   • Prevention: Use strong Diffie-Hellman parameters (at least 2048 bits). Disable export ciphers.

SSH Attacks & Prevention

1. Brute-Force Attacks: Attackers try many passwords to gain access.
   
   • Prevention: Use strong, unique passwords. Even better, use SSH keys instead of passwords.
   • Disable Password Authentication: Edit /etc/ssh/sshd_config and set:

     PasswordAuthentication no

     Restart the SSH service after making changes (e.g., sudo systemctl restart sshd).

2. Key-Based Authentication: More secure than passwords.
   
   • Generate Key Pair: On your local machine:

     ssh-keygen -t rsa -b 4096

   • Copy Public Key to Server: Use ssh-copy-id user@server_ip.
3. Port Scanning & Exploitation: Attackers scan for open SSH ports and attempt to exploit vulnerabilities.
   
   • Prevention: Change the default SSH port (22) to a non-standard port. This won’t stop targeted attacks, but it reduces automated scans.
   • Edit /etc/ssh/sshd_config and change:

     Port 22

     to something else (e.g., Port 2222). Restart the SSH service.

4. SSH Protocol Version 1 Vulnerabilities: Older versions of SSH have known security flaws.
   
   • Prevention: Disable SSH protocol version 1 and only allow version 2.

     Protocol 2

     in /etc/ssh/sshd_config.

5. Session Hijacking: Attackers try to steal active SSH sessions.
   • Prevention: Use strong encryption ciphers and key exchange algorithms. Regularly review your sshd_config file for optimal settings. Consider using tools like fail2ban (see below).