Reports of a possible OpenSSH vulnerability surfaced via the SANS ISC today. The reports are not confirmed at this point, but if you're running a version of OpenSSH older than 5.2, you should upgrade anyway because of previously known vulnerabilities.
Whether or not the reports are confirmed, this might be a good time to review security controls. For example, if you're not using a strong password for SSH implementations, then a 0day vulnerability is only one of your OpenSSH security concerns. Protocols like SSH are meant to provide confidentiality and integrity; they do not usually actively prevent brute-force, dictionary, or endpoint attacks without additional configuration (of course, this varies depending upon distribution and implementation).
One control that can be deployed alongside SSH is port knocking. Port knocking uses the KnockD port-knock server to hide SSH from unauthorized connections. The SSH listener stays firewalled until a connection (SYN) is made to each of a specific series of ports within a given time period. Once the port connections have been made, the SSH server will respond only to the IP that originated the "knock." By randomizing the order and timing of the "knock" ports, the SSH daemon remains hidden from unauthorized hosts performing port scans.
A good example of how to implement port knocking (KnockD) for both OpenBSD and Linux can be found on Mark Sanborn's blog:
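The gating logic described above can be modelled as a small per-source state machine. This is an added example, not code from the post or from KnockD; the port numbers, the 5-second window, the reset-on-wrong-port rule, and the names `KnockTracker` and `replay` are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed values for illustration; choose your own non-sequential ports.
KNOCK_SEQUENCE = (7000, 8000, 9000)
SEQ_TIMEOUT = 5.0  # seconds allowed from first knock to last

@dataclass
class KnockTracker:
    """Simplified per-source model of a port-knock gate in front of SSH."""
    sequence: tuple = KNOCK_SEQUENCE
    timeout: float = SEQ_TIMEOUT
    progress: dict = field(default_factory=dict)  # ip -> (next index, start time)
    allowed: set = field(default_factory=set)     # IPs the firewall would admit

    def on_syn(self, ts, ip, port):
        """Feed one observed TCP SYN: timestamp, source IP, destination port."""
        idx, start = self.progress.get(ip, (0, ts))
        if idx and ts - start > self.timeout:
            idx, start = 0, ts                    # window expired: start over
        if port == self.sequence[idx]:
            idx += 1                              # expected knock
        elif port == self.sequence[0]:
            idx, start = 1, ts                    # out of step, but a fresh first knock
        else:
            idx = 0                               # any other port resets progress
        if idx == len(self.sequence):
            self.allowed.add(ip)                  # open SSH for this source only
            idx = 0
        if idx:
            self.progress[ip] = (idx, start)
        else:
            self.progress.pop(ip, None)

    def ssh_permitted(self, ip):
        return ip in self.allowed

# Constructed sample SYN events (seconds, source IP, port), grouped by source.
SAMPLE = [
    (0.0, "192.0.2.10", 7000), (1.0, "192.0.2.10", 8000), (2.0, "192.0.2.10", 9000),
    (0.0, "198.51.100.7", 9000), (0.5, "198.51.100.7", 8000), (1.0, "198.51.100.7", 7000),
    (0.0, "203.0.113.5", 7000), (3.0, "203.0.113.5", 8000), (9.0, "203.0.113.5", 9000),
    (0.0, "203.0.113.9", 7000), (0.1, "203.0.113.9", 7001), (0.2, "203.0.113.9", 8000),
]

def replay(events):
    tracker = KnockTracker()
    for ts, ip, port in events:
        tracker.on_syn(ts, ip, port)
    return tracker
```

Replaying `SAMPLE` admits only the first source: the second knocks in the wrong order, the third exceeds the time window, and the fourth touches an intermediate port the way a sequential port scan would.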
http://www.marksanborn.net/linux/add-port-knocking-to-ssh-for-extra-security/