GoDaddy, reputedly one of the world’s largest domain registrars with more than 19 million customers and approximately 77 million managed domains, recently disclosed a data breach that affects users with web hosting accounts. Although the security incident took place on October 19, 2019, it was only discovered on April 23, 2020. Despite the significant gap between the event and its discovery, this is not at all unusual, and it is a clear demonstration of the importance of SSH security. One can read the initial email filed with the California Department of Justice, which GoDaddy had to send to notify its customers and which forced a password reset on affected customers.
According to the initial GoDaddy email, the breach impacted only GoDaddy’s hosting accounts. Upon further investigation in May 2020, compromised remote access credentials in GoDaddy’s hosting environment were found to affect at least 28,000 customers. GoDaddy’s CISO and VP of Engineering, Demetrius Comes, revealed that the breach was identified after suspicious activity on GoDaddy servers: unauthorized individual(s) had obtained access through the SSH service. On Linux systems, SSH is the predominant protocol administrators use to manage servers and perform administrative and maintenance tasks.
The lesson to be learned from this breach is perhaps best summed up by analysts from Venafi Inc., a privately held cybersecurity company.
The GoDaddy breach underlines just how important SSH security is.
Venafi Inc.
Security of remote access into a company’s environment and its critical servers is vital, and the SSH service used to remotely administer an enterprise’s critical servers is no exception. Clients often ask us whether changing the port the remote access protocol runs on would be sufficient. We explain that this information can easily be deduced with a variety of tools: dedicated attackers can run port scans themselves or review services that collect port scan data over time (e.g. Shodan).
We’ve compiled a concise list to ensure access to your organization’s servers is locked down:
Disable root login
Limit max authentication attempts
Block SSH brute force attacks automatically (SSHGuard, Fail2ban, or DenyHosts)
Keep SSH patched and updated
Disable empty passwords
Mandate the use of key over password authentication
Mandate the use of only SSHv2
Expose the SSH service only to the required users
Disable X11Forwarding
Implement multi-factor authentication
Disable weak key exchanges and ciphers
Perform a regular audit of the authorized_keys and SSH logs
This is not meant to be an exhaustive list, but rather the security minimums that network administrators and critical system owners should be aware of.
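To make the list above checkable rather than aspirational, here is an added example (not code from the Packetlabs post) in POSIX sh that audits an sshd_config file against those minimums. Both configuration files it creates are constructed samples; the MaxAuthTries threshold of 3 and the patterns used to spot weak ciphers and key exchanges are this example’s own assumptions, as is the expectation of an AuthenticationMethods directive as the sign that a second factor is enforced.

```sh
#!/bin/sh
# Added example, not code from the Packetlabs post: audit an sshd_config against
# the hardening minimums listed above. Both config files below are constructed
# samples; the MaxAuthTries threshold (3) and the weak cipher/KEX patterns are
# this example's assumptions, not settings taken from the post.

# Effective value of a directive: sshd uses first-match semantics, so the first
# uncommented, case-insensitive occurrence wins. Parsing stops at the first
# "Match" block, whose conditional settings this simple audit does not evaluate.
sshd_get() {
    awk -v k="$1" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$2"
}

# Print one finding per line for the given sshd_config file.
audit_sshd_config() {
    f=$1

    v=$(sshd_get Protocol "$f")
    case "$v" in *1*) echo "Protocol '$v' still permits SSHv1; use SSHv2 only";; esac

    v=$(sshd_get PermitRootLogin "$f")
    if [ "$v" != "no" ]; then echo "PermitRootLogin is '${v:-unset}'; set it to no"; fi

    v=$(sshd_get MaxAuthTries "$f")
    if [ -z "$v" ] || [ "$v" -gt 3 ]; then
        echo "MaxAuthTries is '${v:-unset, default 6}'; limit it to 3 or fewer"
    fi

    v=$(sshd_get PasswordAuthentication "$f")
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication is '${v:-unset, default yes}'; mandate key authentication"
    fi

    if [ "$(sshd_get PermitEmptyPasswords "$f")" = "yes" ]; then
        echo "PermitEmptyPasswords is yes; set it to no"
    fi

    if [ -z "$(sshd_get AllowUsers "$f")" ] && [ -z "$(sshd_get AllowGroups "$f")" ]; then
        echo "No AllowUsers/AllowGroups; expose SSH only to the required accounts"
    fi

    if [ "$(sshd_get X11Forwarding "$f")" = "yes" ]; then
        echo "X11Forwarding is yes; disable it"
    fi

    if [ -z "$(sshd_get AuthenticationMethods "$f")" ]; then
        echo "AuthenticationMethods unset; require a second factor (e.g. publickey,keyboard-interactive)"
    fi

    v=$(sshd_get Ciphers "$f")
    case "$v" in *-cbc*|*arcfour*) echo "Ciphers '$v' includes a CBC or RC4 cipher; remove it";; esac

    v=$(sshd_get KexAlgorithms "$f")
    case "$v" in *sha1*) echo "KexAlgorithms '$v' includes a SHA-1 exchange; remove it";; esac

    return 0
}

# Number of findings, for scripting a pass/fail gate.
count_findings() {
    audit_sshd_config "$1" | awk 'END { print NR }'
}

WORK=$(mktemp -d)

cat > "$WORK/weak_sshd_config" <<'EOF'
# Constructed sample: the port was changed and little else
Port 2222
Protocol 2,1
PermitRootLogin yes
#MaxAuthTries 6
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
Ciphers aes256-ctr,3des-cbc
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256
EOF

cat > "$WORK/hardened_sshd_config" <<'EOF'
# Constructed sample: the same host after applying the list above
Port 2222
Protocol 2
PermitRootLogin no
MaxAuthTries 3
PasswordAuthentication no
PermitEmptyPasswords no
AllowGroups ssh-admins
X11Forwarding no
AuthenticationMethods publickey,keyboard-interactive
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
EOF

echo "== weak ($(count_findings "$WORK/weak_sshd_config") findings) =="
audit_sshd_config "$WORK/weak_sshd_config"
echo "== hardened ($(count_findings "$WORK/hardened_sshd_config") findings) =="
audit_sshd_config "$WORK/hardened_sshd_config"
```

Run it against your own `/etc/ssh/sshd_config` by passing that path to `audit_sshd_config`. The weak sample, which only moved the port, produces ten findings; the hardened sample produces none. Keep in mind that sshd's own `sshd -T` prints the fully resolved effective configuration (including defaults and Match blocks), so auditing that output instead of the raw file is the more reliable choice on a live host.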
In the wake of a never-ending stream of security incidents against public and private companies, the effort needed to protect your own organization keeps growing. Another lesson from the GoDaddy breach is that the attackers were in GoDaddy’s hosting environment and network for approximately 6 months. Developing a strong security program for your organization often involves a planned and deliberate patching strategy and process, thorough testing, and active monitoring of critical systems. This can help minimize the risk of a breach and spot attackers lurking in your network before it’s too late.
Here at Packetlabs, we specialize in penetration testing. Through the expert use of both internal and external penetration testing activities, we perform thorough checks to determine which management access protocols are exposed and how they could be leveraged by an adversary. This information can then be used to develop a comprehensive security strategy. Contact us today to learn more about SSH security or to engage in a productive discussion on how we can assist your organization’s development of a proactive approach to cybersecurity.
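The “active monitoring” and “regular audit of SSH logs” points deserve a concrete shape, since a six-month dwell time is exactly what log review is meant to cut short. The following is an added example (not code from the Packetlabs post) in POSIX sh that triages sshd authentication log lines for the patterns such an audit should surface: the most active failing sources, sources over a brute-force threshold, and, most importantly, a successful login from a source that had been failing repeatedly, which is how a guessed or stolen credential typically shows up. The log lines are constructed samples in OpenSSH’s syslog format, and the threshold of 5 failures is this example’s assumption.

```sh
#!/bin/sh
# Added example, not code from the Packetlabs post: triage sshd authentication
# log lines to surface what a regular SSH log audit should catch. The log lines
# are constructed samples in OpenSSH's syslog format; the failure threshold (5)
# is this example's assumption.

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
May  3 02:11:07 web01 sshd[2311]: Failed password for root from 203.0.113.45 port 51122 ssh2
May  3 02:11:09 web01 sshd[2311]: Failed password for root from 203.0.113.45 port 51122 ssh2
May  3 02:11:12 web01 sshd[2315]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
May  3 02:11:15 web01 sshd[2318]: Failed password for invalid user oracle from 203.0.113.45 port 51140 ssh2
May  3 02:11:19 web01 sshd[2320]: Failed password for root from 203.0.113.45 port 51151 ssh2
May  3 02:11:24 web01 sshd[2322]: Failed password for root from 203.0.113.45 port 51160 ssh2
May  3 02:12:40 web01 sshd[2340]: Accepted password for deploy from 203.0.113.45 port 51190 ssh2
May  3 08:02:01 web01 sshd[3001]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:constructed-fingerprint
May  3 09:15:33 web01 sshd[3110]: Failed password for bob from 198.51.100.9 port 40100 ssh2
EOF

# Failed logins per source address, most active first, as "count ip" lines.
failures_by_source() {
    awk '/sshd\[[0-9]+\]: Failed / {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Sources at or above the failure threshold: candidates for blocking.
# This is the same signal tools like Fail2ban or SSHGuard act on automatically.
brute_force_sources() {
    failures_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Successful logins from a source that was brute forcing: the pattern of a
# guessed or otherwise compromised credential, which deserves an immediate look.
suspicious_accepts() {
    for ip in $(brute_force_sources "$1" "$2"); do
        awk -v ip="$ip" '/sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "from" && $(i + 1) == ip) print
        }' "$1"
    done
}

# Any password-based success is a policy finding once key authentication is
# mandated: it means a password path is still open somewhere.
password_accepts() {
    awk '/sshd\[[0-9]+\]: Accepted password for/' "$1"
}

echo "== failures by source =="
failures_by_source "$LOG"
echo "== brute force sources (>= 5 failures) =="
brute_force_sources "$LOG" 5
echo "== successful logins from brute forcing sources =="
suspicious_accepts "$LOG" 5
echo "== password-based logins =="
password_accepts "$LOG"
```

On a real host, point the functions at `/var/log/auth.log` or `/var/log/secure` (or pipe in `journalctl -u ssh`), and run them on a schedule rather than only after an incident. In the sample, the `deploy` login at 02:12:40 is the line that matters: it comes from the same address that had just failed six times, and it used a password, so it trips both the “success after brute force” and the “password still accepted” checks.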