Accelerated by the COVID-19 pandemic, remote work has grown considerably in recent years, and many people have learned in practice what RDP and SSH are, because these are the protocols their organizations rely on for remote access.
However, with more remote access comes more exposure to cyber threats, which makes it even more important to secure the connection between users and the workstations, servers, or endpoints they reach.
One of the main risks lies in user authentication: weak or stolen credentials allow attackers to log in as legitimate users and reach sensitive resources and data within an organization.
Another concern is endpoint exposure, since unprotected RDP endpoints are among the most common targets of cybercriminals.
By reading this article, you will learn what RDP and SSH are, how these protocols work, and how to protect your company from the risks created by remote access.
Our text is divided into the following topics:
- What Does SSH Mean?
- How Does SSH Work?
- What Is SSH Used For?
- Benefits of SSH
- Best Security Practices for SSH
- Cyberattack Cases with SSH Keys
- What Is RDP, and How Does It Work?
- What Is RDP Used For?
- Benefits of RDP
- What Is the Difference Between SSH and RDP?
- Best Security Practices for RDP
- RDP and SSH Vulnerabilities
- Protecting RDP and SSH in the Cloud
- History of SSH
- About senhasegura
Enjoy the reading!
What Does SSH Mean?
SSH is the acronym for Secure Shell. It is a protocol originally developed for remote access to Unix systems, and today it is used on Linux, BSD, macOS, network appliances, and also Windows, which now ships an OpenSSH client and server as optional features.
The protocol presents a command-line interface, usually a shell such as bash, and unlike RDP it does not provide a graphical desktop.
How Does SSH Work?
SSH relies on a client/server model. In its most secure form of authentication, it replaces traditional passwords with a key pair: the public key works like a lock and the private key like the key that opens it. Password authentication is also supported, but it is the weaker option.
The private key stays on the user's machine (and should never leave it), while the public key is placed on the server, typically in the ~/.ssh/authorized_keys file of the account it is allowed to log in to.
Key-based authentication is far stronger than a username and password because the private key is a long random secret (for example an RSA key of 2048 bits or more, or a 256-bit Ed25519 key) that cannot be guessed by dictionary attacks, and the server only ever sees a signature produced with it, never the key itself. Note that the key pair authenticates the user; the session traffic is encrypted separately with a symmetric cipher negotiated during key exchange.
What Is SSH Used For?
SSH is used to log in to a remote server or hosting account and execute commands. With this protocol, one can:
- Start and stop services;
- Monitor log files live (for example with tail -f);
- Install software on the account; and
- Manage MySQL databases, among other activities.
SSH offers no graphical interface like a web hosting control panel, but once the user learns its commands, they can manage the account more quickly than by clicking through one.
Benefits of SSH
SSH encrypts data in transit and authenticates the server, preventing user information and passwords from being read or redirected by attackers on the network. Here is what SSH can protect your company from:
IP Source Routing by Malicious Agents
Source routing has legitimate uses, but an attacker can abuse it to make one machine believe it is communicating with another. Because SSH verifies the server's host key, a redirected connection ends up at a host whose key does not match, and the client warns the user instead of silently sending credentials.
Attacks with DNS Spoofing
In this type of attack, the attacker injects forged records into the cache of a Domain Name System (DNS) server, so that the name server returns an incorrect IP address and traffic is diverted to another computer.
Whoever controls that computer can then collect confidential information and use it to their advantage. Again, the host key check in SSH reveals that the endpoint is not the expected server.
Manipulation of Data in Routers
Here, the attacker reads or alters data on routers or other intermediaries along the path to its destination. This is a realistic risk because traffic normally passes through several gateways on its way across a network. SSH integrity protection (message authentication codes) makes tampering detectable, and its encryption keeps the content unreadable.
Eavesdropping
An unencrypted connection lets attackers view the data in transit and collect sensitive information, including passwords, for a variety of purposes.
IP Spoofing
An attacker can craft packets with a fake source IP address, hiding their identity and location while the receiver believes it is interacting with another host.
All of these protections depend on the client knowing the server's real host key. On the first connection, the client records the key it sees (in the known_hosts file); verify the fingerprint through an independent channel at that point, because an attacker who intercepts the very first connection is not detected by the later checks.
Best Security Practices for SSH
Some practices improve the security of the SSH service. These are:
- Attackers use port scanners to detect whether a host is running SSH. Moving the service from port 22 to a port above 1024 reduces the noise from opportunistic scanners and bots, but it is not a security control: tools such as nmap and Internet-wide scanners find the service anyway, so treat it as a complement to the measures below, not a substitute. Also note that ports above 1024 can be bound by unprivileged local users if sshd is ever stopped.
- The SSH protocol exists in two versions, but version 1 has known weaknesses that allow insertion and man-in-the-middle attacks. Use only version 2; recent OpenSSH releases have removed SSH-1 support entirely, and on older versions the setting is Protocol 2 in sshd_config.
- Do not allow the root user to log in via SSH (PermitRootLogin no). If a root session is compromised, the attacker can do far more damage than with an ordinary user's account; administrators should log in as themselves and escalate with sudo, which also leaves an audit trail.
- Configure a banner so that users connecting through SSH see a specific message, for example informing them that they are accessing a private service. This is a legal notice rather than a technical control.
- Replace password logins with public key authentication, which protects the service from dictionary attacks. Use modern key types (Ed25519, or RSA with at least 3072 bits): DSA keys are limited to 1024 bits and have been disabled by default in OpenSSH since version 7.0. Once keys are deployed, set PasswordAuthentication no.
- Restrict which hosts may reach the SSH service with firewall rules (iptables or nftables) and which accounts may log in with AllowUsers or AllowGroups. TCP Wrappers were historically used for this, but OpenSSH dropped support for them in version 6.7, so do not rely on them.
Cyberattack Cases with SSH Keys
In recent years, many attackers have abused SSH machine identities, that is, the keys that let systems and automated processes authenticate to each other, to conduct cyberattacks.
Techniques once associated with state-sponsored operations, such as the attacks that brought down parts of Ukraine's power grid, are now within reach of criminal gangs that trade on the dark web, and government sectors are among their targets.
Such gangs also sell SSH backdoors to Advanced Persistent Threat (APT) groups associated with certain countries, for high sums.
SSH keys can be used by malicious attackers to gain unauthorized access to critical systems and perform various actions, such as:
- Bypassing security controls;
- Inserting fraudulent information;
- Compromising the encryption software; or
- Installing persistent malware.
Most of the time, the malware inserts the attacker's SSH public key into the authorized_keys file on the victim's computer, which guarantees persistent access to that machine even after passwords are changed.
In other cases, the malware weakened SSH authentication itself and harvested credentials and host information, which the attackers then used to move laterally through the network and infect other computers.
Here are some malware campaigns that abused SSH machine identities:
- TrickBot: Initially used to steal online banking credentials, TrickBot has expanded over the years into a general-purpose tool for cybercriminals operating in corporate environments.
It is modular malware that incorporates network profiling and mass data collection features, in addition to allowing lateral movement.
Its modules extract information from compromised computers and steal credentials from browsers, Outlook clients, and Windows itself, which can include stored SSH private keys.
- CryptoSink: This illicit Monero (XMR) mining campaign, discovered in 2019, compromised target systems by exploiting a vulnerability in Elasticsearch on Windows and Linux.
To maintain access, it added the attacker's public key to the authorized_keys file on the victim's computer.
- Linux worm targeting Exim: This malware attacks Exim mail servers on Unix-like systems and turns them into Monero cryptocurrency miners.
To do this, it enables the SSH server if it is disabled and creates a backdoor by adding its own SSH public key.
- Skidmap: Here too, the attacker's public key is added to the authorized_keys file to give backdoor access to the target computer.
Skidmap gains root or administrative access through exploits, Internet-exposed services, or misconfigurations, and then uses that access to deploy its cryptomining payload.
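Both the key placement described under "How Does SSH Work?" (private key on the client, public key in the server's authorized_keys) and the persistence trick shared by the campaigns above (an attacker's public key appended to authorized_keys) come down to the contents of that one file, so auditing it is a direct detection. The script below is an added example, not code from the article's author or from any of the vendors cited: it parses authorized_keys lines including the options field, computes the SHA256 fingerprint the same way ssh-keygen -lf does, and reports keys that are not on an approved list as well as deprecated DSA keys. The key blobs are constructed dummy material (not real keys) and the approved list is an assumption.

```python
"""Audit an OpenSSH authorized_keys file against an allowlist of approved key
fingerprints. Added example for this article; not code from the article's
author or from OpenSSH. The sample keys below are constructed dummy material."""
import base64
import hashlib
import struct
from dataclasses import dataclass

# Prefixes of every key type OpenSSH accepts in authorized_keys (ssh-rsa,
# ssh-ed25519, ssh-dss, ecdsa-sha2-*, sk-* FIDO keys).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


@dataclass
class AuthorizedKey:
    line_no: int
    key_type: str
    fingerprint: str   # "SHA256:..." exactly as ssh-keygen -lf prints it
    comment: str
    options: str       # e.g. from="10.0.0.0/8",command="/usr/bin/backup"


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint of a public key blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _split_outside_quotes(line: str) -> list:
    """Split on whitespace but keep quoted option values (command="a b") intact."""
    tokens, current, in_quotes = [], [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        if ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def parse_authorized_keys(text: str) -> list:
    """Parse '[options] keytype base64-blob [comment]' lines into AuthorizedKey records."""
    keys = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = _split_outside_quotes(line)
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            raise ValueError(f"line {line_no}: not a valid authorized_keys entry")
        key_type, b64 = tokens[idx], tokens[idx + 1]
        blob = base64.b64decode(b64, validate=True)
        # The blob starts with its own type string; a mismatch means a malformed line.
        (type_len,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + type_len] != key_type.encode():
            raise ValueError(f"line {line_no}: declared type {key_type} does not match key blob")
        keys.append(AuthorizedKey(line_no, key_type, fingerprint_sha256(blob),
                                  " ".join(tokens[idx + 2:]), " ".join(tokens[:idx])))
    return keys


def find_suspicious(keys: list, approved: set) -> list:
    """Report keys not on the allowlist (possible backdoor) and deprecated DSA keys."""
    findings = []
    for k in keys:
        if k.fingerprint not in approved:
            findings.append(f"line {k.line_no}: unapproved {k.key_type} key {k.fingerprint} "
                            f"comment='{k.comment}' options='{k.options}'")
        if k.key_type == "ssh-dss":
            findings.append(f"line {k.line_no}: deprecated DSA key {k.fingerprint}")
    return findings


# --- constructed sample data (dummy key material, not real keys) -------------
def make_blob(key_type: str, material: bytes) -> bytes:
    return _ssh_string(key_type.encode()) + _ssh_string(material)


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


ADMIN_BLOB = make_blob("ssh-ed25519", bytes(range(32)))
PLANTED_BLOB = make_blob("ssh-ed25519", bytes(reversed(range(32))))
LEGACY_BLOB = make_blob("ssh-dss", b"\x00" * 16)

SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample authorized_keys
ssh-ed25519 {_b64(ADMIN_BLOB)} admin@bastion
from="10.0.0.0/8",command="/usr/bin/backup --full" ssh-ed25519 {_b64(PLANTED_BLOB)} backup
ssh-dss {_b64(LEGACY_BLOB)} legacy@oldhost
"""
APPROVED_FINGERPRINTS = {fingerprint_sha256(ADMIN_BLOB)}  # assumed allowlist

if __name__ == "__main__":
    for finding in find_suspicious(parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS),
                                   APPROVED_FINGERPRINTS):
        print(finding)
```

Run this against /root/.ssh/authorized_keys and every user's ~/.ssh/authorized_keys (plus any AuthorizedKeysFile paths set in sshd_config) with the allowlist fed from your key inventory; a key that is not on the list is either undocumented or planted, and either way deserves a ticket. The options field is reported because a restrictive from= or command= on an unknown key is still an unknown key.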
In addition to these cases, between 2015 and 2017 a teenager gained access to Apple's internal systems and copied data and authentication keys. According to the court, he had downloaded 90 GB of files and accessed customer accounts, which Apple denied.
Also according to the court, he ran a script on the system that created a secure shell tunnel, which gave him access to internal systems, bypassed firewalls, and sped up data exfiltration.
In this way, he was able to reach internal security policies and save authentication keys.
According to SSH.COM and Tatu Ylönen, the inventor of the Secure Shell protocol, SSH tunnels are widely used in corporate environments, but combined with stolen SSH keys they become attack vectors that are very hard to track.
What Is RDP, and How Does It Work?
Remote Desktop Protocol (RDP) is an old and very widespread protocol, and for that reason a constant target of attacks.
It is used mainly to access Windows virtual machines and physical servers, and its graphical interface makes servers accessible to users with or without technical training. Clients and servers for Linux also exist (FreeRDP and xrdp, for example), although RDP is primarily a Windows technology.
RDP (TCP port 3389 by default) is frequently exposed directly to the Internet, which is exactly what attackers scan for. For this reason, administrators must protect their RDP instances and avoid that exposure.
What Is RDP Used For?
RDP enables a user to connect to a computer remotely through Microsoft Remote Desktop Services (formerly Terminal Services).
In general, it is used to reach machines located outside the user's immediate environment in order to perform activities such as configuration and maintenance.
In addition, RDP is very useful for companies operating via remote work, a model adopted by many institutions since the beginning of the Covid-19 pandemic.
Benefits of RDP
Like SSH, RDP provides several benefits for those who adopt it. Here are some of them:
Connection Security
With RDP, you can access your files and documents over an encrypted connection to your remote desktop, and the data itself stays on the remote machine rather than on a laptop that can be stolen, which reduces the risk of data loss through attacks and physical theft.
Mobility
Another important benefit is the freedom to work from anywhere and at any time: all that is needed is a computer and Internet access.
Excellent Value for Money
Software installed on a remote host can be used from any client device, so it is not necessary to install and license it on every workstation. Note, however, that RDP access itself is subject to Microsoft licensing (see the licensing note under the best practices below).
What Is the Difference Between SSH and RDP?
Both resources serve the same purpose: accessing computers and servers remotely, including cloud-based servers, over an encrypted connection.
Despite their similarities, RDP and SSH differ in some respects. First, SSH with key-based authentication is harder to compromise than RDP, which relies on Windows passwords and therefore needs additional protection such as a virtual private network (VPN) or Remote Desktop Gateway and multi-factor authentication (MFA).
This is because it is easier to compromise a password than a key pair, which does not mean there is no need for appropriate measures to protect private keys.
Another difference is that SSH is technically more demanding than RDP. For that reason, many organizations choose RDP, especially those with new IT professionals or smaller teams.
Best Security Practices for RDP
RDP is reasonably secure in ideal environments, but to avoid unauthorized sessions and improper access it is necessary to go beyond its default settings and raise the maturity of IT security.
This is because RDP provides only baseline encryption, which does not guarantee complete security for internal and external operations.
Thus, the first rule for RDP is never to expose the service directly to the Internet. It should be reachable only from the local network, or through a VPN or Remote Desktop Gateway with MFA, regardless of how well the system and endpoints are otherwise protected.
Do you want to know how to protect RDP for internal use properly? Start with what is known about its default settings:
- Enabling RDP on Windows hosts and letting local or domain administrators use it is not a best practice, as it violates the principle of least privilege. Ideally, only standard (non-administrative) user accounts receive RDP access, only for the time needed to perform a given task, and the session is monitored from start to finish through a privileged access management (PAM) tool.
- If the above recommendation cannot be followed, rename the local and domain administrator accounts to something that is not obvious, and do not use RDP as an administrator for routine remote work, only when it is indispensable. Keep in mind that renaming is a weak control on its own: the built-in administrator keeps a well-known identifier (its SID ends in 500) and can still be enumerated, so it must be combined with strong passwords, MFA, and lockout policies.
- Require Network Level Authentication (NLA), so that the user is authenticated (through CredSSP) before a full session is created on the host; this keeps unauthenticated clients away from the session setup code and from the domain controller. Also set the security layer to TLS and the encryption level to the strongest available, so that the connection cannot be negotiated down to weaker legacy RDP encryption.
- RDP lets content be cut, copied, and pasted between the remote system and the connecting device by redirecting the clipboard, which is a data exfiltration channel. Disable clipboard redirection where it is not needed.
- RDP servers can also redirect printers into remote sessions, which may allow sensitive data to be printed and malicious printer drivers to be introduced into the environment. Disable printer redirection where it is not needed.
- Windows servers allow a user to open multiple RDP sessions. When a session is disconnected rather than logged off, a new connection may start a second session instead of resuming the first, leaving the old one running and causing data and productivity losses. Restricting each user, and especially each administrator, to a single session fixes this and also makes a malicious RDP session easier to spot, because a second logon by the same account becomes an anomaly.
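The controls in this list (no administrative RDP use, no exposure to the Internet, one session per account, monitored sessions) can be checked against Windows Security log events. The script below is an added example, not code from the article's author or from Microsoft: it reads a constructed CSV export of event IDs 4624 (logon) and 4634 (logoff), keeps only LogonType 10 (RemoteInteractive, the type Windows records when an RDP session is created), and flags administrator logons, sessions from outside constructed internal address ranges, and a second session for an account whose first session is still open. The account names, addresses, networks and the CSV column layout are assumptions. With NLA enabled you will also see a LogonType 3 event for the same user just before the type 10 one; the script ignores it.

```python
"""Detect RDP sessions that break the rules above, using Windows Security log
events 4624 (logon) and 4634 (logoff) with LogonType 10 (RemoteInteractive).
Added example; not code from the article's author or from Microsoft. The
events, the admin account list, the networks and the export format are constructed."""
import csv
import io
import ipaddress
from collections import defaultdict

RDP_LOGON_TYPE = "10"   # RemoteInteractive: a full RDP session was created
ADMIN_ACCOUNTS = {"administrator", "domain-admin"}   # constructed list of privileged names
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]  # constructed


def is_internal(ip: str, networks=INTERNAL_NETWORKS) -> bool:
    """True for loopback or a configured internal range; '-' means no address was logged."""
    if ip in ("-", ""):
        return True
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in networks)


def detect_rdp_anomalies(csv_text: str, admin_accounts=ADMIN_ACCOUNTS) -> list:
    """Walk the events in time order and return (rule, user, detail) tuples.

    Rules: admin_rdp (an administrator used RDP), external_source (session from
    outside the internal ranges, i.e. RDP reachable from the Internet) and
    concurrent_session (a second RDP session for an account whose first is open)."""
    findings = []
    open_sessions = defaultdict(set)   # user -> logon ids of RDP sessions not yet logged off
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["logon_type"] != RDP_LOGON_TYPE:
            continue   # console, network (NLA pre-auth) and service logons are out of scope
        user = row["user"].lower()
        if row["event_id"] == "4634":
            open_sessions[user].discard(row["logon_id"])
            continue
        if row["event_id"] != "4624":
            continue
        where = f"from {row['ip']} at {row['time']}"
        if user in admin_accounts:
            findings.append(("admin_rdp", user, where))
        if not is_internal(row["ip"]):
            findings.append(("external_source", user, where))
        if open_sessions[user]:
            findings.append(("concurrent_session", user,
                             f"session {row['logon_id']} opened while {sorted(open_sessions[user])} still open"))
        open_sessions[user].add(row["logon_id"])
    return findings


# Constructed export of Security log events, already sorted by time (the script
# assumes chronological order). 203.0.113.0/24 is a documentation range and
# stands in for an address outside the company.
SAMPLE_EVENTS = """time,event_id,user,logon_type,ip,logon_id
2024-03-01T08:00:00,4624,alice,10,10.1.2.3,0x1a2b
2024-03-01T08:05:00,4624,Administrator,10,10.1.2.9,0x1a2c
2024-03-01T08:10:00,4624,bob,10,203.0.113.45,0x1a2d
2024-03-01T08:20:00,4624,alice,10,10.1.2.4,0x1a2e
2024-03-01T08:30:00,4634,alice,10,-,0x1a2b
2024-03-01T08:40:00,4634,alice,10,-,0x1a2e
2024-03-01T08:50:00,4624,alice,10,10.1.2.3,0x1a2f
2024-03-01T09:00:00,4624,carol,3,10.1.2.5,0x1a30
"""

if __name__ == "__main__":
    for rule, user, detail in detect_rdp_anomalies(SAMPLE_EVENTS):
        print(f"{rule:20} {user:15} {detail}")
```

Alice's third logon at 08:50 raises nothing because both earlier sessions were logged off, which is the behaviour you want once the single-session policy is in place: a concurrent_session finding after that policy is applied means a session was created outside the normal path. Feed the script from whatever exports your SIEM or wevtutil produces, and keep the admin list in sync with the privileged groups in Active Directory rather than hard-coding it.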
RDP defaults should be set through Group Policy and applied via Active Directory, and the resources used in the domain should be configured individually to counter threats. In addition, keep an eye on other risks:
- Vulnerabilities in RDP implementations: IT teams need to track security updates and apply them promptly to prevent attackers from exploiting the environment.
- So that the end user does not become an attack vector, manage and limit the RDP clients allowed in the environment: a vulnerability in the client can extend the risk to the RDP host.
- Ensure that third-party solutions using RDP hold the licenses Microsoft requires for the protocol. This avoids violating the licensing agreement when adopting such technology.
RDP and SSH Vulnerabilities
The increase in remote work during the Covid-19 pandemic created a number of exposures involving RDP and SSH. This is shown by a report produced by Edgescan, which compiles data from thousands of security assessments and analyzes metrics for known Common Vulnerabilities and Exposures (CVEs), malware, ransomware, and services exposed on internal and public-facing systems.
According to Eoin Keary, CEO and founder of Edgescan, the sixth edition of the report makes it possible to examine the underlying data and identify the vulnerabilities exploited by nation states and cybercriminals, and it points out that patching and maintenance remain a challenge.
The report also shows that more than 65% of the vulnerabilities found by Edgescan in 2020 were more than three years old, and 32% dated from 2015 or earlier, which points to a lack of attention to remediation.
The most widespread critical-risk CVE found was CVE-2018-0598, which allows an attacker to gain privileges through a Trojan horse DLL in an unspecified directory.
When analyzing malware-related CVEs, Edgescan noticed that many were located on systems that are not Internet-facing, which suggests that internal vulnerabilities receive less attention than external ones.
This increases the risk that a targeted spear-phishing or social-engineering attack leads to ransomware and data theft.
Despite the problems associated with vulnerabilities, the report also showed positive trends.
One of them concerns the share of analyzed systems with more than 10 CVEs, which fell from 15% in 2019 to 4% in 2020 as a result of system updates and better patch maintenance, helped by the growth of asset-profiling services.
Protecting RDP and SSH in the Cloud
Whether you choose RDP or SSH, a cloud directory service can add security by managing SSH public keys and controlling who may reach RDP hosts.
Through such a service, you can enforce multi-factor authentication on Linux VMs, Windows systems, and VPNs (the latter typically via RADIUS).
One capability of a cloud directory service is managing users' SSH public keys: end users upload their own public keys and keep the private halves themselves, without relying on administrators to distribute keys to servers.
History of SSH
The first computers were the size of a conference room and needed thousands of mechanical parts to run simple commands. Over time they became smaller and gained easy-to-use interactive terminals.
In the 1960s, mainframes emerged; in the 1970s and 1980s, network computing became popular and remote access began to be used to connect to central computers.
In that period, such connections were considered secure because the networks were physically isolated from one another.
Telnet, developed in 1969, came to be used for remote control on large private networks and even on the public Internet. However, Telnet provides no encryption, and it lost ground to SSH; today it is no longer installed by default on Linux systems.
Previously, networks were confined to a single organization and devices stayed within a protected physical space, so it was not so risky to send sensitive data such as passwords in clear text, unlike today on the public Internet.
Unencrypted TCP packets can be intercepted and read easily, which makes clear-text protocols insecure.
In the 1980s, rlogin came into use for accessing remote systems with or without passwords. It handled terminal control characters better than Telnet, which needed them translated.
Even so, rlogin had its own weaknesses, described in a 1998 Carnegie Mellon report, rlogin(1): The Untold Story: it used plain-text communications and its host-based trust allowed identity spoofing.
Designed by Helsinki University of Technology researcher Tatu Ylönen, who would later found the cybersecurity company SSH Communications Security, the first version of SSH was released in 1995.
This version, now considered obsolete, showed several flaws over time and was replaced by SSH-2, which became an Internet Engineering Task Force (IETF) Standards Track specification in 2006.
Unlike SSH-1, SSH-2 uses a Diffie-Hellman key exchange and message authentication codes (MACs) for integrity checking, which provide stronger security.
Advanced Encryption Standard (AES) is the cipher most commonly used by SSH clients and servers today; Blowfish was common in the past but has been removed from the defaults of modern OpenSSH.
Although the first version was released as freeware, SSH Communications Security later commercialized the software, and the community continued with alternative forks.
The most well-known fork was OSSH, developed by the programmer Björn Grönvall, which the OpenBSD project took as the basis for OpenSSH.
OpenBSD is a secure and free BSD UNIX derivative, and its developers improved OSSH and shipped OpenSSH in OpenBSD 2.6 in 1999. It was subsequently adopted by all major Linux distributions and is used worldwide on POSIX-compatible operating systems.
The SSH-2 protocol itself has no known practical break, although information leaked in 2013 by Edward Snowden suggested that the National Security Agency (NSA) might be able to decrypt some SSH traffic. Implementations, however, have had vulnerabilities over the years, so keeping SSH software patched remains essential.
Some extra sshd settings provide more security, and all of them require reloading or restarting the sshd service to take effect. Check them out:
- Disabling password-based SSH authentication (PasswordAuthentication no) to stop brute-force password attempts;
- Disabling remote login of the root account (PermitRootLogin no), or allowing it only with keys (prohibit-password); administrators log in with a normal account and then switch to root with sudo or su;
- Allowing SSH only for specific users or groups (AllowUsers, AllowGroups), enabling and disabling access as needed;
- Changing the default SSH port from 22 to another number, which avoids much of the automated noise from bots looking for servers on port 22, though not targeted attackers.
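The settings above, together with the "Best Security Practices for SSH" list earlier in the article, all live in sshd_config, and the fastest way to verify them across a fleet is to audit the file rather than trust memory. The script below is an added example, not code from the article's author or from OpenSSH: it parses a sshd_config the way sshd reads it (first value for a keyword wins, directives after a Match line are conditional), fills in OpenSSH 7.0+ defaults for anything absent, and lists the deviations from the practices discussed. Both configurations are constructed for illustration; the banner path and group name are assumptions.

```python
"""Audit a sshd_config against the hardening advice in this article
(Protocol 2, no root login, key-only authentication, AllowUsers/AllowGroups,
a banner, non-default port). Added example; not code from the article's
author or from OpenSSH. Both configurations below are constructed."""
import re

# Values OpenSSH applies when a directive is absent (OpenSSH 7.0 or later).
DEFAULTS = {
    "protocol": "2",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "port": "22",
}


def parse_sshd_config(text: str) -> dict:
    """Return the global directives as {lowercase keyword: value}.

    Mirrors two sshd rules: the first value given for a keyword wins, and
    everything after a 'Match' line is conditional, so it is not global policy."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        settings.setdefault(keyword, value)
    return settings


def audit_sshd_config(text: str) -> list:
    """Return a list of findings; an empty list means the config passes."""
    s = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if s["protocol"] != "2":
        findings.append("Protocol: SSH-1 is enabled; use 'Protocol 2' (modern OpenSSH only speaks SSH-2)")
    if s["permitrootlogin"] not in ("no", "prohibit-password", "forced-commands-only"):
        findings.append("PermitRootLogin: root may log in with a password; set 'no' or 'prohibit-password'")
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication: passwords accepted; deploy keys and set 'no'")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication: key authentication disabled")
    if s["permitemptypasswords"] != "no":
        findings.append("PermitEmptyPasswords: empty passwords accepted")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("AllowUsers/AllowGroups: every local account may attempt SSH login")
    if "banner" not in s:
        findings.append("Banner: no access notice configured")
    if s["port"] == "22":
        findings.append("Port 22: default port; moving it only cuts scanner noise, so treat as low priority")
    return findings


# --- constructed sample configurations --------------------------------------
WEAK_CONFIG = """
Protocol 2,1
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
"""

HARDENED_CONFIG = """
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
AllowGroups ssh-users
Banner /etc/ssh/banner.txt   # legal notice shown before authentication

# Conditional settings come after Match and do not change the global policy.
Match User deploy
    ForceCommand /usr/local/bin/deploy-only
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['OK']}")
```

The audit reads the file, not the running daemon, so pair it with sshd -T on the host when you want the effective values (sshd -T resolves defaults and Match blocks for you). A finding on Port 22 is deliberately reported last and labelled low priority, matching the caveat above that changing the port reduces noise rather than risk.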
SSH became the standard remote access protocol more than ten years ago, and Internet connectivity has changed a lot since then. For low-latency connections, SSH remains extremely useful thanks to its speed and ease of use.
However, on high-latency links such as mobile networks, it is not the best choice, because every keystroke waits for a round trip. For that case, there is another option: Mosh, or Mobile Shell.
Mosh establishes the initial connection over SSH and then synchronizes the local and remote session state over UDP, which lets it survive roaming between networks and intermittent connectivity.
Mosh also handles UTF-8 properly and runs on POSIX-like operating systems, as well as inside Google Chrome.
About senhasegura
We, at senhasegura, are part of the MT4 Tecnologia group and aim to provide cybersecurity and digital sovereignty to our customers.
Today we work with institutions in 54 countries, acting against data theft and tracing actions on servers, databases, network devices, and endpoints in general.
This brings efficiency and productivity to organizations, since we prevent interruptions caused by credential expiration, in addition to ensuring compliance with audit criteria and standards such as PCI DSS, Sarbanes-Oxley, ISO 27001, and HIPAA.
The senhasegura PAM security platform offers centralized access management to protect and control the use of privileged credentials and service accounts, providing secure storage, access segregation, and full usage traceability.
Moreover, senhasegura allows companies to implement the most strict and complex controls on access to privileged credentials in an automated and centralized manner, protecting the IT infrastructure from data breaches and potential compliance breaches.
The Scan Discovery feature of senhasegura surveys the environment and enables the automated registration of devices and their respective credentials in the solution. The scan can be performed across the entire environment or applied to a specific network segment. It is also possible to define the search plugins to be used, as well as the device types, credentials, SSH keys, and authorized keys to be identified. Finally, specific time windows and traffic shaping can be configured for the scans to avoid causing a denial of service on the network.
The solution can also connect to network devices through their standard protocols and a pool of connectivity ports without installing a local agent, and a pool of credentials can be added for scanning.
Requests for remote sessions or password viewing can go through multilevel approval flows, with validation of the justification provided by the requesting user, and alerts via email or SMS. Approvers can respond by replying to the email or SMS, or through the link included in the message.
One of the main capabilities of senhasegura is the ability to record and store all remote sessions performed through its transparent proxies. Session video files have a high compression ratio, which reduces storage costs and improves performance when generating video files.
The Livestream function allows the Information Security department to track user activities and detect suspicious events in real time, including the ability to pause or close the user session quickly and simply.
An administrator can also regain control of or block a remote user session across a number of operating environments and systems. Interactions on Windows can be blocked based on Optical Character Recognition (OCR) of the screen content.
All text entries, in addition to logged actions, are indexed together with the session video timeline, so any command executed during a remote session can be searched for and found quickly.
By reading this article, you saw that:
- RDP and SSH are remote access protocols which, when properly configured, protect institutions from the risks associated with remote work;
- SSH was developed for Unix-like servers such as Linux, but can be used on other operating systems;
- It relies on a client/server model and, with key-based authentication, replaces traditional passwords with public and private keys;
- SSH is used to remotely access a hosting account and execute commands;
- SSH can protect an organization from IP source routing by malicious agents, DNS spoofing, router data manipulation, eavesdropping, and IP spoofing, provided the server's host key is verified;
- One of the best practices for SSH security is to use the 2nd version of the protocol;
- RDP is a very widespread protocol, for this reason, it is the target of frequent attacks;
- Like SSH, it is a tool used to access machines outside the physical environment of a company;
- Its advantages include: connection security, mobility, and value for money;
- SSH is more secure than RDP, but also technically more demanding;
- To avoid threats, RDP defaults must be configured through Group Policy and applied via Active Directory. It is also important to pay attention to vulnerabilities, clients, and licensing;
- One can hire a cloud directory service to provide more security to RDP and SSH.
Now that you have read our RDP and SSH overview, share this text with someone else interested in the subject.
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Senhasegura strives to ensure companies' sovereignty over privileged actions and information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases, and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001, and HIPAA.