GoDaddy, reputably, one of the world’s largest domain registrar with upwards of more than 19 million customers and approximately 77 million managed domains recently disclosed a data breach that affects users with web hosting accounts. Although the security incident took place on October 19, 2019, it was only discovered on April 23, 2020! Despite the significant gap between the event and discovery, this is not at all unusual and a clear demonstration of the importance of SSH security. One can read the initial email filed with the California Department of Justice that GoDaddy had to send to notify its customers and forced a password reset on affected customers.
GoDaddy Breach Impact
According to the initial GoDaddy email, the breach only impacted GoDaddy’s hosting accounts. Upon further investigation in May 2020, compromised remote access credentials in GoDaddy’s hosting environment may affect at least 28,000 customers. The GoDaddy CISO and VP of Engineering, Demetrius Comes reveals that this breach was a result of suspicious activity on GoDaddy servers. Unauthorized individual(s) obtained access through the SSH service. On Linux systems, this is the predominant protocol administrators used to manage and perform administrative and maintenance related tasks.
The lesson to be learned from this breach is perhaps best summed up by analysts from Venafi Inc., a privately held cybersecurity company.
The GoDaddy breach underlines just how important SSH security is.Venafi Inc.
The Importance of SSH Security
Security, in regards to remote access into a company’s environment or a company’s critical servers, is vital. The SSH security service used to remotely access critical servers for an enterprise is no exception here. Clients often ask us whether or not making a change to the port the remote access protocol runs on would be sufficient. We explain that this information can easily be deduced by a variety of tools. Dedicated attackers can run port scans or review services that collect port scans overtime (e.g. Shodan).
We’ve compiled a concise list to ensure access to your organization’s servers are locked down:
- Disable root login
- Limit max authentication attempts
- Block SSH brute force attacks automatically (SSHGuard, Fail2ban, or DenyHosts)
- Keep SSH patched and updated
- Disable empty passwords
- Mandate the use of key over password authentication
- Mandate the use of only SSHv2
- Expose the SSH service only the required users
- Disable X11Forwarding
- Implement multi-factor authentication
- Disable weak key exchanges and ciphers
- Perform a regular audit of the authorized_keys and SSH logs
This is not meant to be an exhaustive list, but rather the security minimums that network administrators and critical system owners should be aware of.
Being Proactive: Your Organizations SSH Security
In the wake of a never-ending stream of security incidents against public and private companies, the efforts needed to protect your own organization. Another lesson from the GoDaddy breach is that the attackers were in GoDaddy’s hosting environment and network for approximately 6 months. Developing a strong security program for your organization often involves a planned and deliberate patching strategy and process, thorough testing, and active monitoring of critical systems. This can help minimize the risk of a breach, and spot attackers lurking in your network before it’s too late.
How We Can Help
Here at Packetlabs, we specialize in penetration testing. Through the expert utilization of both internal penetration testing and external testing activities, we will perform thorough checks to determine what management access protocols are exposed, and how they can be leveraged by an adversary. This information can then be used to develop a comprehensive security strategy. Contact us today to learn more about SSH security or to engage in a productive discussion on how we can assist your organizations development of a proactive approach to cybersecurity.