Skip to main content
Packetlabs Company Logo
Blog

Importance of SSH Security

Authored By Packetlabs

|
Importance of SSH Security

GoDaddy, one of the world's largest domain registrars with more than 19 million customers and approximately 77 million managed domains, recently disclosed a GoDaddy data breach affecting users with web hosting accounts. Although the security incident took place on October 19, 2019, it was only discovered on April 23, 2020. Despite the significant gap between the event and discovery, this is not unusual and is a clear demonstration of the importance of SSH security.

One can read the initial email filed with the California Department of Justice that GoDaddy sent to notify its customers, which also forced a password reset on affected customers.

GoDaddy Data Breach Impact

According to the initial GoDaddy email, the remote access breach only impacted GoDaddy's hosting accounts. Upon further investigation in May 2020, compromised remote access credentials in GoDaddy's hosting environment may affect at least 28,000 customers. The GoDaddy CISO and VP of Engineering, Demetrius Comes, revealed that this incident was a result of suspicious activity on GoDaddy servers. Unauthorized individual(s) obtained access through the SSH service. On Linux systems, this is the predominant protocol administrators use to manage and perform administrative and maintenance-related tasks.

The lesson to be learned from this GoDaddy breach is perhaps best summed up by analysts from Venafi Inc., a privately held cybersecurity company.

The GoDaddy breach underlines just how important SSH security is.

Venafi Inc.

Security for remote access into a company's environment or critical servers is vital. The SSH security service used to remotely access critical servers for an enterprise is no exception. Clients often ask us whether changing the port the remote access protocol runs on would be sufficient. We explain that this information can easily be deduced by a variety of tools. Dedicated attackers can run port scans or review services that collect port scans over time (e.g., Shodan).

We've compiled a concise list to ensure access to your organization's servers is locked down:

  • Disable root login

  • Limit max authentication attempts

  • Block SSH brute force attacks automatically (SSHGuard, Fail2ban, or DenyHosts)

  • Keep SSH patched and updated

  • Disable empty passwords

  • Mandate the use of key over password authentication

  • Mandate the use of only SSHv2

  • Expose the SSH service only to the required users

  • Disable X11Forwarding

  • Implement multi-factor authentication

  • Disable weak key exchanges and ciphers

  • Perform a regular audit of the authorized_keys and SSH logs

This is not meant to be an exhaustive list, but rather the security minimums that network administrators and critical system owners should be aware of.

Being Proactive: Your Organization's SSH Security

In the wake of a never-ending stream of security incidents against public and private companies, you must increase efforts to protect your own organization. Another lesson from the GoDaddy breach is that the attackers were in GoDaddy's hosting environment and network for approximately six months. Developing a strong security program for your organization often involves a planned and deliberate patching strategy and process, thorough testing, and active monitoring of critical systems. This can help minimize the risk of a breach and spot attackers lurking in your network before it's too late.

How We Can Help

Here at Packetlabs, we specialize in penetration testing. Through the expert utilization of both internal penetration testing and external testing activities, we will perform thorough checks to determine what management access protocols are exposed, and how they can be leveraged by an adversary. This information can then be used to develop a comprehensive security strategy. Contact us today to learn more about SSH security or to engage in a productive discussion on how we can assist your organization's development of a proactive approach to cybersecurity.

Join our newsletter. Uncover exploitable weaknesses before attackers do. Book your discovery call with our team of Offensive Security experts. Contact Us

Q&A

Question: What happened in the GoDaddy data breach and who was affected?

Short answer: GoDaddy disclosed that attackers gained unauthorized access to its hosting environment via SSH on October 19, 2019, a breach that wasn’t discovered until April 23, 2020. The incident affected hosting accounts (not domain registrar accounts) and ultimately impacted at least 28,000 customers. GoDaddy notified affected users and forced password resets as part of its response.

Question: Why does this incident underscore the importance of SSH security?

Short answer: SSH is the primary protocol administrators use to manage Linux servers and perform maintenance. When attackers obtain SSH access, they can potentially control critical systems. The GoDaddy case shows that such access can remain undetected for months, which is why hardening SSH, limiting exposure, and actively monitoring for suspicious activity are vital.

Question: Is changing the default SSH port enough to secure remote access?

Short answer: No. Attackers can easily discover non-standard ports using port scans or by consulting scan-aggregation services like Shodan. Port changes may reduce noise but are not a security control. Organizations need layered defenses such as strong authentication, access restrictions, and monitoring to meaningfully reduce risk.

Question: What minimum SSH hardening steps should organizations implement?

Short answer: At a minimum, implement the following controls:

  • Disable root login

  • Limit maximum authentication attempts

  • Automatically block brute-force attempts (e.g., SSHGuard, Fail2ban, DenyHosts)

  • Keep SSH patched and updated

  • Disable empty passwords

  • Require keys over passwords

  • Allow only SSHv2

  • Expose SSH only to required users (and networks)

  • Disable X11Forwarding

  • Implement multi-factor authentication (MFA)

  • Disable weak key exchanges and ciphers

  • Regularly audit authorized_keys and SSH logs

Question: Beyond SSH configuration, what proactive steps reduce breach risk, and how can Packetlabs help?

Short answer: Build a strong security program with a deliberate patching and testing process and active monitoring of critical systems to detect intrusions early—GoDaddy’s attackers persisted for about six months before discovery. Packetlabs can help by conducting internal and external penetration testing to identify exposed management access, demonstrate how adversaries could leverage it, and provide guidance for a comprehensive security strategy.

Contact Us

Join our newsletter

Uncover exploitable weaknesses before attackers do.

Book your discovery call with our team of Offensive Security experts.

Packetlabs Company Logo
  • Toronto | HQ401 Bay Street, Suite 1600
    Toronto, Ontario, Canada
    M5H 2Y4
  • San Francisco | Outpost580 California Street, 12th floor
    San Francisco, CA, USA
    94104
  • Calgary | Outpost421 - 7th Ave SW, Suite 3000
    Calgary AB, Canada
    T2P 4K9
  • Australia | OutpostPacketlabs Pty Ltd.
    ABN 14 691 178 542
    Level 24, 1 O'Connell St
    Sydney NSW 2000
Cyber Right NowCREST LogoCREST AI Signatory AICPA SOC 2 LogoG2Clutch 2023 Certification Logo