Example of a Brute Force SSH Attack:

The firewall detected an attempt to probe an external-facing web server for phpMyAdmin vulnerabilities. The scanner, known as ZmEu, has been around since 2012. That is typical of attacks: most rely on old, well-known tooling rather than zero-days.

A brute force SSH attack attempts to guess a password and thereby gain access to the underlying OS. This vulnerability has been known since November 2013; it exploits a weakness in OpenSSH 6.2 and 6.3 when built against an OpenSSL that supports AES-GCM, as described here.

Verify that OpenSSH on the target machine is up to date. Schedule vulnerability scans and examine their results periodically. Ensure that patching is conducted deliberately rather than ad hoc.
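The two checks above (spotting the brute force attempt and confirming the OpenSSH version) can be scripted. The following is an added example, not code from the original post: it parses constructed sshd "Failed password" log lines, flags any source address that exceeds a failure threshold inside a sliding time window, and inspects an SSH identification banner for the 6.2/6.3 versions the post names. The year passed to the parser, the threshold, the window size and the sample log lines are all assumptions; the banner check cannot see which OpenSSL the server was built against, so it is a triage hint for the scan follow-up, not proof of exposure.

```python
import re
from datetime import datetime

# Constructed sample sshd log lines (syslog format); not taken from the original post.
SAMPLE_LOG = """\
Nov 12 03:14:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Nov 12 03:14:03 web01 sshd[2103]: Failed password for root from 203.0.113.7 port 51030 ssh2
Nov 12 03:14:04 web01 sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51041 ssh2
Nov 12 03:14:06 web01 sshd[2107]: Failed password for root from 203.0.113.7 port 51055 ssh2
Nov 12 03:14:09 web01 sshd[2109]: Failed password for invalid user test from 203.0.113.7 port 51060 ssh2
Nov 12 03:14:10 web01 sshd[2111]: Failed password for invalid user guest from 203.0.113.7 port 51071 ssh2
Nov 12 03:20:44 web01 sshd[2150]: Failed password for alice from 198.51.100.23 port 40110 ssh2
Nov 12 03:20:51 web01 sshd[2152]: Accepted publickey for alice from 198.51.100.23 port 40112 ssh2
Nov 12 03:45:00 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 52000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(log_text, year=2013):
    """Return (timestamp, user, source_ip) for every failed password attempt.

    syslog lines carry no year, so the caller supplies one (2013 is assumed here).
    Accepted logins and unrelated lines are skipped.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def find_brute_force_sources(events, threshold=5, window_seconds=60):
    """Return {source_ip: peak_failures} for every source whose failures in any
    window_seconds-long window reach the threshold (both values are assumptions)."""
    by_ip = {}
    for ts, _user, ip in events:
        by_ip.setdefault(ip, []).append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            # slide the window start forward until it fits inside window_seconds
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# The OpenSSH versions the post names as affected.
VULNERABLE_OPENSSH = {(6, 2), (6, 3)}


def openssh_version(banner):
    """Extract (major, minor) from an SSH identification banner, or None if it is not OpenSSH."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_affected_openssh(banner):
    """True if the banner advertises OpenSSH 6.2 or 6.3. The post's condition also
    requires an OpenSSL with AES-GCM support, which a banner cannot show, so treat a
    True result as 'review this host', not as confirmed exposure."""
    return openssh_version(banner) in VULNERABLE_OPENSSH


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_LOG)
    for ip, peak in find_brute_force_sources(events).items():
        print(f"possible SSH brute force from {ip}: {peak} failures within 60 s")
    for banner in ("SSH-2.0-OpenSSH_6.2p2 Debian-6", "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2"):
        print(banner, "-> review" if is_affected_openssh(banner) else "-> ok")
```

On the constructed input only 203.0.113.7 is flagged (six failures in nine seconds); the single failure from 198.51.100.23 followed by a successful key login is the kind of ordinary mistyped-password event a threshold is there to ignore. Feeding the real auth log and the banner returned by the server into the same functions gives a quick first pass before the scheduled vulnerability scan results arrive.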

Upon closer examination, the conventional wisdom that SSDs must never be defragmented turns out to be out of date and inaccurate, even for consumer machines running Windows 8 or servers running local SSDs under Server 2008 R2 or higher. As noted here, “Windows does sometimes defragment SSDs, yes, it’s important to intelligently and appropriately defrag SSDs, and yes, Windows is smart about how it treats your SSD.” Thus it’s fine for the defrag command to be scheduled for local disks, including SSDs. However, in a SAN array the defrag function is typically handled at the array level, not by the individual machines connecting to the SAN. In that case, the automatically scheduled defrag on each server running against SAN-mounted disks is unnecessary, and harmful for SSDs.

Mitigate: Change the default settings in 2008 R2 or 2012 R2 so that the scheduled defrag does not run against SAN-mounted volumes. It’s fine to defrag local SSDs, as Windows is smart about it.

 
