SSH Authorized Keys

SSH Authorized Keys Analysis in Incident Response (Linux Systems)

SSH key-based authentication offers enhanced security, but attackers often exploit this mechanism to maintain unauthorized access. Understanding how to analyze and secure authorized_keys files is critical during incident response.

1. SSH Key-Based Authentication Overview

  • Public Key: Stored on the server in the ~/.ssh/authorized_keys file.

  • Private Key: Kept on the user's local machine.

  • Purpose: Enables secure, password-less login.

Attack Vector: An attacker who gains access to a user’s account may add their public key to the authorized_keys file, granting persistent access without triggering password authentication.

2. Locating authorized_keys Files

To locate all authorized_keys files on the system:

find / -name 'authorized_keys' 2>/dev/null

This will search all directories and output the paths of any authorized_keys files.

3. Analyzing authorized_keys Files

Inspect the contents of each authorized_keys file to identify suspicious keys:

cat /home/username/.ssh/authorized_keys

Indicators of Compromise:

  • Unknown Keys: Keys that do not belong to legitimate users.

  • Multiple Keys: Excessive or unexplained keys for a single user.

  • Recent Additions: Keys added recently during the suspected compromise timeframe.

  • Unusual Key Comment Fields: Key comments that don't follow the organization's naming conventions or contain unexpected metadata.

4. Cross-Checking Key Additions with Logs

Correlate key additions with system logs to identify unauthorized access:

Syslog:

Look for SSH session activity or configuration changes:

grep sshd /var/log/syslog

Auth Log:

Focus on authentication and session details:

grep sshd /var/log/auth.log

Key indicators:

  • Sudden login activities from unusual IPs.

  • Suspicious user login patterns.

5. Identifying SSH-Accessible Users

Examine the SSH configuration to determine which users can log in via SSH:

cat /etc/ssh/sshd_config

Focus on the following directives:

  • AllowUsers: Lists specific users allowed SSH access.

  • AllowGroups: Lists specific groups allowed SSH access.

  • PermitRootLogin: Check if root access is allowed.

6. Eradication Steps

1. Remove Unauthorized Keys

Manually edit the authorized_keys file to remove suspicious entries:

nano /home/username/.ssh/authorized_keys

Save and close the file after removing unauthorized keys.

2. Temporarily Disable SSH Access (If Necessary)

To prevent attackers from accessing the system during remediation, temporarily disable SSH:

sudo systemctl stop ssh

Re-enable SSH once the system is secured:

sudo systemctl start ssh

3. Regenerate SSH Keys for Legitimate Users

For increased security, require legitimate users to regenerate their SSH key pairs:

Remove old keys:

rm ~/.ssh/id_rsa ~/.ssh/id_rsa.pub

Generate new keys:

ssh-keygen -t rsa -b 4096

Distribute the new public key to necessary servers securely.

7. Post-Incident Actions

1. Harden SSH Configuration

Modify /etc/ssh/sshd_config to improve security:

  • Disable password authentication:

    PasswordAuthentication no

  • Limit user access:

    AllowUsers user1 user2

  • Disable root login:

    PermitRootLogin no

2. Monitor SSH Activity

Set up log monitoring to detect unauthorized SSH activities:

tail -f /var/log/auth.log | grep sshd

3. Implement Multi-Factor Authentication (MFA)

Add an additional layer of security by enabling MFA for SSH using tools like Google Authenticator or Duo.

Key Points

SSH authorized_keys analysis is a crucial step in detecting and eradicating unauthorized access. By systematically reviewing these files, correlating activity with logs, and implementing robust security measures, incident responders can neutralize threats and secure the system against future compromises.

PreviousCron JobNextBash_rc & Bash_profile

Last updated