Mitigating CVE-2024-6387: A Comprehensive Guide

Introduction

CVE-2024-6387 is a critical vulnerability in OpenSSH that impacts systems using the glibc library. This vulnerability allows remote code execution (RCE) as root for unauthenticated users by exploiting a flaw in the default configuration of OpenSSH, particularly related to the LoginGraceTime parameter. Immediate action is required to secure your systems. This article provides a step-by-step guide to mitigate this vulnerability and enhance your overall SSH security.

Steps to Mitigate CVE-2024-6387

1. Update OpenSSH and glibc

Ensure that you are running the latest versions of OpenSSH and the glibc library, as security patches may have been released to address this vulnerability.

Debian-based Systems

Open a terminal and run the following commands:

sudo apt update
sudo apt upgrade openssh-server libc6

RPM-based Systems

Open a terminal and run the following commands:

sudo yum update openssh-server glibc

Regularly check your distribution’s advisories for specific instructions and updates.

2. Modify SSH Configuration

After updating, you need to modify your SSH configuration to reduce the risk of exploitation.

Edit sshd_config

Locate and edit the OpenSSH server configuration file, typically found at /etc/ssh/sshd_config.

1. Reduce LoginGraceTime: Lower the LoginGraceTime parameter to minimize the window for potential exploitation. The default is usually set to 2 minutes; reducing it to 30 seconds is advisable.

   LoginGraceTime 30

2. Disable Root Login: If root login is not necessary, disable it to enhance security.

   PermitRootLogin no

3. Restrict User Access: Ensure that only necessary users have SSH access.

   AllowUsers specific_user

3. Implement Additional Security Measures

Further secure your SSH access by implementing these additional measures:

Key-based Authentication

Switch from password-based authentication to SSH key-based authentication:

PasswordAuthentication no
PubkeyAuthentication yes

Two-Factor Authentication

Enable two-factor authentication (2FA) for SSH access to add an extra layer of security.

Restrict IP Access

Use firewall rules to restrict SSH access to specific IP addresses or networks.

Using ufw on Ubuntu

sudo ufw allow from <trusted_ip> to any port 22

Using firewalld on CentOS/RHEL

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<trusted_ip>" port port=22 protocol=tcp accept'
sudo firewall-cmd --reload

4. Monitor and Audit

Regularly monitor and audit your SSH access to detect any unusual activities.

1. Monitor SSH Logs: Regularly check SSH logs for any unauthorized login attempts:

   sudo tail -f /var/log/auth.log

2. Implement Intrusion Detection Systems (IDS): Use IDS to detect and alert on suspicious activities.

5. Additional Hardening

Further harden your SSH server with the following measures:

Install and Configure fail2ban

fail2ban can automatically block IP addresses that show malicious signs.

sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

6. Stay Informed

Stay up-to-date with the latest security updates and advisories:

• OpenSSH Security Advisory: OpenSSH Security

• National Vulnerability Database (NVD): NVD

• Ubuntu Security Notices: USN

• Red Hat Security Data: Red Hat

Conclusion

By following these steps, you can mitigate the risks associated with CVE-2024-6387 and enhance the security of your SSH configuration. Regular updates, configuration changes, and additional security measures are crucial in protecting your systems from potential exploits. Stay vigilant and informed to ensure your infrastructure remains secure.