Applies To
RSA Product Set: NetWitness Platform
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 188.8.131.52, 11.3.x
Issue
Vulnerability ID: Q38726
Required CVSS Base Score: 5
Required CVE ID: CVE-2018-15473
Required CVE Link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15473
Required Vulnerability Name: OpenSSH Username Enumeration Vulnerability
Required Vulnerability Description: OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol. A username enumeration vulnerability exists in OpenSSH that a remote attacker could leverage to enumerate valid users on a targeted system. The attacker could try to enumerate users by transmitting malicious packets. Due to the vulnerability, if a username does not exist, the server sends an SSH2_MSG_USERAUTH_FAILURE message to the attacker. If the username exists, the server sends an SSH2_MSG_SERVICE_ACCEPT before calling fatal() and closing the connection.
The mitigation recommended by Red Hat for CVE-2018-15473 is as follows:
Configuring your firewall to limit the origin and/or rate of incoming ssh connections will limit the impact of this attack, as it requires a new TCP connection for each username tested. This configuration also provides some protection against brute-force attacks on SSH passwords or keys.
Below is the firewall rule used to block an SSH brute-force attack. It limits the number of connections a source can open by rate-limiting new requests to SSH.
Implementation Steps:
Step 1: SSH to the service.
Step 2: Run the command below to insert the iptables rules. This rule will block an IP address if it attempts more than 4 connections per minute to SSH.
The "--hitcount 4" and "--seconds 60" values can be adjusted as required.
Step 3: Save the iptables rules by running the command below.
Step 4: Restart the iptables service by running the command below.
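The rate-limiting rules that steps 2 to 4 describe, written out as an added example (shell of my own, not the commands from the RSA article). It assumes IPv4 iptables with the xt_recent module, sshd listening on TCP port 22, and the iptables-services package (for "service iptables save") on a CentOS/RHEL 7 host:

```shell
#!/bin/sh
# Added example, not from the RSA KB article: build, apply and check iptables
# rules that rate-limit new SSH connections with the "recent" match.
# Assumptions: IPv4 iptables with xt_recent, sshd on TCP/22, and the
# iptables-services package on a CentOS/RHEL 7 host.

# Print the two rules in chain order without executing them.
# Rule 1 (top of INPUT): if the source address already has HITS new
# connections recorded within SECS seconds, refresh its entry and DROP.
# Rule 2: record every new connection from the source in the "SSH" list.
# With 4/60 this blocks the 5th and later attempts, i.e. "more than 4 per
# minute"; because --update refreshes the timestamp, a host that keeps
# retrying stays blocked until it stays quiet for SECS seconds.
ssh_ratelimit_rules() {
  port="$1" hits="$2" secs="$3"
  printf '%s\n' \
    "iptables -I INPUT 1 -p tcp --dport $port -m conntrack --ctstate NEW -m recent --update --seconds $secs --hitcount $hits --name SSH --rsource -j DROP" \
    "iptables -I INPUT 2 -p tcp --dport $port -m conntrack --ctstate NEW -m recent --set --name SSH --rsource"
}

# Apply the rules (needs root), persist them and restart the service,
# mirroring steps 2-4 of the article.
ssh_ratelimit_apply() {
  ssh_ratelimit_rules "$@" | while read -r rule; do
    eval "$rule"
  done
  service iptables save
  systemctl restart iptables
}

# Show the active rate-limit rules and the addresses currently tracked.
ssh_ratelimit_status() {
  iptables -S INPUT | grep -- '--name SSH'
  cat /proc/net/xt_recent/SSH 2>/dev/null || echo "no addresses tracked yet"
}

# Usage (as root): ssh_ratelimit_apply 22 4 60; ssh_ratelimit_status
```

Run ssh_ratelimit_rules first to review the exact commands before applying them, and make sure your own management address is not caught by the limit (for example, by inserting an ACCEPT rule for it above these two).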