SSH - Knowledge Base Archives - Hivelocity Hosting
https://www.hivelocity.net/kb/tag/ssh/

Mitigating CVE-2024-6387: A Comprehensive Guide
https://www.hivelocity.net/kb/mitigating-cve-2024-6387-a-comprehensive-guide/
Wed, 03 Jul 2024 18:45:17 +0000

Introduction

CVE-2024-6387 is a critical vulnerability in OpenSSH that impacts systems using the glibc library. This vulnerability allows remote code execution (RCE) as root for unauthenticated users by exploiting a flaw in the default configuration of OpenSSH, particularly related to the LoginGraceTime parameter. Immediate action is required to secure your systems. This article provides a step-by-step guide to mitigate this vulnerability and enhance your overall SSH security.

Steps to Mitigate CVE-2024-6387

1. Update OpenSSH and glibc

Ensure that you are running the latest versions of OpenSSH and the glibc library, as security patches may have been released to address this vulnerability.

Debian-based Systems

Open a terminal and run the following commands:

sudo apt update
sudo apt upgrade openssh-server libc6

RPM-based Systems

Open a terminal and run the following commands:

sudo yum update openssh-server glibc

Regularly check your distribution’s advisories for specific instructions and updates.

2. Modify SSH Configuration

After updating, you need to modify your SSH configuration to reduce the risk of exploitation.

Edit sshd_config

Locate and edit the OpenSSH server configuration file, typically found at /etc/ssh/sshd_config.

  1. Reduce LoginGraceTime: Lower the LoginGraceTime parameter to minimize the window for potential exploitation. The default is usually set to 2 minutes; reducing it to 30 seconds is advisable.

    LoginGraceTime 30
  2. Disable Root Login: If root login is not necessary, disable it to enhance security.

    PermitRootLogin no
  3. Restrict User Access: Ensure that only necessary users have SSH access.

    AllowUsers specific_user

3. Implement Additional Security Measures

Further secure your SSH access by implementing these additional measures:

Key-based Authentication

Switch from password-based authentication to SSH key-based authentication:

PasswordAuthentication no
PubkeyAuthentication yes
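
The directives from steps 2 and 3 only help if sshd actually uses them: keywords are case-insensitive, the first occurrence of a keyword wins, and lines after a Match keyword are conditional. The shell audit below is an added example, not part of the original guide; the function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file against steps 2 and 3 of the guide.

# to_seconds VALUE: sshd time formats (30, 30s, 2m, 1m30s) -> seconds, -1 if malformed.
to_seconds() {
    printf '%s\n' "$1" | awk '{
        s = tolower($0); total = 0
        if (s == "") { print -1; exit }
        while (match(s, /^[0-9]+[smhdw]?/)) {
            tok = substr(s, 1, RLENGTH); s = substr(s, RLENGTH + 1)
            n = tok + 0; u = substr(tok, length(tok))
            if (u == "m") n *= 60
            else if (u == "h") n *= 3600
            else if (u == "d") n *= 86400
            else if (u == "w") n *= 604800
            total += n
        }
        print (s == "" ? total : -1)
    }'
}

# effective FILE KEYWORD: the global value sshd would use. The FIRST occurrence
# wins; scanning stops at "Match" because later lines are conditional overrides.
effective() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        {
            match($0, /^[^ \t=]+/); k = tolower(substr($0, 1, RLENGTH))
            if (k == "match") exit
            if (k == tolower(key)) {
                v = $0; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", v); print v; exit
            }
        }' "$1"
}

# check_eq FILE KEYWORD WANT DEFAULT: DEFAULT stands in when the keyword is absent.
check_eq() {
    val=$(effective "$1" "$2")
    eff=$(printf '%s' "${val:-$4}" | tr 'A-Z' 'a-z')
    if [ "$eff" = "$3" ]; then echo "PASS $2 $eff"; return 0; fi
    echo "FAIL $2 $eff (want $3)"; return 1
}

audit_sshd_config() {
    cfg=$1; findings=0
    grace=$(effective "$cfg" LoginGraceTime)
    secs=$(to_seconds "${grace:-120}")      # absent -> the 2-minute default
    if [ "$secs" -eq 0 ]; then
        echo "NOTE LoginGraceTime 0 (no time limit before authentication)"
    elif [ "$secs" -lt 0 ] || [ "$secs" -gt 30 ]; then
        echo "FAIL LoginGraceTime ${grace:-unset} (want 30 seconds or less)"; findings=$((findings + 1))
    else
        echo "PASS LoginGraceTime ${secs}s"
    fi
    check_eq "$cfg" PermitRootLogin no unset || findings=$((findings + 1))
    check_eq "$cfg" PasswordAuthentication no yes || findings=$((findings + 1))   # OpenSSH default: yes
    check_eq "$cfg" PubkeyAuthentication yes yes || findings=$((findings + 1))    # OpenSSH default: yes
    if [ -n "$(effective "$cfg" AllowUsers)" ]; then
        echo "PASS AllowUsers set"
    else
        echo "FAIL AllowUsers unset (no user allow-list)"; findings=$((findings + 1))
    fi
    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}

# Constructed sample files, not taken from any real host.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
WEAK="$tmp/weak"; HARD="$tmp/hardened"
cat > "$WEAK" <<'EOF'
LoginGraceTime 2m
PermitRootLogin yes
PasswordAuthentication yes
# appended later, but ignored: the first LoginGraceTime above wins
LoginGraceTime 30
Match User backup
    PasswordAuthentication no
EOF
cat > "$HARD" <<'EOF'
LoginGraceTime 30
PermitRootLogin no
AllowUsers specific_user
PasswordAuthentication no
PubkeyAuthentication yes
EOF
audit_sshd_config "$WEAK" || echo "-> weak sample needs changes"
audit_sshd_config "$HARD" && echo "-> hardened sample matches the guide"
```

On a live host, `sudo sshd -T` prints the effective configuration in the same keyword/value form; its output can be saved to a file and passed to audit_sshd_config.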

Two-Factor Authentication

Enable two-factor authentication (2FA) for SSH access to add an extra layer of security.

Restrict IP Access

Use firewall rules to restrict SSH access to specific IP addresses or networks.

Using ufw on Ubuntu

sudo ufw allow from <trusted_ip> to any port 22

Using firewalld on CentOS/RHEL

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<trusted_ip>" port port=22 protocol=tcp accept'
sudo firewall-cmd --reload

4. Monitor and Audit

Regularly monitor and audit your SSH access to detect any unusual activities.

  1. Monitor SSH Logs: Regularly check SSH logs for any unauthorized login attempts:

    sudo tail -f /var/log/auth.log
  2. Implement Intrusion Detection Systems (IDS): Use IDS to detect and alert on suspicious activities.
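
sshd logs "Timeout before authentication" each time a connection reaches LoginGraceTime without authenticating, so a burst of those lines from one address deserves the same attention as repeated failed passwords. The script below is an added example, not part of the original guide; the function name, the threshold and the log lines are constructed, and the addresses come from documentation ranges.

```shell
#!/bin/sh
# Added example: summarise noisy SSH sources from auth.log-style input.

# suspicious_sources FILE MIN: print every source IP with at least MIN
# grace-time timeouts or at least MIN failed passwords, sorted by address.
suspicious_sources() {
    awk -v min="$2" '
        # In both message types the source address is the field before "port".
        function src(   i, ip) {
            for (i = 1; i < NF; i++) if ($(i + 1) == "port") ip = $i
            return ip
        }
        !/sshd\[[0-9]+\]:/ { next }          # ignore non-sshd entries
        /Timeout before authentication for/ {
            ip = src(); if (ip != "") { t[ip]++; seen[ip] = 1 }
        }
        /Failed password for/ {
            ip = src(); if (ip != "") { f[ip]++; seen[ip] = 1 }
        }
        END {
            for (ip in seen)
                if (t[ip] + 0 >= min + 0 || f[ip] + 0 >= min + 0)
                    printf "%s timeouts=%d failed=%d\n", ip, t[ip], f[ip]
        }' "$1" | sort
}

# Constructed sample log, not taken from any real host.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
SAMPLE_LOG="$tmp/auth.log"
cat > "$SAMPLE_LOG" <<'EOF'
Jul  3 18:40:01 web1 sshd[2101]: fatal: Timeout before authentication for 198.51.100.23 port 40112
Jul  3 18:40:01 web1 sshd[2102]: fatal: Timeout before authentication for 198.51.100.23 port 40114
Jul  3 18:40:31 web1 sshd[2107]: fatal: Timeout before authentication for 198.51.100.23 port 40150
Jul  3 18:40:31 web1 sshd[2108]: fatal: Timeout before authentication for 198.51.100.23 port 40152
Jul  3 18:41:02 web1 sshd[2110]: Failed password for root from 203.0.113.7 port 51510 ssh2
Jul  3 18:41:04 web1 sshd[2110]: Failed password for root from 203.0.113.7 port 51510 ssh2
Jul  3 18:41:09 web1 sshd[2113]: Failed password for invalid user admin from 203.0.113.7 port 51514 ssh2
Jul  3 18:42:15 web1 sshd[2120]: Failed password for deploy from 192.0.2.10 port 60022 ssh2
Jul  3 18:42:21 web1 sshd[2121]: Accepted publickey for deploy from 192.0.2.10 port 60024 ssh2
Jul  3 18:43:00 web1 CRON[2130]: pam_unix(cron:session): session opened for user root
EOF
suspicious_sources "$SAMPLE_LOG" 3
```

On RPM-based systems the same messages are written to /var/log/secure rather than /var/log/auth.log.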

5. Additional Hardening

Further harden your SSH server with the following measures:

Install and Configure fail2ban

fail2ban can automatically block IP addresses that show malicious signs.

sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

6. Stay Informed

Stay up-to-date with the latest security updates and advisories:

  • OpenSSH Security Advisory: OpenSSH Security

  • National Vulnerability Database (NVD): NVD

  • Ubuntu Security Notices: USN

  • Red Hat Security Data: Red Hat

Conclusion

By following these steps, you can mitigate the risks associated with CVE-2024-6387 and enhance the security of your SSH configuration. Regular updates, configuration changes, and additional security measures are crucial in protecting your systems from potential exploits. Stay vigilant and informed to ensure your infrastructure remains secure.

Windows SSH Mount How To
https://www.hivelocity.net/kb/windows-ssh-mount/
Wed, 19 Mar 2014 13:27:37 +0000

Sshmount in Windows for your Cloud Storage needs.

First, log in to https://my.hivelocity.net and go to Services & Hardware, then click the Cloud Storage button at the top. Once you are on the Cloud Storage page you will see Login Details.

You will need your Login Details to mount your Cloud Storage in Windows.

  1. Install .NET 2 – 3.5. In Windows 2012 it is a feature, .NET 3.5.
  2. Download and install the Microsoft Visual C++ 2005 SP1 Redistributable Package from here: https://www.microsoft.com/downloads/details.aspx?familyid=200B2FD9-AE1A-4A14-984D-389C36F85647
  3. Download and install Dokan from here: https://dokan-dev.net/wp-content/uploads/DokanInstall_0.6.0.exe. On Windows 2012, right-click the exe file and set it to Windows 7 Compatibility; I could not get it to install without doing this.
  4. Download and extract dokan-sshfs to your C: drive, then run DokanSSHFS.
  5. Configure DokanSSHFS:

Host: cloudstorage1.hivelocity.net or cloudstorage2.hivelocity.net

User: Cloud Storage login name

Password: Cloud Storage password

Drive: Select the drive letter you want in Windows.

Now you are done and you can use your cloud storage in Windows like a normal drive letter.

How to secure your SSH?
https://www.hivelocity.net/kb/how-to-secure-your-ssh/
Tue, 29 Jan 2013 14:38:23 +0000

To secure the server, disable direct root login. This is done in the sshd_config file.

Protocol 2, which is more secure, needs to be used here.

Follow these steps:

1) vi /etc/ssh/sshd_config
2) Change Protocol 2,1 to Protocol 2
4) Change PermitRootLogin yes to PermitRootLogin no
5) Restart SSHD: /etc/rc.d/init.d/sshd restart

How to Enable SSH for Dedicated Server on Linux ?
https://www.hivelocity.net/kb/how-to-enable-ssh-for-dedicated-server-on-linux/
Tue, 29 Jan 2013 14:25:33 +0000

Follow these steps:

a. Generate an SSH key pair for your connection.

b. You can do so using the ssh-keygen command, run from the command prompt. You will be asked for a file in which to save the key and for a passphrase for the key. Below is an example:

user@localhost: ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_dsa.
Your public key has been saved in id_dsa.pub.
The key fingerprint is:
16:8e:e8:f2:1d:c9:b9:cf:43:9a:b3:3c:c1:1f:95:93 user@localhost

This will create a private key saved/stored to /home/user/.ssh/id_dsa and a public key saved to /home/user/.ssh/id_dsa.pub. The passphrase is used to protect your key. You will be asked for it when you connect via SSH.

The initial IP address is already added to the server firewall. If you want to use another IP address for SSH and WHM access, you should request that it be added to the firewall.

c. Once you have generated your public and private SSH keys, you should add the public key through your WHM. To do that, log in to your WHM admin panel and go to Manage SSH Keys, located in the Security section. Click the Import Key button. Type in a name and a password for the key and paste your public key in the corresponding field. Do not paste your private key here. Click Import to import your key.

You can now ssh to your Dedicated Server.

d. You should load your private SSH key using the following command:

user@localhost: ssh-add /home/user/.ssh/id_dsa
Enter passphrase for id_dsa:
Identity added: id_dsa (id_dsa)

(The passphrase is the one you set when generating the SSH key.)

Once you have entered the passphrase you can initiate an SSH connection:

user@localhost: ssh <USER>@<HOSTNAME> -p<PORT>

<USER> – root – the user for which you want to establish the SSH connection. Since your account is hosted on a dedicated server, you can log in using the “root” account.

<HOSTNAME> (or IP address) – here you should enter the hostname/IP of the Dedicated Server.

<PORT> – the port for the connection.

Press “Enter” and, if everything is correct, you will establish an SSH connection to your account.

How to Backup and Restore cPanel Accounts via SSH
https://www.hivelocity.net/kb/how-to-backup-and-restore-cpanel-accounts-via-ssh/
Wed, 23 May 2012 14:44:15 +0000

Creating a cPanel Backup via SSH

To create a backup of your individual cPanel account using SSH, just follow these steps:

  1. First, log in to SSH as the Root user.
  2. Next, enter the following command string on the command line interface:

    /scripts/pkgacct username

  3. A backup of your account will be created and stored in the directory you are currently in.

Restoring a cPanel Backup via SSH

To restore a previously created backup of your cPanel account, just follow these steps:

  1. First, if you haven’t already, log in to SSH as the Root user.
  2. Navigate to the directory containing your backup file. *Note: In order to restore your data, you must be in the correct directory.
  3. Next, to restore your cPanel backup, enter the following command into the command line:

    /scripts/restorepkg username

And there you have it!

Disable root Logins via ssh on Redhat
https://www.hivelocity.net/kb/disable-root-logins-via-ssh-on-redhat/
Sat, 13 Nov 2010 08:27:33 +0000

Before you disable root logins you should add an administrative user that can ssh into the server and become root with su.

  1. First, you will need to add the user. In the following example we will use the user name “admin”. The command adduser will automatically create the user, initial group, and home directory. We will then specify that we want to add admin to the “wheel” group. For this example, use the following command:

    sudo adduser admin && sudo usermod -aG wheel admin

    To review the group parameters for the user:

    id admin

    To view the content of the /home directory made for the user you’ve just created:

    ls -lad /home/admin/

  2. Now that the user “admin” has been created, we need to set their password using the passwd command. When prompted, type and then retype the password.

    sudo passwd admin

  3. Next, ssh to the server with the new admin user and ensure that the login works. Replace <HOSTNAME> with your server’s hostname or IP address.

    ssh admin@<HOSTNAME>

  4. Now, verify that you can su (switch user) to root with the admin user.

    sudo su

    And to confirm that you are now working as the root user, use the following command:

    whoami

  5. Edit /etc/ssh/sshd_config with your favorite text editor and change “PermitRootLogin yes” to “PermitRootLogin no”.

    nano /etc/ssh/sshd_config

  6. Finally, restart the service with either:

    systemctl restart sshd

    or

    service sshd restart

Why Use OpenSSH?
https://www.hivelocity.net/kb/why-use-openssh/
Sat, 13 Nov 2010 07:58:18 +0000

If you use OpenSSH tools, you are enhancing the security of your machine. All communications using OpenSSH tools, including passwords, are encrypted. Telnet and ftp use plain text passwords and send all information unencrypted. The information can be intercepted, the passwords can be retrieved, and your system could be compromised by an unauthorized person logging in to your system using one of the intercepted passwords. The OpenSSH set of utilities should be used whenever possible to avoid these security problems.

What is OpenSSH?
https://www.hivelocity.net/kb/what-is-openssh/
Sat, 13 Nov 2010 07:57:24 +0000

OpenSSH is a free, open source implementation of the SSH (Secure Shell) protocols. It replaces telnet, ftp, rlogin, rsh, and rcp with secure, encrypted network connectivity tools. OpenSSH supports versions 1.3, 1.5, and 2 of the SSH protocol. Since OpenSSH version 2.9, the default protocol is version 2, which uses RSA keys as the default.

It is strongly recommended to use OpenSSH to log in to the system remotely.

How can I secure / increase the security of SSH?
https://www.hivelocity.net/kb/how-can-i-secure-increase-the-security-of-ssh/
Sat, 13 Nov 2010 06:03:07 +0000

There are a few adjustments that can and should be made to the default SSHD configuration to increase security. Traditionally, this has been especially true of RedHat-based systems, which included weak default configurations. The main point of interest is the /etc/ssh/sshd_config file. For changes made in this file to take effect, SSHD will need to be restarted or sent a SIGHUP. On Linux systems that use SysV init scripts, this can be done with:

# /etc/init.d/ssh restart

or:

# /etc/init.d/sshd restart

On FreeBSD systems there is often an init script located in /etc/rc.d:

# /etc/rc.d/sshd restart

In any case, you can just send the master sshd process a SIGHUP, using the PID it records in /var/run/sshd.pid by default:

# kill -s HUP "$(cat /var/run/sshd.pid)"

As far as the settings concerning security, the first to look at is the port which SSHD listens on. There is a lot of debate on this matter, but often it is recommended to change the default port away from 22 to a random unprivileged port, the higher the better. While a simple port scan will still find SSHD running on a server, moving the default port will sidestep many automated probes and brute-force attempts. To change this, find the following line:

Port 22

And simply change the 22 as previously mentioned. You can limit the address which sshd listens on with the “ListenAddress” directive. Typically this is commented out by default; if you have several IPs available to you, you could tell it to only listen on one which is being used for nothing else, or you could set it to only listen on an IPv6 address:

ListenAddress xx.xx.xx.xx

Next is the “Protocol” directive, which tells SSHD what protocol to allow. Protocol 1 is deprecated and known for its many security issues, so this should be limited to protocol 2:

Protocol 2

The “HostKey” settings typically include both RSA and DSA keys for protocol 2, and may also include an RSA key for protocol 1. DSA keys are currently considered more secure, so by removing the protocol 2 RSA setting you force the daemon to use the DSA key.

The “PermitRootLogin” directive is another which should be set to “no”. This means you will have to ssh in as a regular user, then use the “su -” command to become root. It also means no one else can ssh into your server as root:

PermitRootLogin no

It is also highly desirable to set up key-based authentication. With PKI, a three-way challenge-response handshake is used, and if you also specify a passphrase during key creation, this complicates matters even more. Full details on setting this up can be found in the ssh-keygen manpage:

$ man ssh-keygen

Of course, if you’re connecting from a Windows machine, the setup may be rather more complex. You’ll want to consult the documentation provided with the SSH client which you’re using to connect.

Another setting of interest is “PasswordAuthentication”. With PKI set up and this set to “yes”, logging in via the standard password is still permitted for those who do not have a key infrastructure in place. Setting this to “no” forces PKI. While PKI is not the only option for replacing plaintext passwords, it is a good, strong method. There are also Kerberos and GSSAPI, and PAM can be added as another mechanism. For more information, consult the sshd_config manpage:

$ man sshd_config

How Can I Change the Port SSH Listens On?
https://www.hivelocity.net/kb/how-can-i-change-the-port-ssh-listens-on/
Tue, 09 Nov 2010 13:13:59 +0000

To change which port ssh listens on, you just need to edit the sshd_config file. The default directory for ssh configuration is /etc/ssh.

  1. First, backup the current configuration and use your favorite editor to change the Port line:

    root@root [~]# cd /etc/ssh/
    root@root [/etc/ssh]# cp sshd_config sshd_config.save
    root@root [/etc/ssh]# vi sshd_config

  2. Now, locate the following line:

    #Port 22

  3. For this example, we’ll set it to port 4000, by replacing “Port 22” with “Port 4000”. *Note: Do not forget to remove the comment (#).

    Port 4000

    root@root [/etc/ssh]# diff sshd_config sshd_config.save
    13c13
    < Port 4000

    > #Port 22
    root@root [/etc/ssh]#

  4. Lastly, restart sshd and verify that it is now listening on the new port.

    root@root [/etc/ssh]# /etc/init.d/sshd restart
    Stopping sshd: [ OK ]
    Starting sshd: [ OK ]
    root@root [/etc/ssh]# netstat -anp | grep sshd
    tcp 0 0 0.0.0.0:4000 0.0.0.0:* LISTEN 1605/sshd

And there you have it! You can set the port number to whichever port you prefer, but keep in mind that port numbers between 0 and 1,023 are reserved for existing system services. For this reason, you’re typically better off choosing a number above Port 1023.

Can I Limit the IP(s) that sshd Listens On?
https://www.hivelocity.net/kb/can-i-limit-the-ips-that-sshd-listens-on/
Tue, 09 Nov 2010 12:59:21 +0000

To limit the IP addresses which sshd listens on, you just need to modify its settings within the sshd_config file. Follow these 4 easy steps:

  1. First, backup the sshd_config file, then edit it with your favorite editor.
  2. Now, to limit the IPs sshd listens on, you need to change the ListenAddress configuration line:

    root@root [~]# cd /etc/ssh/
    root@root [/etc/ssh]# cp sshd_config sshd_config.save
    root@root [/etc/ssh]# vi sshd_config
    root@root [/etc/ssh]# diff sshd_config sshd_config.save
    15c15
    < ListenAddress 10.0.0.1

    > #ListenAddress 0.0.0.0

  3. Next, restart sshd and verify that it’s listening on the specified address:

    root@root [/etc/ssh]# /etc/init.d/sshd restart
    Stopping sshd: [ OK ]
    Starting sshd: [ OK ]
    root@root [/etc/ssh]# netstat -anp | grep sshd
    tcp 0 0 10.0.0.1:22 0.0.0.0:* LISTEN 1718/sshd

  4. If you want sshd to listen on more than one address, then add additional ListenAddress lines to the configuration file:

    root@root [/etc/ssh]# diff sshd_config sshd_config.save
    15,16c15
    < ListenAddress 10.0.0.1
    < ListenAddress 10.0.0.2

    > #ListenAddress 0.0.0.0

    root@root [/etc/ssh]# /etc/init.d/sshd restart
    Stopping sshd: [ OK ]
    Starting sshd: [ OK ]
    root@root [/etc/ssh]# netstat -anp | grep sshd
    tcp 0 0 10.0.0.1:22 0.0.0.0:* LISTEN 1884/sshd
    tcp 0 0 10.0.0.2:22 0.0.0.0:* LISTEN 1884/sshd

And there you have it!