Skip to content

SSH Private Key

Service Name: SSH (Secure Shell)

Service Description: SSH (Secure Shell) is a cryptographic network protocol used for secure communication over an unsecured network. It provides a secure channel over an unsecured network by using public-key cryptography to authenticate the remote computer and allow it to authenticate the user.

Service Address: N/A (SSH is a protocol, not a specific service with a single address)

Validation Type: NHI Enriched

IP Allow list: IP restrictions can be configured at the server level through SSH configuration files (e.g., /etc/ssh/sshd_config) using AllowUsers, AllowGroups, or TCP wrappers.

Secret Access Scope: Grants access to remote systems and servers that have the corresponding public key configured for authentication.

Secret Revokement URL: Does not exist (revocation is done by removing the public key from authorized_keys file on target systems)

Secret Example:

Suspicious Activity Investigation Instructions:

  • Check system logs for unauthorized SSH login attempts using this key
  • Review authentication logs (e.g., /var/log/auth.log) for suspicious login patterns
  • Verify the IP addresses that have successfully authenticated using this key
  • Check for unusual login times or locations
  • Monitor for file transfers or command executions that seem abnormal
  • Review the list of systems where this key has been authorized

Mitigation Instructions:

  • Generate a new SSH key pair to replace the compromised key -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEA1QezWKNHtMgaGFxnJQqR9tJwN4XQJyJsI+zHEVxJeYKYQm8l 3JZmuA0YY9EqhZcNxzO9RpMFRt9jR9yDvHxmPCG6hV4XWLYFZWVj2T0kKzXn1OZy O1Iki/7BCIzxoN+6VDmEE5ZjJjWCZlgRKQPcDmCA1LQtKGGcOKu3FPDi+0+UIGFH F9nICnl1rIaJSVQEHj5vYQK5sTYNeBPHvqZbEd9buXHOgMJG/oC+3nU0qYBuGlPm 7DpExZqYJsUJXVIgHnKLGjPIFJYYSCXHQPxg9hEcs3Z3BUBk8Ql1AaPIrEEQXq+V 2OVYfQNtKCXsQxXPUfEo0iHgNx0lFTXD9jY3CQIDAQABAoIBAQCVBxEzr+mIvC5z BVDDu64ysnItmmaQFOsL/GTJGrpS9YCOC7TgZYV7Oq5LG9F7FBBtPUf85LvZpQjM 7HSQVpjr9GiBXKWX0EglZ/+vhMRImZZB7X9qmAl4nQwKMirr/fQPRWyBNgJ7VE2v LxaELHJQPxw/j0QF0FPxKJEf1eJ4cVpLrBPZ1/TT5lXMFhxYjRgK5Y/hfe0j6Qpz VQnQxkCfIFo8KPNYs1xgECQh5g4LBXVBjYhFLBAwMzqMJFUVVnMwZ7bUQnGJTWOQ XfElVMQCfVNrjnFXkBNI5VtgVKHgAKg1GYHZZW1kxNUNhJLcjXwYpRUtK9EJlRjZ YnxPzWABAoGBAPdFnQJKG/1hKr3eVtNQBNTnj8q4TPXYVo3Tf5eSIGy7QnXrZ0X0 eZ9YfAjXDzYGKvLSQT2Jl1MTu6MQpjQU3bcpbBpTnSWwAalIQlNPKWMKFc2kJw3Q Xn4/cIx/8H/GdYy9oQmvLNxj7rLBBnDYmX/OxjwkgI5ABD1BoP1ABzZJAoGBANxw LLEfQtAKPuEOyKJ8V+lX+u0oMzMJVIw+v8EiN8m3wHI8JJDz/JrTJFxHu5vKCvVd VLFSe76grantDQ3Ye9rOrQSf6H4fj6igNvJCRkc0TRT7FfZFUEDHuPlvwbKLFxeV CjR9+OLzxY0GUxPfBdnZjbQOyPaJJEE/mFfVSYlBAoGADioDUWQM5QzlMfYVQQEJ JGYmFxNKrLnBwO8C9qMVMXx7qCQfLwuHIgM6KPi+vcZIwUVCYkGnCduS9SpBOTXr gKXlVW9C3cJnbxJbQYT6+YGK9XUqUGkxJBCrVOaX1zIuDEmCPzIWyxAp/ndTQxnO zUPSKcGfQDW9NLJa8K5LXCECgYEAusjBqvUkKqrePGHM2ODyqmiPz4Z5FJxHZG/A 2Wb/FVvNEjPRMa5n6CKzKwNEw+oUZWnQ8KZsqfHKJNbrJeZkGkOVYBQWvQnZ3zAv +qAh5ZQQyXQFc7VazjNWJpGCE0dZYdg+p8WNHQYxoQFDYQUvIKQvMmcSvdwnqZHT Gg0YVAECgYAqJAuGBMi1wadTR6oOLPjj7BaM2q0MCwXjXsZJi9A7UmhOGjlfhEUV I5ZBXxYPi+W9qDjDX4wR9u+HoJ3aeRDJDYIDBD3JYpHu0UtO2a3zJDRiMEQKvHdZ ehYCzfgY9ibmxPV80fUVbCgUjEtbPGCvD5vQz3HzMzIKQJQwHFdI7Q== -----END RSA PRIVATE KEY-----

  • Remove the compromised public key from all authorized_keys files on all

systems

  • Add the new public key to authorized_keys files on systems that require access
  • Consider implementing passphrase protection for the new private key
  • Implement IP-based restrictions in SSH configuration where possible
  • Consider implementing multi-factor authentication for SSH access
  • Review and update SSH configuration settings to enhance security
  • Monitor for any continued unauthorized access attempts