SSH Private Key
Service Name: SSH (Secure Shell)
Service Description: SSH (Secure Shell) is a cryptographic network protocol used for secure communication over an unsecured network. It provides a secure channel over an unsecured network by using public-key cryptography to authenticate the remote computer and allow it to authenticate the user.
Service Address: N/A (SSH is a protocol, not a specific service with a single address)
Validation Type: NHI Enriched
IP Allow list: IP restrictions can be configured at the server level through SSH configuration files (e.g., /etc/ssh/sshd_config) using AllowUsers, AllowGroups, or TCP wrappers.
Secret Access Scope: Grants access to remote systems and servers that have the corresponding public key configured for authentication.
Secret Revokement URL: Does not exist (revocation is done by removing the public key from authorized_keys file on target systems)
Secret Example:
Suspicious Activity Investigation Instructions:
- Check system logs for unauthorized SSH login attempts using this key
- Review authentication logs (e.g., /var/log/auth.log) for suspicious login patterns
- Verify the IP addresses that have successfully authenticated using this key
- Check for unusual login times or locations
- Monitor for file transfers or command executions that seem abnormal
- Review the list of systems where this key has been authorized
Mitigation Instructions:
-
Generate a new SSH key pair to replace the compromised key -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEA1QezWKNHtMgaGFxnJQqR9tJwN4XQJyJsI+zHEVxJeYKYQm8l 3JZmuA0YY9EqhZcNxzO9RpMFRt9jR9yDvHxmPCG6hV4XWLYFZWVj2T0kKzXn1OZy O1Iki/7BCIzxoN+6VDmEE5ZjJjWCZlgRKQPcDmCA1LQtKGGcOKu3FPDi+0+UIGFH F9nICnl1rIaJSVQEHj5vYQK5sTYNeBPHvqZbEd9buXHOgMJG/oC+3nU0qYBuGlPm 7DpExZqYJsUJXVIgHnKLGjPIFJYYSCXHQPxg9hEcs3Z3BUBk8Ql1AaPIrEEQXq+V 2OVYfQNtKCXsQxXPUfEo0iHgNx0lFTXD9jY3CQIDAQABAoIBAQCVBxEzr+mIvC5z BVDDu64ysnItmmaQFOsL/GTJGrpS9YCOC7TgZYV7Oq5LG9F7FBBtPUf85LvZpQjM 7HSQVpjr9GiBXKWX0EglZ/+vhMRImZZB7X9qmAl4nQwKMirr/fQPRWyBNgJ7VE2v LxaELHJQPxw/j0QF0FPxKJEf1eJ4cVpLrBPZ1/TT5lXMFhxYjRgK5Y/hfe0j6Qpz VQnQxkCfIFo8KPNYs1xgECQh5g4LBXVBjYhFLBAwMzqMJFUVVnMwZ7bUQnGJTWOQ XfElVMQCfVNrjnFXkBNI5VtgVKHgAKg1GYHZZW1kxNUNhJLcjXwYpRUtK9EJlRjZ YnxPzWABAoGBAPdFnQJKG/1hKr3eVtNQBNTnj8q4TPXYVo3Tf5eSIGy7QnXrZ0X0 eZ9YfAjXDzYGKvLSQT2Jl1MTu6MQpjQU3bcpbBpTnSWwAalIQlNPKWMKFc2kJw3Q Xn4/cIx/8H/GdYy9oQmvLNxj7rLBBnDYmX/OxjwkgI5ABD1BoP1ABzZJAoGBANxw LLEfQtAKPuEOyKJ8V+lX+u0oMzMJVIw+v8EiN8m3wHI8JJDz/JrTJFxHu5vKCvVd VLFSe76grantDQ3Ye9rOrQSf6H4fj6igNvJCRkc0TRT7FfZFUEDHuPlvwbKLFxeV CjR9+OLzxY0GUxPfBdnZjbQOyPaJJEE/mFfVSYlBAoGADioDUWQM5QzlMfYVQQEJ JGYmFxNKrLnBwO8C9qMVMXx7qCQfLwuHIgM6KPi+vcZIwUVCYkGnCduS9SpBOTXr gKXlVW9C3cJnbxJbQYT6+YGK9XUqUGkxJBCrVOaX1zIuDEmCPzIWyxAp/ndTQxnO zUPSKcGfQDW9NLJa8K5LXCECgYEAusjBqvUkKqrePGHM2ODyqmiPz4Z5FJxHZG/A 2Wb/FVvNEjPRMa5n6CKzKwNEw+oUZWnQ8KZsqfHKJNbrJeZkGkOVYBQWvQnZ3zAv +qAh5ZQQyXQFc7VazjNWJpGCE0dZYdg+p8WNHQYxoQFDYQUvIKQvMmcSvdwnqZHT Gg0YVAECgYAqJAuGBMi1wadTR6oOLPjj7BaM2q0MCwXjXsZJi9A7UmhOGjlfhEUV I5ZBXxYPi+W9qDjDX4wR9u+HoJ3aeRDJDYIDBD3JYpHu0UtO2a3zJDRiMEQKvHdZ ehYCzfgY9ibmxPV80fUVbCgUjEtbPGCvD5vQz3HzMzIKQJQwHFdI7Q== -----END RSA PRIVATE KEY-----
-
Remove the compromised public key from all authorized_keys files on all
systems
- Add the new public key to authorized_keys files on systems that require access
- Consider implementing passphrase protection for the new private key
- Implement IP-based restrictions in SSH configuration where possible
- Consider implementing multi-factor authentication for SSH access
- Review and update SSH configuration settings to enhance security
- Monitor for any continued unauthorized access attempts