SSH private keys: How do threat actors find exposed keys?
Cybersecurity vendor Wordfence reported a rise in scans for SSH private keys that are often accidentally exposed to the public. Learn how to stay protected with Nick Lewis.
Cybersecurity vendor Wordfence recently reported that it detected a spike in scanning for SSH private keys. How can threat actors find these keys? What should enterprises do to protect them?
When people, including me, are in a hurry, they often take shortcuts or overlook specific details. It's impossible to know every way something can be abused, especially when dealing with something you might not fully understand, so mistakes happen.
One instance where this might happen is when a web developer uploads software to a new server and accidentally includes and exposes his or her SSH keys to the internet. While the exposure of SSH keys is usually an accident, attackers have figured out how to scan for them.
Wordfence recently published a blog post about this type of incident and the increase in scanning it has observed. Threat actors can find SSH keys the same way that everyone else finds information on the internet -- by using a search engine.
An example is the following Google search: filetype:key "-----BEGIN RSA PRIVATE KEY-----" site:<website>, where <website> is replaced with a specific website name in order to find any SSH private keys uploaded to that site. This search can be made more open-ended or customized to search the content of your own website. A server's file system can also be searched to identify any SSH private keys and confirm that their permissions are set correctly.
Enterprises should educate their IT staff to protect their SSH private keys with methods such as protecting keys with a passphrase, removing any public access to SSH private keys and ensuring that SSH is used securely. Likewise, Wordfence has its own scanner that checks a website for exposed SSH private keys.
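As an added example (not code from the article or from Wordfence), the following POSIX shell script performs the server-side check described above: it locates private key files by the same header a scanner matches, then reports any that are readable by group or others, or that are stored without a passphrase. The file names, paths and key bodies it creates are constructed fixtures; the OpenSSH-format check decodes the key's base64 body and reads the cipher name, which is "none" for an unencrypted key.

```shell
#!/bin/sh
# Added example (not from the article or Wordfence): audit a directory tree
# for SSH private keys, using the same PEM/OpenSSH headers a scanner matches,
# and report keys readable by group/others or stored without a passphrase.

# List files whose contents carry a private-key header.
find_private_keys() {
    grep -rIl -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1" 2>/dev/null
}

# Return 0 if the key is passphrase-protected, 1 if it is stored in the clear.
key_is_encrypted() {
    # PEM files say so in their headers; the OpenSSH format names its cipher
    # ("none" when unencrypted) right after the "openssh-key-v1" magic.
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
        return 0
    fi
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        grep -v -- '-----' "$1" | base64 -d 2>/dev/null | tr -cd '[:print:]' \
            | grep -q '^openssh-key-v1none' && return 1
        return 0
    fi
    return 1
}

# Print one finding per line: "<severity> <file> <problem>".
audit_keys() {
    find_private_keys "$1" | while IFS= read -r f; do
        perms=$(ls -l "$f" | cut -c5-10)          # group and other permission bits
        [ "$perms" = "------" ] ||
            echo "HIGH $f readable by group/others ($(ls -l "$f" | cut -c1-10))"
        key_is_encrypted "$f" || echo "MEDIUM $f no passphrase"
    done
}

# Constructed fixtures with fake key bodies; only the headers matter here.
make_fixtures() {
    d=$(mktemp -d)
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIEfakebody\n-----END RSA PRIVATE KEY-----\n' > "$d/id_rsa"
    chmod 644 "$d/id_rsa"                           # world-readable, no passphrase
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nMIIEfakebody\n-----END RSA PRIVATE KEY-----\n' > "$d/id_rsa_enc"
    chmod 600 "$d/id_rsa_enc"                       # passphrase-protected, correct mode
    { printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\n'
      printf 'openssh-key-v1\0\0\0\0\004none\0\0\0\004none' | base64
      printf -- '-----END OPENSSH PRIVATE KEY-----\n'; } > "$d/id_ed25519"
    chmod 600 "$d/id_ed25519"                       # correct mode, but cipher "none"
    printf 'ssh-rsa AAAAfake user@host\n' > "$d/id_rsa.pub"   # public key: not a finding
    echo "$d"
}

audit_keys "${1:-$(make_fixtures)}"
```

Run it as `sh audit_keys.sh /path/to/webroot` to check a real directory; without an argument it audits the constructed fixtures.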