new SSH exploit is absolutely wild
VloĆŸit
- Äas pĆidĂĄn 2. 07. 2024
- OpenSSH has been rocked by a new RCE vulnerability. But, it may not be as scary as people are making it out to be. Find out why in this video.
blog.qualys.com/vulnerabiliti...
www.qualys.com/2024/07/01/cve...
đ« COURSES đ« Learn to code in C at lowlevel.academy
đ GREAT BOOKS FOR THE LOWEST LEVELđ
Blue Fox: Arm Assembly Internals and Reverse Engineering: amzn.to/4394t87
Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation : amzn.to/3C1z4sk
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software : amzn.to/3C1daFy
The Ghidra Book: The Definitive Guide: amzn.to/3WC2Vkg
đ„ SOCIALS đ„
Come hang out at lowlevel.tv - VÄda a technologie
haha wouldn't it be cool if you learned C and assembly haha lowlevel.academy
no it wouldnt
Bro can you please tell me how much time it takes to learn assembly language from which you can write your own script exploits and malwares and ransomwares.
And which are the best high level languages which are used to write a malware or ransomwares
no it wouldnt
â@@PrinceKumar-yo9lr It really depends on what you're exploiting. If it's a local vulnerability (one through the operating system) then you'll need to have full control over the arguments you pass to the operating system's APIs. This is best done with a low level language such as C, C++, Zig, or even Rust. If you need *really* fine control, you can use Assembly, but it's not common.
However, must vulnerabilities are rooted in networking. These can be made in any language that has networking capabilities. Rust is my pick, just because of how easy it is to throw some bytes through a socket. POSIX's C sockets take a bit more work to set up than a higher-level TCP stream, but it's way better than Winsock from what I've seen.
However, this all assumes you have a vulnerability to exploit. Vulnerabilities are often patched as soon as they pop up.
Something way cooler than just malicious stuff is "fun" malware, which was away more prevalent back then. It didn't usually do anything super serious, but it would take control of the system and show you something really cool looking. There are some Windows 10 programs that do this with WinGDI (see MEMZ and Chloroform). You could learn to do the same, since it looks really cool. You don't need to exploit anything to make something really cool, just look at Furnace.
@@PrinceKumar-yo9lr 2 minutes and 34 seconds đ
Temple OS is once again not affected? Coincidence?
Too holy to get hacked đ
Not a coincidence.
kowinkydink?
it's GOD'S work my dude
Thats why god uses it
That's why we call it "OpenSSH".
no cap
I still don't get why people open the SSH port when they can use wireguard since if the device is compromised all bets are off anyway
â@@AkivaB Guess it's difficult to maintain the wireguard configuration for all your devices, especially for multiple users - personally I like to use an open source mesh VPN like Tailscale or ZeroTier.
the door is wide open
đ
The creativity of threat hunters will NEVER cease to amaze me
Breakers are one or several steps ahead of builders.
Agreed. People doing this kind of work are fascinating and awesome
There has to be an invisible hand from the intelligence community to plant some of these. I'm not saying that programmers never make mistakes that allow sploits, but those are probably the exception, not the rule.
@@brainites by definition, or they wouldn't be breakers. Sometimes builders can be ahead, as is the case with attempts at quantum computer proof crypto that is being worked on before quantum supremacy is reached.
The lack of creativity of developers will NEVER cease to amaze me
LLL: "It's from 20 years ago, 2006."
Me: "It's not THAT long -- Oh shit..."
Yeah, my mind jumped to the 90s as well
@@mephistovonfaust20 years ago is, and forever shall be, the 80s.
you're old
@@prototypeinheritance515 respect your elders, boyo. ;)
LOL exactly! :-) For me is 10-15 years ago in the 1980s and last year is about 2001. :-)
"Everyone can do it" - Yeah for now nobody was able to do it on a 64 bit system only on 32 bit systems lol.
just was about to comment that "everyone"-line. I doubt my mom could time the attack right.. she always forgets to compensate for latency...
Nor if there's a connection limit via firewall. Even with the biggest botnet it would take forever.
Can I just say this? Thank you Low Level Learning for dark mode. So many yt chanels flash bang me.
Nothing worse than when a CZcamsr bangs you, thatâs for sure
Agreed đ
I wish a CZcamsr bangs me too someday
@@_Salaar_khan đđđ
I think at this point we can update the saying to "the three hardest problems in computer science are cache invalidation, naming things, asynchronous programs and 'Off By 1' errors"
Throw in interrupts like SigAlarm and you got a nightmare.
@99temporal I see what you did there
2B OR â 2B
Bugs like this are part of why I use a pretty aggressive fail2ban. The attacker doesn't get 10,000 tries... instead they get 3 tries or sometimes even less. The bans eventually expire, but instead of hours to get in, it would take decades. Plenty of time to install a fixed version.
You can get nailed on the first try if you're unlucky, or the timing might never work for an attacker. Even 64 bit systems could get catastrophically unlucky. At least it's an easy fix this time.
fail2ban is certainly a useful tool, but I can think of way to potentially dodge it, depending on how it's coded. Like most software, let's assume that it's been written with the assumptions of the IPv4 address space in mind. That is to say, a user is likely to have access to a handful of IP addresses, and can't easily get hold of more unless they are a large company or state actor. However, that's not true for IPv6, where essentially everyone gets access to a 64-bit block as normal practise. So if fail2ban isn't coded to take this into account, and is only banning singular IP addresses, then it's trivial to bypass with IPv6...you just change IP address on every operation. To counter this, fail2ban needs to be IPv6 aware, and ban the whole 64-bit block if just one address in it trips its alarms.
@@parad0xheart There are ways to make it detect and block IP ranges, in both ipv4 and ipv6. It just depends on whether the admin actually bothered.
â@@parad0xheartI'm not sure about fail2ban specifically, but it's standard to block the whole /64 range for IPv6. Each customer / network is supposed to get its own /64, so it makes sense to block the entire range.
@@parad0xheart or you just disable IPv6 for SSH, by setting the protocol to "inet" in ssh config.
oh that is why an openssh update was avaliable.
They patched it already?
@@johndank2209 It was probably patched before the paper and the CVE were announced. Package maintainers get early access to security fixes so they have ample time to prepare their backports. A backport is a fixed version with security patches applied retroactively. It's how most distros work. Since many packages are binaries, they can even advance patch most systems before the actual source code changes becomes available from the OG repository. It depends on the severity of the vulnerability, but package-managed systems can actually be fully patched up to a week before the CVE drops.
@@johndank2209 it was revealed as the patch is out
Yeah Ubuntu already patched it up on July 1st
openssh 1:9.6p1-3ubuntu13.3
CVE-2024-6387
Edit:
From the bug report itself
2024-05-19: We contacted OpenSSH's developers. Successive iterations of
patches and patch reviews followed.
2024-06-20: We contacted the distros@openwall.
2024-07-01: Coordinated Release Date.
@@johndank2209 it was an accidental regression, should be super easy to patch. Just revert the code that was never supposed to be there anyway
I use sssh. Safer ssh
there is no such thing as "safe"
ssssssshhhhhh
@@ACium. sshhhh, its "safer", not "safe"
Hahaha I see what you did here!
Don't google sssh đ€ŁStraight to PH
This has all my windows people at work scream LINUX VIRUS and im so exhausted of telling them it would take literal hours and using fail2ban is a dead simple mitigation any public server should have anyway. Ugh... That said, this explanation was really good! Reminds me of the late Tetris level shenanigans where VBlank interrupts cause almost the same situation - albeit of a different nature.
the regression has been fixed anyway already even my old ubuntu lts jammy pi home server already got a patch for it
Like OpenSSH is not present on Windows also...
Be sure to update your fail2ban sshd filter after installing openssh 9.8 ;)
This is also more exploitable as the paper mentioned on 32-bit CPUs... which in 2024, who is seriously even using 32-bit for anything, let alone a server on the Internet for anything productive? So, this is essentially a very minor issue in my eyes and shouldn't affect that many people or servers.
...i have heard whispers & jokes of "Linux" & "packet sniffing": But they're so busy laughing that I cannot understand what they're saying... Can you comment on this at all ?
very well explained. i love that the vulnerability is put under real word context and report is not just a scary click bait. if one has a cloud server e.g. amazon, they should limit their client IP address for that ssh port.
Is that the recommended method? I also always thought It would be risky to use an ssh server outside my home network. But don't know what to do instead. What if there is a coffee shop with the same provider and open wifi nearby. Wouldn't they also have the same IP? Of course it would still be a lot harder to hack the server than.
@@leokappler2282 , your ISP typically assigns an unique but non-permanent address for each location. so your server would see different ip address at your coffee shop vs your home address unless you tunnel through your home address.
Great job explaining this vulnerability. But I think you got the LoginGraceTime part wrong. According to sshd_config's man page: "The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit." - Which could result in a DoS if the maximum unauthorized connections are exhausted.
That's exactly what the paper points out. (10:58)
Oh boy, the rewrite in rust gang is coming!
OH LAWD! HE COMIN!
Is Rust also Thread Safe?!
@@gavabundo_0072thatâs like half the whole point
@@gavabundo_0072 This vulnerability is about signal safety - that is a whole other level of safety that Rust does not provide. When the signal handler is invoked in this exploit, the heap is corrupt. If you do anything with the heap at that point, you are bound to have something exploitable and a signal handler is Rust CAN interact with the heap.
we gonna be ruSHing
That's it, you're going into the Rust rewriter
Finally! I don't have to worry about forgetting my password anymore.
10:51 It does not close it immediately but rather does not close it at all. That's why as researchers mention it make you vulnerable to dos attacks as attacker does not have time limit for spawning too many waiting logins
Which could easily be a bigger problem than a vulnerability with no known exploit.
Just wanna say I love your vids man , high prod quality and clear description of the issue.
Interesting video & well explained. I'll be coming back to this channel for more content like this, good stuff! đ
Please add sections to your video! đ
Especially for experts, it is nice to skip stuff like explanations what SSH is.
@@ForcefighterX2 +10000000
What an excellent explanation, you are a great teacher.
Subscribed!
The fact that it was a known bug _reintroduced_ into glibc makes it scary to me.
welcome to the world of C and C++
@@cherubin7th Been there since 2002, but thanks.
It is not by mistake. GNU is compromised and so is glibc. Keep in mind it is called "exploit" or "bug" when you cannot prove malicious intent. When intent is proven it is suddenly a backdoor. But how easy do you think it is to prove intent when code obfuscation is done and the project is bloated? GNU ls is over 2000 LoC, while FreeBSD ls is around 1200, and openBSD ls is around 600 LoC.
Where would an obfuscated backdoor be easier to hide?
@@Mario1vsSonic1 It's not a hard sell, frankly. I doubt anyone seriously doubts the will that exists to have control over... _everything._
Great video and breakdown!
@0:27 "...not that scary"
Title: ABSOLUTELY WILD !!!!
đđ
great point! đ€Ł
Think of a giraffe. Wild? Wild. Scary? Not so much.
This is how we all live now
@@szelest88 Yeah, what they pulled off is insane and I now have much more respect for that company. I may actually attend their next webcast.
@@szelest88 *a wild exploit has appeared*
đ
Great content! Thank you!
Great stuff. Thanks ever so much LLL!
Your explaination for laypersons is very very good. I'm not a programmer or security expert by any means, but found it was easy to comprehend thanks to your summary
Great video and explanation
This is a really high quality and useful video for me. It makes me look smart to my bosses. Thank you :)
Crazy exploit! Thanks for making me aware to this
the last time I was this early the queen was still alive
The Queen is still alive though? đ€
I'll be embarrassed if I check the news and see that Camilla has died...
@@MenaceInc The Queen that actually mattered, not the current one
@@mochafennec Victoria? Zenobia? Cleopatra? Freddie Mercury?
I think one of the best things you can do to secure your own Internet-connected server is to set up a system where you touch a specific port in a specific way to open up another port forward for the actual service. Without the initial poke at the ports, the server is never exposed to the Internet directly.
I believe this is known as "port knocking".
This is just security through obscurity.
I wanted to touch on something you noted late in the video, regarding recommending not exposing SSH on the internet, which invites the question of what do you suggest instead? You can do a lot to try and isolate management networks/etc, but ultimately you need a legitimate way in. Your argument that 'code can have bugs' applies to pretty much anything, we've seen various firewall vendor and VPN bugs in the past, so they're not different. How would you handle remote access?
unfortunately imo the only other way is IP address whitelisting. it's not pretty but it significantly reduces the attack surface
@@LowLevelLearning I can agree with you on that. Sometimes that presents a practicality problem, but it does significantly improve the posture when possible. And then in the case of this particular bug, something like fail2ban would probably go a long way in mitigation (though not closing off the bug entirely), given the large number of tries required. Thanks as always for the great content!
@@NigelVH One low-tech way to reduce risk is to require a port knock or similar. It's primitive, but still sufficient to stop most attacks.
Run SSH on a non-standard port, use fail2ban, or limit what IP blocks you allow to access (if you're in the US, do you need to allow access from other continents?).
For big organizations that have their own IPv4 blocks they got from a RIR it's super easy, you just only allow from your own IP blocks and reject everything else
I think he was referring to don't connect it to the internet while using the vulnerable version, not don't use SSH for its intended purpose ever. If that's what he did mean, then there's a couple of things you can do like whitelisting only specific IPs, or port knocking, but these only reduce the attack surface not make it safe. IMO its worth the risk if you take proper cautions like, IP address whitelisting, but not using a tool just because there's a possibility it could be vulnerable is dumb.
Was waiting for this vid
Great coverage on the subject when everyone else is screaming everything could be on fire. Seriously though big points to reviewing the mitigations and explaining the exploit in a easy to consume video!
So if i understand correctly, the exploiter injects the required function pointers for shell root onto to the compromised heap via the certificates being sent?
Love your content.
I sent a similar video to someone at my office. He's like: updating the libraries now. We then talked about the importance of testing known weak points in code (since it was a regression). Gotta keep an eye on known previous points of failure.
Reminds me of one of the exploits in the chain for Eternal Blue.
I swear every time I get a notification from low level learning it's some scary vulnerability that may affect one of my systems
thanks for the great explanation.
How well can that 4-6 hours be parallelized? If an attacker can work on thousands+ of targets simultaneously then it still seems pretty bad
You need a pretty stable connection for race conditions. So, working on thousands of targets would be extremely expensive.
@@somebodystealsmyname Establishing SSH connections costs very little bandwidth. Depending on the exact timing, AWS may not be enough. But a small host with good connectivity to your target ranges, which can be established with a BGP looking glass, and many of these have very limited to no KYC -- those are great for these attacks
already covered in the video. OpenSSH throttles new connections to... 100 in a second? which is why it takes 3-4 hours based on how quickly it allows connections to come in.
Great vid!
Can you imagine any legacy devices common on local networks that use the vulnerable ssh? Perhaps even those not owned by the user
That seems like an art piece or concept work... A meandering of what's possible, might not be practical but possible and clever none the less.
It's amazing, the blogger is really creative and worth watching
Noob question, is LibC needed for system runtime, or is it an optional component used for compiling and so on?
kind of video you wanna see right after starting openSSH
frfr just setup my vps yesterday for a minecraft ds-lite nat proxy tunnel and well haha sudo apt update sudo reboot
Same! I learnt more about `ssh` and `tmux` JUST YESTERDAY and now I get to watch this!
...
Thank you, Ed. At least I know how to keep my `ssh` connections more secure _nauw!..._
Basically while the OpenSSH "regreSSHion" vulnerability sounds concerning, it's not a major threat. Exploitation is complex and requires hours of attempts under specific conditions, making widespread attacks unlikely. Many systems already have mitigations like brute-force detection in place, and the scope is limited to certain OpenSSH versions. Patch your systems
...no need to panic.
A phrase to parallel JerryRigEverything: âCode is code, and code breaksâ
@@callumbirks I have written unbreakable code
observe
int main() {
return 0;
}
What a champ and good explainer.
I mean yeah you're right, this isn't the kind of exploit to some random individual is going to use to hack into a bunch of servers. But for extremely sophisticated, targeted attacks, stuff like this can be and is exploited.
This is literally the meaning of "grace" and since it was implement it has always been known to be a potential vulnerability.
This sounds like an early implementation of a TAS speed run with a wrong warp. It sounds impossible to execute but determined people can make these issues exploitable at a momentâs notice.
Yuffie mentioned.
I rarely had to do signal handlers but the first thing I do is making sure no mallocs are reachable.
5:05 maybe Iâm just out of it but has anyone else had the thought âMalloc Baldwinâ randomly before?
Internet, please say Iâm not alone in this đ
So simplest way to protect is set LoginGraceTime = 0 and all even old versions sould be "safe". Is this exploit only for x86 arch? does arm32 also affected? Thinking about rasberry pi platform connected to web.
afaik it was only hours on 32bit software? I wasn't super paying attention so maybe you covered that bit, but the other sources I was looking into this with said on 64bit systems it would take days or longer.
I'm curious, if you have a fully up to date gateway, or an OpenSSH server behind another protocol like a VPN, are older systems that can't be updated for some reason no longer vulnerable? Because they're not accessible from the internet someone would need to break into the patched system first, right? (I never trust myself even when I think I know something)
yo, i'm no code guy but enjoy stuff like this from u, primeagen, dave's garage n the likes, i appreciate the logic n informative value u guys bring
For critical projects like this (at the very least), there should be a process built into the commit procedure that checks for various types of vulnerabilities, and especially for specific vulnerabilities that were previously found and patched.
Next major version, rewritten OpenSSH with Rust.
Would you be able to do a video explaining ASLR? I understand the basic concept, but don't understand how it doesn't cause code to break.
Setting LoginGraceTime to zero does not log you out after 1 failed attempt. It appears to remove a login time limit completely. While it's good to always be using the latest releases, if you are set up to disconnect after three failed attempts, is this problem moot, since timing is not involved?
How would i setup my server if i wont expose ssh and still want to access it.
Use vpn to connect to network? Only allow certain ips?
@LowLevelLearning Have they completed the 64bit PoC yet? Last I saw they still only had only successfully exploit in 32-bit. However, they were working on a 64-bit version
Thx for ur efforts to do this video, one simple question, wouldnât be awesome if the developers of OpenSSH project rewrite most of their base code using Rust language! Due to enormous hype about it, in which of its core features eliminating race conditions and other memory faulty stuff?!
"Would rust have fixed this bug?"
Yes. You can screw up with signals in Rust, but you kind of have to try.
I donât think so. A signal handler in Rust can interact with the heap which will expose you to similar issues. At the time the signal handler is invoked, the heap is in a corrupt state. There is surely a way to exploit that, even if it isnât exactly the same bug.
@@deanjohnson8233 signals would typically be handed by Tokio or some other crate like signal_hook. These would avoid mistakes like interacting with the heap inside a signal handler. Rolling your signal handling in Rust would count as trying to be insecure to me.
ââ@@deanjohnson8233Hol' up.
The paper mentions "if any one of these 24 free() calls is interrupted..." and "hence free(), which is not async-signal-safe". Generally in rust, whether you're in async or sync code, the compiler makes sure all the memory is deallocated once an item goes out of scope. This stands true even if the thread panics.
On top of that, you also have the type system that prevents you from using and sending non async-safe types (including functions) across multiple threads. I'm pretty sure there are still ways to screw up, but rust would make it very hard to do in the first place.
@@SanguinariusUmbra yeah but the lower levels arent made in rust. So rust is dead in the water.
that sounds a lot like the kind of attacks that first kinds of hacks found on consoles to bypass protection
Finally! I found someone that also pronounces it as 'daymon' instead of 'deamon'! A.k.a. the correct way!!!!!
so.. rustdesk x wireguard is more secure? didnt once see the point of remote control that is command line only
all my ssh endpoints are only accessible on the assigned wireguard interface.
How do you login to a remote live server if ssh is not exposed?
You're connected via VPN and only from that internal virtual IP adress you can access the ssh (because you share the same vlan). So you can close ssh on the servers firewall. And only allow certs no passwords.
oh yeah, be sure to be up to date for all the security fixes
"Accidentally"
I remember when i first started logging into my servers i just used to close the terminal to close the connection to the ssh server now i exit through exit command
Thanks.
I still remember the first time I had a server open to the internet the only reason I didn't get hacked is because the logs from their attack filled my 40gb drive and crashed the system. Something like this would have been very bad.
I love how a serious RCE gets resurfaced because "oops I [un]commented the wrong #ifdef" AKA how often does stuff like this make it into open code bases because no one notices? Who knows if this oops was intentional or not.
Not worried about it myself but after hearing you need multiple connections would fail2ban not also fix the issue?
Kind of. It does jail, but only short term from what Iâve seen. And even then it needs to be tuned since it can miss things. Itâs possible for someone to attack all day up to the 60âs and not get stopped. Iâm sure someone has better info on the subject but thatâs what Iâve seen.
ĐĐČŃĐŸŃ ĐČĐžĐŽĐŸŃĐ° ŃĐ°ŃŃĐșĐ°Đ·Đ°Đ» ĐżŃĐŸ ĐŸŃлОŃĐœŃŃ ŃĐČŃĐ·ĐșŃ, ĐŽĐ°ĐČĐœĐŸ ĐœĐ° ĐČĐ°Ń ĐżĐŸĐŽĐżĐžŃĐ°Đœ ĐČ ŃĐł!
I have a live trail of my fail2ban audit log on a monitor of my little 1$ VPS and boy I think I have witnessed attemps to use this since the log is exploding from 1 sec to another only from connects and disconects (no jails since they dont try logging in).
But if this really boils down to signal + malloc, isn't a lot of software besides OpenSSH affected? And does this mean that signals are useless for everything except maybe doing some cleanup and logging before shutting the process down?
I really hope I misunderstood something.
The authors of the paper quoted song lyrics by a band called The Interrupters in each chapter.
how can this code run as root if ssh privilege separation is enabled by default?
timing here is interesting. would an attack perhaps be exploitable faster with less network latency deviation (e.g. intra-datacenter exploits) i would presume attack could be performed much faster if you knew additional information about where in the cloud your victim is hosted and network link speeds are much more predictable.
The 10000 tries the researchers got were under lab conditions. So it will mostlikely be longer in real world conditions.
Think the research group the lowest latency they were attempting at was 10ms or something crazy low like that.
Everything else aside, I'm really happy the paper starts by quoting The Interrupters.
I think youâre the only youtuber who covers this with proper manner instead of reading some news outlet who wrote no background of programming
The way you say qualys as "qualles" 0:12 đ”âđ«
Every time when i see exploit like this i wonder, maybe it is not feasible for remote access, but could be used for privileges escalation for local users and rooting phones, consoles etc.
Have you ever made a video on the Intel Management Engine? My professor in my OS class mentioned that every Intel chip has its own OS that is based on Minix3. I've read people call it "ring -3", and so Intel basically has a root kit on every Intel PC. I would be interested to hear your thoughts on this
2:55 yeah that article is thicc!
who the hell are runnings 32bit server applications in the current year
more common than you think
probably a lot of low power embedded computers like routers and what not, many that no longer get updated
Raspberrys maybe but they should not be connected directly to the internet anyway.
C has been here.
How can you tell?
Memory management based vulnerability.
"keep SSH off the internet" significantly dings the usefulness of SSH though. people will continue to use SSH as their primary method for accessing VPS instances for the forseeable I think
You just need to use a IP whitelist or a VPN
I am a little bit perplexed.
Firstly, removing openssh from the Internet may be an option for some, but many hosting providers actually allow clients to use ssh to update their files on the host. For them to remove ssh from the Internet would mean that clients have lost the ability to upload files to their host (or at least have lost that path by which they can upload).
Secondly, if this problem is in malloc(), the I would think that potentially it has far wider issues than merely OpenSSH, malloc() is a core part of memory management on most systems (even if it is behind the scenes), and it would seem very probable that there are other pieces of software out there that allow signal interrupts while using malloc().
Use sshv2 straight up instead of using unsecure free replacement programs.
On top of that, dont allow direct internet access to the ssh port of those servers. You could easily implement a vpn that could provide access to whatever management is needed securely
@@lillones none of these alternatives are guaranteed to be any safer than OpenSSH.
If the problem is the way malloc() interacts with signals then there is no reason to be so certain that a VPN would not have the same issue. All that a closed source alternative to OpenSSH would give you is the bliss of ignorance - you same problems might be there but it would take a lot longer to find them.
The vpn would allow you to send requests for ssh internally on the intranet rather than the open internet. It would block any rando from being able to even attempt to initiate a session to take advantage of the vulnerability
@@lillones yes, but the VPN itself is using an encrypted tunnel just as SSH does.
@@Hfil66 yes... and water is also wet, but that has nothing to do with my point
if you take SSH off the internet how do you manage your server?
@@DeveloperChris well is a vpn technically the internet? đ
@@tau4333 And you don't think VPN's have security flaws? The only way to be safe on the internet is to not be on the internet.
Simply update ssh daemon and be done with it. it is just as safe when patched as any VPN. Also saying you should disable ALL SSH for a flaw that is technically very difficult actually use is overkill to the extreme. There are easier ways to hack a machine.
cool video thx
Would this affect ARM too?
and this is exactly why i never expose ssh to the internet, but rather behind a preconfigured wireguard intranet.