Configuring SSH on Amazon Linux AWS EC2 Instances to Protect Against the Terrapin Attack | by Teri Radichel | Cloud Security | January 2024


OpenSSH patch — AND — Prohibit insecure connections by removing them from your configuration

A recent vulnerability in SSH means that many servers that allow users to connect using certain encryption algorithms are vulnerable to attack.


Edit this file:
sudo vi /etc/crypto-policies/back-ends/opensshserver.config

If you want to know how I figured that out, read on.

By the way, two vulnerabilities were recently announced in SSH. There is a separate SSH issue that I covered in this article that concerns the keys you use to authenticate to SSH:

I may also provide an update for the above later.

About the Terrapin Attack

I first read about the Terrapin attack here:

And notice that many people still haven’t updated their configuration to protect against this attack:

How it works?

Here’s what’s happening at a high level. A person wants to connect with SSH and therefore runs a command to connect to the server.

The client machine and the server machine perform what is called a “handshake” to determine which encryption algorithms can be used to encrypt communications between the two hosts.

Leave a comment