Securing SSH

Hello IT Admin, 

CUIT has contacted IT Leaders around campus about reducing our SSH exposure due to the increased activity of ransomware attacks. The CUIT Cybersecurity team is reaching out because you have been identified as a system administrator for your department. Our security monitoring has discovered machines under your ownership which have SSH open to the Internet. Attached is the list of hosts which require remediation.

Leaving SSH exposed to the Internet puts the University at risk for potential ransomware attacks. CUIT is providing recommendations to restrict the SSH protocol to Columbia-owned networks only. Using the Windows built-in Firewall, an IP restriction should be implemented on Port 22. It is also recommended to review all inbound configuration rules to implement the most restrictive configuration possible.

We understand that SSH is the primary way some users remotely interact with their campus desktops and servers. In order to balance security and function, we are requesting that you enforce the use of VPN for SSH connections. This provides a level of security with Duo multifactor authentication and reduces our attack surface. Information and user guides on the VPN are available on the CUIT website.



If you need assistance on how to configure the Windows Firewall, the Microsoft support site has detailed instructions.

Overview of Recommendation 

  • Enable and configure the Windows firewall

  • Restrict the SSH Port to only CU IP addresses, deny the rest

    • Double-check your range restrictions before moving changes to production

  • Use the VPN first, then SSH to continue management of desktops or servers

  • Always test your configuration before implementing in production 

  • If your department does not have an anti-malware deployment, please review the Malwarebytes webpage; this is another proactive security measure to prevent ransomware

  • Please direct any questions to cybersec@columbia.edu 
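
The firewall steps above as a PowerShell sketch, added here as an example and not a CUIT-provided script. The address ranges are RFC 5737 documentation placeholders (not Columbia ranges), and the rule name and `$Apply` switch are hypothetical; with `$Apply` left at `$false` every change runs as `-WhatIf` so the result can be checked before production.

```powershell
# Added example (not CUIT's script). Run elevated; try it on a test host first.
# PLACEHOLDER ranges (RFC 5737 documentation blocks), not real Columbia ranges:
# substitute the campus and VPN ranges you are given.
$AllowedRanges = @('192.0.2.0/24', '198.51.100.0/24')
$RuleName      = 'SSH inbound - campus and VPN only'   # hypothetical name
$Apply         = $false   # stays a dry run (-WhatIf) until set to $true

# Firewall on for every profile, and anything no rule allows is dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -WhatIf:(-not $Apply)

# Sort enabled inbound allow rules: those naming TCP 22 explicitly, and broader
# ones (any port, or a port range) that may also cover SSH and need manual review.
$sshRules = @(); $broadRules = @()
foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -notin 'TCP', 'Any') { continue }
    if ($pf.LocalPort -contains '22') { $sshRules += $rule }
    elseif ($pf.LocalPort -contains 'Any' -or ($pf.LocalPort -match '-')) { $broadRules += $rule }
}

# Scope each SSH rule that currently accepts any source address.
foreach ($rule in $sshRules) {
    $af = $rule | Get-NetFirewallAddressFilter
    if ($af.RemoteAddress -contains 'Any') {
        Write-Warning "Open to any source: $($rule.DisplayName)"
        $rule | Set-NetFirewallRule -RemoteAddress $AllowedRanges -WhatIf:(-not $Apply)
    }
}

# No SSH rule yet: create one that is scoped from the start.
if (-not $sshRules) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 22 -RemoteAddress $AllowedRanges `
        -WhatIf:(-not $Apply) | Out-Null
}

# Do not add a separate "block everyone else" rule on port 22: Windows Firewall
# block rules take precedence over allow rules and would cut off campus access too.
# The default inbound Block set above already denies the rest.
Write-Output 'Broader allow rules to review by hand:'
$broadRules | Select-Object DisplayName, Profile | Format-Table -AutoSize
```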
