Introduction
Recently, I faced two critical OpenSSH vulnerabilities—CVE-2025-26465 and CVE-2025-26466—which posed serious security threats, including Man-in-the-Middle (MitM) and Denial-of-Service (DoS) attacks. If left unpatched, these vulnerabilities could allow attackers to intercept SSH connections or crash SSH services.
In this blog post, I’ll walk you through my experience detecting and fixing these vulnerabilities, along with a step-by-step guide to securing your system.
How I Discovered the Vulnerability
I first learned about these vulnerabilities through a security advisory. Since I frequently manage Linux servers, I wanted to check if my system was vulnerable and take immediate action.
1. Checking OpenSSH Version
I ran the following command to determine my OpenSSH version:
ssh -VOutput:
OpenSSH_9.x, OpenSSL 1.1.1If you see an outdated version (e.g., anything before the latest patched release), your system is likely vulnerable.
2. Checking SSH Client Configuration for VerifyHostKeyDNS
Since one of the vulnerabilities was related to the VerifyHostKeyDNS setting, I inspected my SSH client configuration file:
sudo nano /etc/ssh/ssh_configHowever, I couldn’t find VerifyHostKeyDNS explicitly set. To confirm its status, I ran:
ssh -G example.com | grep verifyhostkeydnsOutput:
verifyhostkeydns yesThis meant my system was at risk of a MitM attack.
How I Fixed the OpenSSH Vulnerabilities
1. Disabling VerifyHostKeyDNS to Prevent MitM Attacks
To mitigate CVE-2025-26465, I added the following line in the SSH client configuration:
sudo nano /etc/ssh/ssh_configAdded:
VerifyHostKeyDNS noThen, I saved the file and verified the change:
ssh -G example.com | grep verifyhostkeydnsExpected output:
verifyhostkeydns no2. Updating OpenSSH to Patch CVE-2025-26466
To protect against DoS attacks, I updated OpenSSH to the latest secure version:
sudo apt update && sudo apt upgrade openssh-server -yFor RHEL/CentOS:
sudo dnf update openssh-server -yAfter updating, I restarted the SSH service:
sudo systemctl restart sshThen, I rechecked my OpenSSH version:
ssh -VThis confirmed that I was now running the patched version.
Additional Security Enhancements I Implemented
1. Enforcing Strong SSH Authentication
To further secure my SSH setup, I ensured only key-based authentication was allowed:
sudo nano /etc/ssh/sshd_configSet:
PasswordAuthentication noPermitRootLogin no
Then restarted SSH:
sudo systemctl restart ssh2. Limiting Authentication Attempts and Concurrent Connections
To prevent brute-force attacks, I configured the following settings in my SSH server configuration:
sudo nano /etc/ssh/sshd_configAdded:
MaxAuthTries 3MaxStartups 10:30:60
MaxAuthTries 3: Limits the number of failed authentication attempts to 3.MaxStartups 10:30:60: Controls the rate of unauthenticated SSH connections, reducing the risk of DoS attacks.
Then, I restarted SSH:
sudo systemctl restart ssh3. Configuring a Firewall to Restrict SSH Access
To limit SSH access, I allowed only specific IPs:
sudo ufw allow from MY_TRUSTED_IP to any port 22Then enabled the firewall:
sudo ufw enable4. Checking SSH Logs for Unauthorized Attempts
I monitored SSH login attempts using:
sudo journalctl -u ssh --since "1 day ago"This helped me detect any suspicious login attempts.
Final Security Checks
To ensure my SSH configuration was secure, I:
- Checked active SSH settings:
sudo sshd -T | grep hostkey - Scanned my server for open SSH vulnerabilities:
sudo nmap --script sshv1,ssh2-enum-algos -p 22 myserver.com
Conclusion
By identifying and patching OpenSSH vulnerabilities CVE-2025-26465 and CVE-2025-26466, I successfully mitigated security risks on my system. Additionally, I reinforced SSH security by disabling password authentication, limiting authentication attempts, restricting SSH access via firewall, and regularly monitoring logs.
If you manage Linux servers, I highly recommend checking your OpenSSH version and configuration to prevent potential attacks.
Stay secure, keep your system updated, and regularly review your configurations!
If this guide helped you, share it with your team to ensure a safer SSH environment.