A security analyst receives an alert from the SIEM regarding unusual activity on an authorized public SSH jump server.
To further investigate, the analyst pulls the event logs directly from /var/log/auth.log: graphic.ssh_auth_log.
Which of the following actions would BEST address the potential risks by the activity in the logs?
Click on the arrows to vote for the correct answer
A. B. C. D.C.
https://www.rapid7.com/blog/post/2017/10/04/how-to-secure-ssh-server-using-port-knocking-on-ubuntu-linux/Based on the scenario, there is unusual activity on an authorized public SSH jump server. To address the potential risks, we need to analyze the event logs and take appropriate actions.
Option A: Alerting the misconfigured service account password This option does not address the issue at hand. A misconfigured service account password may lead to a different set of risks, but it does not address the unusual activity detected in the logs.
Option B: Modifying the AllowUsers configuration directive This option may be a valid approach to addressing the issue. By modifying the AllowUsers configuration directive, we can limit the number of users who have access to the server. However, this option does not provide a complete solution as it only limits the users who can access the server, but it does not prevent unauthorized access to the server.
Option C: Restricting external port 22 access This option may be a valid approach to addressing the issue. Restricting external port 22 access will limit the number of users who can access the SSH server from outside the network. This will prevent unauthorized access to the server and reduce the risk of a potential breach. However, this option may not be feasible if there are legitimate users who require external access to the SSH server.
Option D: Implementing host-key preferences This option may be a valid approach to addressing the issue. Implementing host-key preferences will ensure that the server only allows connections from authorized devices. This will prevent unauthorized access to the server and reduce the risk of a potential breach. However, this option may not be feasible if there are legitimate users who require access to the SSH server from different devices.
Based on the analysis, the BEST option to address the potential risks identified in the logs is Option C: Restricting external port 22 access. This option limits the number of users who can access the SSH server from outside the network, and it reduces the risk of a potential breach. However, this option may not be feasible if there are legitimate users who require external access to the SSH server. In this case, implementing host-key preferences may be a better option.