How to Safely Upgrade OpenSSH 9.9p2 on AWS: A Step-by-Step Guide #PerSourcePenalties #CVE-2025-26465 & CVE-2025-26466

OpenSSH is a critical component for managing remote servers securely. Recently, vulnerabilities CVE-2025-26465 and CVE-2025-26466 were discovered in older OpenSSH versions, making it essential to upgrade to version 9.9p2. However, modifying SSH on a live production server can be risky.

In this guide, we will:

• Explain pre-update precautions to ensure a smooth upgrade.

• Provide a step-by-step method to upgrade OpenSSH 9.9p2 on an AWS instance.

• Show how to use AWS Systems Manager (SSM) to access your server without SSH.

Why Upgrade OpenSSH in a Production Environment?

Upgrading OpenSSH is crucial for:

• Security Fixes: Protect against newly discovered vulnerabilities.

• Improved Performance: Newer versions include performance enhancements and bug fixes.

• Compliance: Organizations following security frameworks (e.g., CIS, NIST) must maintain up-to-date software.

Pre-Update Precautions (Before Making SSH Changes)

Since modifying SSH can lock you out of your server, follow these steps carefully.

Step 1: Install AWS CLI and Session Manager Plugin on Your Local System

SSM (AWS Systems Manager) allows remote access to instances without SSH. Install and configure it first.

sudo apt install awscli -y

curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb" -o "session-manager-plugin.deb"

sudo dpkg -i session-manager-plugin.deb

Step 2: Attach the Correct IAM Role to Your Instance

Your EC2 instance needs the AmazonSSMManagedInstanceCore policy to work with SSM.

1. Navigate to the AWS IAM Console.

2. Create or modify an IAM Role with the AmazonSSMManagedInstanceCore policy.

3. Attach this IAM role to your EC2 instance.

Step 3: Verify if the SSM Agent is Installed

Check if the AWS Systems Manager Agent (SSM Agent) is running:

sudo systemctl status amazon-ssm-agent

amazon-ssm-agent --version

If the agent is not installed, install it using the following:

sudo snap install amazon-ssm-agent

sudo snap restart amazon-ssm-agent

Step 4: Connect to Your Instance Using SSM (Instead of SSH)

If SSH fails after the upgrade, use AWS SSM to access the server:

aws ssm start-session --target i-xxxxxxxxxxxxxxxxx --profile lalatendu-own-aws-profile (Please note if you have multiple aws profile then you need to mention profile name)

Why Use AWS SSM Instead of SSH?

• No Need to Open Port 22 → More secure since no inbound SSH access is required.

• Works on Private Instances → You can access EC2 instances in private subnets.

• IAM-Based Access Control → Permissions are managed via IAM roles instead of SSH keys.

How to Upgrade OpenSSH to 9.9p2 on AWS

Once you've set up an alternative access method, proceed with the OpenSSH upgrade.

Step 1: Check Current OpenSSH Version

ssh -V

If it is below 9.9p2, continue with the upgrade.

Step 2: Download and Compile OpenSSH 9.9p2 from Source

cd /usr/local/src

wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.9p2.tar.gz

tar -xvzf openssh-9.9p2.tar.gz

cd openssh-9.9p2

Step 3: Install Required Dependencies

sudo apt update && sudo apt install -y build-essential zlib1g-dev libssl-dev libpam0g-dev libselinux1-dev

Step 4: Configure and Install OpenSSH

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam

make -j$(nproc)

sudo make install

ssh -V

Step 5: Backup Existing SSH Configuration and Restart SSH

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

sudo systemctl restart ssh

What is PerSourcePenalties?

PerSourcePenalties is an OpenSSH daemon (sshd) configuration option that applies penalties to sources (IP addresses) exhibiting abusive behavior. When enabled, OpenSSH delays response times for repeated failed authentication attempts from the same source, making brute-force attacks significantly less effective.

Why is PerSourcePenalties Important?

• Mitigates Brute-Force Attacks: Increases response time for repeated failures, slowing down automated login attempts.

• Reduces Server Load: Prevents excessive authentication requests from overwhelming system resources.

• Enhances Security Without External Tools: Unlike fail2ban or firewall rules, this feature is built directly into OpenSSH, reducing dependency on external software.

How to Enable PerSourcePenalties in OpenSSH 9.9+

Step 1: Verify OpenSSH Version

Ensure that your system is running OpenSSH 9.9p1 or later:

ssh -V

Expected output:

OpenSSH_9.9p2, OpenSSL x.y.z

If your version is older, you will need to upgrade OpenSSH.

Step 2: Enable PerSourcePenalties

Edit the SSH daemon configuration file:

sudo nano /etc/ssh/sshd_config

Add or modify the following line:

PerSourcePenalties yes

Step 3: Restart the SSH Service

For changes to take effect, restart the SSH daemon:

sudo systemctl restart ssh

Step 4: Verify That PerSourcePenalties is Active

Run the following command:

sshd -T | grep persourcepenalties

Expected output:

persourcepenalties yes

How PerSourcePenalties Works

When enabled, OpenSSH will gradually introduce delays for authentication attempts originating from the same IP address if they continuously fail. Instead of immediately blocking the IP, OpenSSH will make successive attempts take longer to process, making brute-force attacks inefficient.

Considerations for Production Environments

• PerSourcePenalties Does Not Block IPs: Unlike fail2ban, which blocks abusive IPs, this feature only introduces delays.

• May Impact Legitimate Users: If users frequently mistype passwords, they may experience noticeable login delays.

• Combine With Other Security Measures: Using PerSourcePenalties alongside SSH key authentication, fail2ban, or firewall rules further strengthens security.

Final Testing and Verification

• Run ssh -V to verify the new version.

• Try reconnecting via SSH.

• If SSH fails, use aws ssm start-session to troubleshoot and revert to the backup config (/etc/ssh/sshd_config.bak).

Conclusion

Upgrading OpenSSH on AWS is crucial for security but should be approached with caution. Implementing AWS Systems Manager (SSM) ensures access to your instance even if SSH fails, preventing potential lockouts. Always test upgrades on a non-production environment before applying them to critical systems.

Additionally, the PerSourcePenalties feature in OpenSSH 9.9+ enhances security by slowing down repeated failed login attempts, effectively mitigating brute-force attacks. As a built-in solution, it strengthens SSH access without relying on external tools. For system administrators and organizations aiming to secure remote access, enabling this feature is a simple yet effective step toward improving security.