OpenSSH is a critical component for managing remote servers securely. Recently, vulnerabilities CVE-2025-26465 and CVE-2025-26466 were discovered in older OpenSSH versions, making it essential to upgrade to version 9.9p2. However, modifying SSH on a live production server can be risky.
In this guide, we will:
Explain pre-update precautions to ensure a smooth upgrade.
Provide a step-by-step method to upgrade OpenSSH 9.9p2 on an AWS instance.
Show how to use AWS Systems Manager (SSM) to access your server without SSH.
Upgrading OpenSSH is crucial for:
Security Fixes: Protect against newly discovered vulnerabilities.
Improved Performance: Newer versions include performance enhancements and bug fixes.
Compliance: Organizations following security frameworks (e.g., CIS, NIST) must maintain up-to-date software.
Since modifying SSH can lock you out of your server, follow these steps carefully.
SSM (AWS Systems Manager) allows remote access to instances without SSH. Install and configure it first.
sudo apt install awscli -y
# Session Manager plugin for 64-bit Ubuntu (download location from the AWS documentation)
curl -o session-manager-plugin.deb https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb
sudo dpkg -i session-manager-plugin.deb
Your EC2 instance needs the AmazonSSMManagedInstanceCore policy to work with SSM.
Navigate to the AWS IAM Console.
Create or modify an IAM Role with the AmazonSSMManagedInstanceCore policy.
Attach this IAM role to your EC2 instance.
Check if the AWS Systems Manager Agent (SSM Agent) is running:
sudo systemctl status amazon-ssm-agent
amazon-ssm-agent --version
If the agent is not installed, install it using the following:
sudo snap install amazon-ssm-agent
sudo snap restart amazon-ssm-agent
If SSH fails after the upgrade, use AWS SSM to access the server:
aws ssm start-session --target i-xxxxxxxxxxxxxxxxx --profile lalatendu-own-aws-profile
If you have more than one AWS CLI profile, pass the profile name with --profile; otherwise the default profile is used.
No Need to Open Port 22 → More secure since no inbound SSH access is required.
Works on Private Instances → You can access EC2 instances in private subnets.
IAM-Based Access Control → Permissions are managed via IAM roles instead of SSH keys.
Once you've set up an alternative access method, proceed with the OpenSSH upgrade.
First check the version that is currently installed:
ssh -V
If it is below 9.9p2, continue with the upgrade.
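Before running the upgrade steps, a pre-flight check as an added example (not the post's own code): it confirms the instance's SSM agent reports Online, so the fallback described earlier will actually work if sshd breaks, and parses the `ssh -V` banner (which ssh writes to stderr, hence the 2>&1) to decide whether the installed build is below 9.9p2. The instance id and profile name are the placeholders used in the post, and the banners quoted in the comments are constructed.

```shell
#!/bin/sh
# Added pre-flight check (not from the original post). INSTANCE_ID and the
# profile name are placeholders; run from a host with the AWS CLI configured.
INSTANCE_ID=${INSTANCE_ID:-i-xxxxxxxxxxxxxxxxx}
PROFILE=${AWS_PROFILE:-lalatendu-own-aws-profile}

# version_key BANNER: turn "OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, ..." into one
# comparable integer (major*1000000 + minor*1000 + patchlevel);
# prints nothing if the banner does not look like an OpenSSH version.
version_key() {
    printf '%s\n' "$1" | awk '
        match($0, /^OpenSSH_[0-9]+\.[0-9]+(p[0-9]+)?/) {
            v = substr($0, 9, RLENGTH - 8)        # e.g. "9.6p1"
            sub(/p/, ".", v); n = split(v, f, ".")
            if (n == 2) f[3] = 0                  # no portable patchlevel
            printf "%d\n", f[1] * 1000000 + f[2] * 1000 + f[3]
        }'
}

# openssh_needs_upgrade BANNER [TARGET]: exit 0 if BANNER is older than
# TARGET (default 9.9p2, the release that fixes CVE-2025-26465/26466),
# 1 if it is current, 2 if the banner is unparsable (never guess).
openssh_needs_upgrade() {
    cur=$(version_key "$1")
    want=$(version_key "OpenSSH_${2:-9.9p2}")
    [ -n "$cur" ] || return 2
    [ "$cur" -lt "$want" ]
}

# ssm_online INSTANCE_ID: exit 0 only if the SSM agent reports PingStatus
# Online, i.e. `aws ssm start-session` will work as the fallback path.
ssm_online() {
    status=$(aws ssm describe-instance-information \
        --filters "Key=InstanceIds,Values=$1" \
        --query 'InstanceInformationList[0].PingStatus' \
        --output text --profile "$PROFILE" 2>/dev/null)
    [ "$status" = "Online" ]
}

# Typical use. Note the 2>&1: ssh prints its version banner on stderr.
#   ssm_online "$INSTANCE_ID" || { echo "fix SSM before touching sshd"; exit 1; }
#   if openssh_needs_upgrade "$(ssh -V 2>&1)"; then echo "upgrade to 9.9p2"; fi
```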
cd /usr/local/src
# /usr/local/src is owned by root: fetch and unpack with sudo, then hand the source tree to your user for the build
sudo wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.9p2.tar.gz
sudo tar -xvzf openssh-9.9p2.tar.gz
sudo chown -R "$USER": openssh-9.9p2
cd openssh-9.9p2
sudo apt update && sudo apt install -y build-essential zlib1g-dev libssl-dev libpam0g-dev libselinux1-dev
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam
make -j$(nproc)
sudo make install
ssh -V
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo systemctl restart ssh
PerSourcePenalties is an OpenSSH daemon (sshd) configuration option that applies penalties to sources (IP addresses) exhibiting abusive behavior. When enabled, OpenSSH delays response times for repeated failed authentication attempts from the same source, making brute-force attacks significantly less effective.
Mitigates Brute-Force Attacks: Increases response time for repeated failures, slowing down automated login attempts.
Reduces Server Load: Prevents excessive authentication requests from overwhelming system resources.
Enhances Security Without External Tools: Unlike fail2ban or firewall rules, this feature is built directly into OpenSSH, reducing dependency on external software.
Ensure that your system is running OpenSSH 9.9p1 or later:
ssh -V
Expected output:
OpenSSH_9.9p2, OpenSSL x.y.z
If your version is older, you will need to upgrade OpenSSH.
Edit the SSH daemon configuration file:
sudo nano /etc/ssh/sshd_config
Add or modify the following line:
PerSourcePenalties yes
For changes to take effect, restart the SSH daemon:
sudo systemctl restart ssh
Run the following command (sshd -T must run as root because it loads the host keys):
sudo sshd -T | grep -i persourcepenalties
Expected output:
persourcepenalties yes
When enabled, OpenSSH will gradually introduce delays for authentication attempts originating from the same IP address if they continuously fail. Instead of immediately blocking the IP, OpenSSH will make successive attempts take longer to process, making brute-force attacks inefficient.
PerSourcePenalties Does Not Block IPs: Unlike fail2ban, which blocks abusive IPs, this feature only introduces delays.
May Impact Legitimate Users: If users frequently mistype passwords, they may experience noticeable login delays.
Combine With Other Security Measures: Using PerSourcePenalties alongside SSH key authentication, fail2ban, or firewall rules further strengthens security.
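The enable, restart and verify steps above combined into one script with a rollback, as an added example that is not the post's own code: it rewrites the directive idempotently, runs `sshd -t` on the result and restarts sshd only if that passes, otherwise restoring /etc/ssh/sshd_config.bak. Per sshd_config(5), a source whose accumulated penalty crosses the threshold is refused connections for the penalty period, so the usage comment also shows PerSourcePenaltyExemptList for your own admin range (203.0.113.0/24 is a constructed placeholder).

```shell
#!/bin/sh
# Added example (not from the original post): change one sshd_config directive
# safely. Edit idempotently, validate with `sshd -t`, restart only on success,
# otherwise restore the backup the post creates (/etc/ssh/sshd_config.bak).

# set_sshd_option FILE KEY VALUE: rewrite the first "KEY ..." line, whether
# active or commented out ("#KEY ..."), else append one. Matching is
# case-insensitive and whole-word, so PerSourcePenalties does not touch
# PerSourceNetBlockSize. Writes via cat so FILE keeps its mode and owner.
set_sshd_option() {
    file=$1
    key=$2
    value=$3
    awk -v key="$key" -v value="$value" '
        BEGIN { re = "^[ \t]*#?[ \t]*" tolower(key) "([ \t]|$)" }
        !done && tolower($0) ~ re { print key " " value; done = 1; next }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# apply_sshd_option KEY VALUE [CONFIG]: back up, edit, test-parse, restart.
# Run as root from a session you keep open until a second login succeeds.
apply_sshd_option() {
    cfg=${3:-/etc/ssh/sshd_config}
    cp -p "$cfg" "$cfg.bak" || return 1
    set_sshd_option "$cfg" "$1" "$2" || return 1
    if sshd -t -f "$cfg"; then
        systemctl restart ssh
    else
        echo "sshd rejected $cfg; restoring $cfg.bak" >&2
        cp -p "$cfg.bak" "$cfg"
        return 1
    fi
}

# Example session (203.0.113.0/24 stands in for your own admin network):
#   apply_sshd_option PerSourcePenalties yes
#   apply_sshd_option PerSourcePenaltyExemptList 203.0.113.0/24
#   sshd -T | grep -i persourcepenalt
```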
Run ssh -V to verify the new version.
Try reconnecting via SSH.
If SSH fails, use aws ssm start-session to troubleshoot and revert to the backup config (/etc/ssh/sshd_config.bak).
Upgrading OpenSSH on AWS is crucial for security but should be approached with caution. Implementing AWS Systems Manager (SSM) ensures access to your instance even if SSH fails, preventing potential lockouts. Always test upgrades on a non-production environment before applying them to critical systems.
Additionally, the PerSourcePenalties feature in OpenSSH 9.9+ enhances security by slowing down repeated failed login attempts, effectively mitigating brute-force attacks. As a built-in solution, it strengthens SSH access without relying on external tools. For system administrators and organizations aiming to secure remote access, enabling this feature is a simple yet effective step toward improving security.