Exam CAS-004 topic 1 question 20 discussion

The log picture is missing, so we can not discuss a solution.

To address the potential risks posed by the activity in the logs, the BEST action would be to restrict external port 22 access. This would prevent unauthorized access attempts from external sources and limit the potential for further security incidents.

The correct answer is C. Restricting external port 22 access. Explanation: A public SSH jump server inherently faces risk when its SSH service (using port 22) is exposed to the internet. In this scenario, the unusual activity recorded in /var/log/auth.log indicates that adversaries could be attempting brute force or credential-stuffing attacks. By restricting external (Internet) access to port 22, you limit the attack surface and ensure that only connections from specific, trusted sources can reach the server. This control is one of the best practices to defend against unauthorized or suspicious access attempts, as it directly mitigates the potential vector of attack.

Why C. Restricting external port 22 access is BEST: It directly limits who can connect to SSH from outside, reducing the chance of brute-force, unauthorized access, or exploitation. Can be implemented using: Firewall rules (e.g., allow only specific IPs/ranges) Port knocking or VPN-only access Changing to a non-standard port (not secure by itself, but lowers noise)

B. Modifying the AllowUsers configuration directive The AllowUsers directive in the SSH configuration is used to restrict which users are allowed to log in via SSH. Modifying this configuration could effectively limit access to only trusted users, reducing the potential attack surface. This would be an effective response if the attack was related to unauthorized users attempting SSH access. While C. Restricting access to port 22 (the default SSH port) from external sources can reduce the risk of unauthorized access attempts, especially brute-force attacks, from the internet. However, if the jump server is still required to be publicly accessible for authorized users, this could cause legitimate access issues. A more targeted approach might be needed.

Where is the log picture at. Other Test banks I saw had B for the correct answer.

Modifying the AllowUsers configuration directive ✅ Strongest answer! This allows only specific, authorized users to connect via SSH. Prevents attackers from brute-forcing or exploiting weak accounts. Example: In /etc/ssh/sshd_config, setting Breaking Down the Scenario: The SIEM detects unusual activity on an authorized public SSH jump server. Logs from /var/log/auth.log indicate potential SSH misuse or compromise. The BEST action is to mitigate risk while maintaining necessary access.

I would go with B, As going with C will eliminate the purpose of a SSH server. Someone said Chat GPT says C, You can cross question above the above with GPT and it will change its answer and go with B.

This question doesnt have a picture. Suggested answer is B. Modifying the AllowUsers configuration directive Explanation: Modifying the AllowUsers configuration in the SSH server's configuration file allows you to specify which users are permitted to log in via SSH. This can restrict access to only specific, authorized accounts, thereby reducing the risk of unauthorized access. Given unusual activity on the SSH jump server, tightening access to only essential users would help mitigate potential threats. Why Other Options Are Less Suitable: A. Alerting the misconfigured service account password: This option would address a specific misconfiguration but is not directly related to controlling SSH access based on the logs. C. Restricting external port 22 access: While restricting port 22 may help, it could also disrupt legitimate access. Modifying AllowUsers provides more granular control without completely blocking SSH access. D. Implementing host-key preferences: This can help ensure secure connections but does not address unusual activity related to user access permissions.

Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

Answer: B. Modifying the AllowUsers configuration directive Explanation: The AllowUsers configuration directive in SSH is used to limit the users who can log in to the server. If the logs show unusual activity, it could mean that unauthorized users are attempting to or have gained access to the server. By modifying the AllowUsers configuration, the security analyst can restrict access to only those users who are authorized, thereby reducing the risk of unauthorized access. Option A, altering the misconfigured service account password, might not be the best solution if the issue is not related to a specific service account. Option C, restricting external port 22 access, could potentially disrupt legitimate users who need to access the server. Option D, implementing host-key preferences, is more about ensuring the identity of the server to the client, not about controlling who can access the server.

Pic is missing.