SSH version outdated - closing port enough?
“SSH version is outdated” is not necessarily a security problem. Their recommendation is to install the latest version, but there is no benefit in running the latest version unless you want the latest features. For security, what matters is that you have all the security fixes applied. Many distributions apply security fixes to the version they ship. For example, CentOS 6 still ships OpenSSH 5.3p1 and will be receiving security updates until 2020; CentOS 7, the current release, ships OpenSSH 6.6.1p1. Debian jessie ships OpenSSH 6.7p1 and will also be receiving security updates until 2020, while the latest release stretch ships OpenSSH7.4p1.
In general, you should not install packages outside your distribution for critical infrastructure components such as OpenSSH. If you do, make sure to subscribe to security bulletins and apply security updates as soon as possible. If you just install OpenSSH 7.5 now and forget about it later, you're significantly weakening your security.
If you get a report that only says “version is outdated” and doesn't even try to determine whether the proper security patches have been applied, it's a bad report.
Closing external SSH access on servers that don't need them is a good idea regardless. One machine where the security updates are falling behind, or one machine where a user's password or key have been compromised, could get the attacker into your network. It's often a good idea to limit external access to a single gateway machine (or a small set of machines for redundancy) where updates and account are more closely monitored. Closing the port in the firewall will mitigate the issue of direct access. Indirect access (where the attacker gets into the network on a machine that's doing nothing important, and uses that as a relay to get into more important machine) will still be a concern.
You can check SSH access by yourself by running ssh -v MACHINENAME
from outside. If MACHINENAME is running an SSH server and the firewall doesn't block you, you'll see a line like
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u3
That, as I write, is the current version on Debian jessie and is perfectly fine.
You can try to run nmap -sV IP -p 22 to check if the port is still open. Maybe it's an issue in the reporting? They keep reporting the version until they can validate that it has changed?
Closing the port will indeed mitigate issues in SSH. If SSH is still available on the internal network this might still be an issue if you can't trust the internal network. Should SSH be available on the machine? If not, disable it. If it should be available you should put this in a separate VLAN for administration.