Date: Mon, 17 Feb 2020 15:46:38 +0000 From: Earl A Ramirez <earlaramirez@gmail.com> To: Shamim Shahriar <shamim.shahriar@gmail.com> Cc: "freebsd-questions@FreeBSD.org" <freebsd-questions@freebsd.org> Subject: Re: disabling "weak" algorithms in sshd Message-ID: <CAP6-ctQ-vhYNzfFcEy_t-0e674P2xoFCjj8niQ7YFMcO0BgaDg@mail.gmail.com> In-Reply-To: <CAOyJeZTbbkpznciYMaCOWswrtDDbo9AGiBdw3i6tcaz__CjS%2BQ@mail.gmail.com> References: <CAOyJeZTbbkpznciYMaCOWswrtDDbo9AGiBdw3i6tcaz__CjS%2BQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 17 Feb 2020 at 15:09, Shamim Shahriar <shamim.shahriar@gmail.com> wrote: > Good afternoon all > > I had been googling for quite some time and so far came up empty, maybe > someone can shed some light or point me to the correct direction. > > I have introduced a bunch of servers into an infrastructure that previously > had zero FreeBSD system. They make use of Tenable Security Centre ( > tenable.com) which I believe used Nessus in the backend to identify > vulnerabilities. Amongst other things, it is picking up on (tenable/nessus > plugin ID 90317) "SSH Weak Algorithms Supported) because the server allows > "none" algorithms. > > Is there any way to "select" or "selectively disable" algorithms and hashes > from sshd? According to various web sources, certain implementation on > certain distributions might have options to amend the list, but none of the > examples I have found worked on my FreeBSD system. > > Would appreciate if someone could please point me to the correct direction. > > I have been using the following lines to get mitigate Nessus findings in the sshd_config # Permit supported Ciphers, MAC and Algorithms Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com, aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256 -- Kind Regards Earl Ramirez
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAP6-ctQ-vhYNzfFcEy_t-0e674P2xoFCjj8niQ7YFMcO0BgaDg>