Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 17 Feb 2020 15:46:38 +0000
From:      Earl A Ramirez <earlaramirez@gmail.com>
To:        Shamim Shahriar <shamim.shahriar@gmail.com>
Cc:        "freebsd-questions@FreeBSD.org" <freebsd-questions@freebsd.org>
Subject:   Re: disabling "weak" algorithms in sshd
Message-ID:  <CAP6-ctQ-vhYNzfFcEy_t-0e674P2xoFCjj8niQ7YFMcO0BgaDg@mail.gmail.com>
In-Reply-To: <CAOyJeZTbbkpznciYMaCOWswrtDDbo9AGiBdw3i6tcaz__CjS%2BQ@mail.gmail.com>
References:  <CAOyJeZTbbkpznciYMaCOWswrtDDbo9AGiBdw3i6tcaz__CjS%2BQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Mon, 17 Feb 2020 at 15:09, Shamim Shahriar <shamim.shahriar@gmail.com>
wrote:

> Good afternoon all
>
> I had been googling for quite some time and so far came up empty, maybe
> someone can shed some light or point me to the correct direction.
>
> I have introduced a bunch of servers into an infrastructure that previously
> had zero FreeBSD system. They make use of Tenable Security Centre (
> tenable.com) which I believe used Nessus in the backend to identify
> vulnerabilities. Amongst other things, it is picking up on (tenable/nessus
> plugin ID 90317) "SSH Weak Algorithms Supported) because the server allows
> "none" algorithms.
>
> Is there any way to "select" or "selectively disable" algorithms and hashes
> from sshd? According to various web sources, certain implementation on
> certain distributions might have options to amend the list, but none of the
> examples I have found worked on my FreeBSD system.
>
> Would appreciate if someone could please point me to the correct direction.
>
> I have been using the following lines to get mitigate Nessus findings in
the sshd_config

# Permit supported Ciphers, MAC and Algorithms
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,
aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256



-- 
Kind Regards
Earl Ramirez

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAP6-ctQ-vhYNzfFcEy_t-0e674P2xoFCjj8niQ7YFMcO0BgaDg>