From owner-freebsd-questions@freebsd.org Mon Feb 17 16:40:38 2020
From: Shamim Shahriar
Date: Mon, 17 Feb 2020 16:40:24 +0000
Subject: Re: disabling "weak" algorithms in sshd
To: Vikashb Badal
Cc: "freebsd-questions@FreeBSD.org"
In-Reply-To: <79ccdac5-a26b-7a21-5ecb-014d526265c6@where-ever.za.net>
List-Id: User questions

Thank you all for your suggestions, very much appreciated. I did put in the cipher list, but not the MACs or KexAlgorithms; maybe that will make some change to the report. I will put them in, and in case the vulnerability pops up again, I'll get back to you.

Kind regards
SK

On Mon, 17 Feb 2020 at 15:51, Vikashb Badal wrote:
>
> On 17/02/2020 17:09, Shamim Shahriar wrote:
> > Good afternoon all
> >
> > I had been googling for quite some time and so far came up empty, maybe
> > someone can shed some light or point me to the correct direction.
>
> I don't know if there is a best practice for these atm, I usually update
> /etc/ssh/sshd_config and add/replace:
>
> Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
> MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
>
> https://man.openbsd.org/sshd_config#Ciphers
> https://man.openbsd.org/sshd_config#MACs
>
> "ssh -Q cipher" and "ssh -Q mac" will provide you a list of ciphers
> currently allowed.
>
> > I have introduced a bunch of servers into an infrastructure that previously
> > had zero FreeBSD systems. They make use of Tenable Security Centre
> > (tenable.com), which I believe uses Nessus in the backend to identify
> > vulnerabilities. Amongst other things, it is picking up on (tenable/nessus
> > plugin ID 90317) "SSH Weak Algorithms Supported" because the server allows
> > "none" algorithms.
> >
> > Is there any way to "select" or "selectively disable" algorithms and hashes
> > from sshd? According to various web sources, certain implementations on
> > certain distributions might have options to amend the list, but none of the
> > examples I have found worked on my FreeBSD system.
> >
> > Would appreciate it if someone could please point me to the correct direction.
> >
> > Kind regards
> > SK
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
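The check a practitioner would want before re-running the scanner, as an added example that is not part of the thread above: a small POSIX shell audit that reads sshd_config (or the effective configuration as printed by "sshd -T") and lists every Ciphers, MACs or KexAlgorithms entry matching a deny-list of algorithms scanners commonly report as weak. The deny-list (WEAK_PATTERN) and the two sample configurations are the editor's constructions, not Tenable's plugin logic. Two caveats worth knowing: "ssh -Q cipher" lists what the OpenSSH build supports, not what the server is currently configured to allow, which is what "sshd -T" shows; and the Ciphers and MACs lines quoted in the reply above would themselves be reported by such a check, since arcfour is RC4 and OpenSSH removed arcfour and hmac-ripemd160 support in 7.6, while leaving KexAlgorithms unset keeps the server's default key-exchange list.

```shell
#!/bin/sh
# Added example (not from the thread): audit the Ciphers, MACs and
# KexAlgorithms lines of sshd_config-style input for algorithms that
# vulnerability scanners commonly flag. Keywords are matched
# case-insensitively, so both /etc/ssh/sshd_config and "sshd -T" output
# (which prints lowercase keywords) are handled.

# Assumption: this deny-list is the editor's, not Tenable's; extend it to
# match the scanner's findings. Each entry is an ERE tested against one
# algorithm name.
WEAK_PATTERN='arcfour|^none$|-cbc|3des|blowfish|cast128|hmac-md5|hmac-sha1|ripemd160|group1-sha1|group14-sha1|group-exchange-sha1'

# Constructed sample: the cipher/MAC lines from the reply above, which still
# carry RC4 (arcfour), SHA-1 and RIPEMD-160 MACs and set no KexAlgorithms.
WEAK_CONFIG='Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
'

# Constructed sample: AEAD/CTR ciphers, encrypt-then-MAC SHA-2 MACs and
# curve25519 or large-group DH key exchange only.
HARDENED_CONFIG='Port 22
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
'

# sshd_audit: read config on stdin, print "Keyword algorithm" for every weak
# entry; exit 0 when nothing weak was found, 1 otherwise.
sshd_audit() {
    awk -v pat="$WEAK_PATTERN" '
        tolower($1) ~ /^(ciphers|macs|kexalgorithms)$/ {
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++)
                if (algs[i] ~ pat) { print $1, algs[i]; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Demo on the two constructed samples.
printf '%s' "$WEAK_CONFIG" | sshd_audit || echo "weak sample: weak algorithms present"
if printf '%s' "$HARDENED_CONFIG" | sshd_audit; then echo "hardened sample: clean"; fi
```

Run it as "sshd_audit < /etc/ssh/sshd_config" to check the file, or "sshd -T | sshd_audit" to check what sshd will actually negotiate after defaults and Match blocks are applied; after editing the config on FreeBSD, "service sshd reload" picks up the change, and only then is a re-scan meaningful.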