Date: Mon, 17 Feb 2020 16:40:24 +0000 From: Shamim Shahriar <shamim.shahriar@gmail.com> To: Vikashb Badal <vikashb@where-ever.za.net> Cc: "freebsd-questions@FreeBSD.org" <freebsd-questions@freebsd.org> Subject: Re: disabling "weak" algorithms in sshd Message-ID: <CAOyJeZS%2BxzaHRe8zeUyXbyLofRGo97p97gvuUHYVeutkFUzJAQ@mail.gmail.com> In-Reply-To: <79ccdac5-a26b-7a21-5ecb-014d526265c6@where-ever.za.net> References: <CAOyJeZTbbkpznciYMaCOWswrtDDbo9AGiBdw3i6tcaz__CjS%2BQ@mail.gmail.com> <79ccdac5-a26b-7a21-5ecb-014d526265c6@where-ever.za.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Thank you all for your suggestions, very much appreciated. I did put in the cipher list, but not the MAC or KexAlgorithms, maybe that will make some change to the report. I will put it in and in case the vulnerability pops up again, I'll get back to you. Kind regards SK On Mon, 17 Feb 2020 at 15:51, Vikashb Badal <vikashb@where-ever.za.net> wrote: > > On 17/02/2020 17:09, Shamim Shahriar wrote: > > Good afternoon all > > > > I had been googling for quite some time and so far came up empty, maybe > > i don't know if there is a best practice for these atm, i usually update > /etc/ssh/shd_config and add/replace: > > Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128 > MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160 > > https://man.openbsd.org/sshd_config#Ciphers > > https://man.openbsd.org/sshd_config#MACs > > > "ssh -Q cipher" and "ssh -Q mac" will provide you a list of ciphers > currently > allowed, > > > > someone can shed some light or point me to the correct direction. > > > > I have introduced a bunch of servers into an infrastructure that > previously > > had zero FreeBSD system. They make use of Tenable Security Centre ( > > tenable.com) which I believe used Nessus in the backend to identify > > vulnerabilities. Amongst other things, it is picking up on > (tenable/nessus > > plugin ID 90317) "SSH Weak Algorithms Supported) because the server > allows > > "none" algorithms. > > > > Is there any way to "select" or "selectively disable" algorithms and > hashes > > from sshd? According to various web sources, certain implementation on > > certain distributions might have options to amend the list, but none of > the > > examples I have found worked on my FreeBSD system. > > > > Would appreciate if someone could please point me to the correct > direction. > > > > Kind regards > > SK > > _______________________________________________ > > freebsd-questions@freebsd.org mailing list > > https://lists.freebsd.org/mailman/listinfo/freebsd-questions > > To unsubscribe, send any mail to " > freebsd-questions-unsubscribe@freebsd.org" > _______________________________________________ > freebsd-questions@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to " > freebsd-questions-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOyJeZS%2BxzaHRe8zeUyXbyLofRGo97p97gvuUHYVeutkFUzJAQ>