Date: Mon, 17 Feb 2020 17:01:57 +0000
From: Shamim Shahriar <shamim.shahriar@gmail.com>
To: "freebsd-questions@FreeBSD.org" <freebsd-questions@freebsd.org>
Subject: Re: disabling "weak" algorithms in sshd
Message-ID: <CAOyJeZTs85XhEKj71dyzr0YB02CzNfH57_COmBwMcds_Zrrcmg@mail.gmail.com>
In-Reply-To: <CAOyJeZS%2BxzaHRe8zeUyXbyLofRGo97p97gvuUHYVeutkFUzJAQ@mail.gmail.com>
References: <CAOyJeZTbbkpznciYMaCOWswrtDDbo9AGiBdw3i6tcaz__CjS%2BQ@mail.gmail.com> <79ccdac5-a26b-7a21-5ecb-014d526265c6@where-ever.za.net> <CAOyJeZS%2BxzaHRe8zeUyXbyLofRGo97p97gvuUHYVeutkFUzJAQ@mail.gmail.com>
Okay, I added the following changes to /etc/ssh/sshd_config:

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256

and then restarted the ssh daemon.

The output for ssh -Q ciphers or ssh -Q mac was identical before and after. Also, Nessus/Tenable is still complaining:

Nessus negotiated the following encryption algorithm with the server :

The server supports the following options for kex_algorithms :
  curve25519-sha256@libssh.org
  diffie-hellman-group14-sha256
  diffie-hellman-group16-sha512
  diffie-hellman-group18-sha512

The server supports the following options for server_host_key_algorithms :
  ecdsa-sha2-nistp256
  rsa-sha2-256
  rsa-sha2-512
  ssh-ed25519
  ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :
  aes128-ctr
  aes128-gcm@openssh.com
  aes192-ctr
  aes256-ctr
  aes256-gcm@openssh.com
  chacha20-poly1305@openssh.com
  none

The server supports the following options for encryption_algorithms_server_to_client :
  aes128-ctr
  aes128-gcm@openssh.com
  aes192-ctr
  aes256-ctr
  aes256-gcm@openssh.com
  chacha20-poly1305@openssh.com
  none

The server supports the following options for mac_algorithms_client_to_server :
  hmac-sha2-256-etm@openssh.com
  hmac-sha2-512-etm@openssh.com
  umac-128-etm@openssh.com

The server supports the following options for mac_algorithms_server_to_client :
  hmac-sha2-256-etm@openssh.com
  hmac-sha2-512-etm@openssh.com
  umac-128-etm@openssh.com

The server supports the following options for compression_algorithms_client_to_server :
  none
  zlib@openssh.com

The server supports the following options for compression_algorithms_server_to_client :
  none
  zlib@openssh.com

Based on that, I can only assume either the sshd_config file I am updating is not the one in use, or I am doing something wrong.

Thanks for your suggestions and recommendations.

Kind regards
SK

On Mon, 17 Feb 2020 at 16:40, Shamim Shahriar <shamim.shahriar@gmail.com> wrote:
> Thank you all for your suggestions, very much appreciated.
>
> I did put in the cipher list, but not the MAC or KexAlgorithms, maybe that
> will make some change to the report. I will put it in and in case the
> vulnerability pops up again, I'll get back to you.
>
> Kind regards
> SK
>
> On Mon, 17 Feb 2020 at 15:51, Vikashb Badal <vikashb@where-ever.za.net> wrote:
>>
>> On 17/02/2020 17:09, Shamim Shahriar wrote:
>> > Good afternoon all
>> >
>> > I had been googling for quite some time and so far came up empty, maybe
>>
>> i don't know if there is a best practice for these atm, i usually update
>> /etc/ssh/sshd_config and add/replace:
>>
>> Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
>> MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
>>
>> https://man.openbsd.org/sshd_config#Ciphers
>> https://man.openbsd.org/sshd_config#MACs
>>
>> "ssh -Q cipher" and "ssh -Q mac" will provide you a list of ciphers
>> currently allowed,
>>
>> > someone can shed some light or point me to the correct direction.
>> >
>> > I have introduced a bunch of servers into an infrastructure that previously
>> > had zero FreeBSD system. They make use of Tenable Security Centre (
>> > tenable.com) which I believe used Nessus in the backend to identify
>> > vulnerabilities. Amongst other things, it is picking up on (tenable/nessus
>> > plugin ID 90317) "SSH Weak Algorithms Supported" because the server allows
>> > "none" algorithms.
>> >
>> > Is there any way to "select" or "selectively disable" algorithms and hashes
>> > from sshd? According to various web sources, certain implementation on
>> > certain distributions might have options to amend the list, but none of the
>> > examples I have found worked on my FreeBSD system.
>> >
>> > Would appreciate if someone could please point me to the correct direction.
>> >
>> > Kind regards
>> > SK
>> > _______________________________________________
>> > freebsd-questions@freebsd.org mailing list
>> > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
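A check for the situation described in this message, added here as an example and not code from the thread or from OpenSSH. It is built on OpenSSH's `sshd -T` (extended test mode), which parses a config file and prints the effective settings one lowercase keyword per line, such as `ciphers a,b,c`; that is the server-side view, whereas `ssh -Q cipher` only lists what the ssh client binary was built to support and therefore does not change when sshd_config changes. The POLICY allow-list is copied from the sshd_config lines above; the two `sshd -T` outputs embedded below are constructed samples, not captured from the poster's machine, and `audit_config_file` is the hypothetical wrapper that runs the real command.

```python
"""Audit the algorithms sshd actually offers against an allow-list.

Added example, not code from the thread. It depends on OpenSSH's
`sshd -T` (extended test mode): sshd parses the config, prints the
effective settings one lowercase keyword per line ("ciphers a,b,c")
and exits. `ssh -Q cipher`, by contrast, reports what the ssh client
binary supports, so it is not a test of the server configuration.
"""
import subprocess
from typing import Dict, List

# Allow-list copied from the sshd_config lines in the message above.
POLICY: Dict[str, List[str]] = {
    "ciphers": [
        "chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
        "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr",
    ],
    "macs": [
        "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
        "umac-128-etm@openssh.com",
    ],
    "kexalgorithms": [
        "curve25519-sha256@libssh.org", "diffie-hellman-group18-sha512",
        "diffie-hellman-group16-sha512", "diffie-hellman-group14-sha256",
    ],
}


def parse_sshd_t(output: str) -> Dict[str, List[str]]:
    """Turn `sshd -T` output into {keyword: [values]}.

    Every keyword is kept; list-valued ones (ciphers, macs, ...) are
    comma-separated, so splitting on ',' gives one entry per algorithm.
    """
    effective: Dict[str, List[str]] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        effective[key.lower()] = [v for v in value.split(",") if v]
    return effective


def audit(effective: Dict[str, List[str]],
          policy: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {keyword: [algorithms offered that the policy does not allow]}.

    An empty dict means the effective configuration matches the policy.
    A policy keyword absent from the sshd -T output is reported too, since
    that means the wrong config file or an unparsed directive.
    """
    findings: Dict[str, List[str]] = {}
    for key, allowed in policy.items():
        if key not in effective:
            findings[key] = ["<keyword missing from sshd -T output>"]
            continue
        extra = [alg for alg in effective[key] if alg not in allowed]
        if extra:
            findings[key] = extra
    return findings


def audit_config_file(config_path: str = "/etc/ssh/sshd_config") -> Dict[str, List[str]]:
    """Hypothetical wrapper: run sshd -T on a config file and audit the result.

    Needs OpenSSH installed and normally root, because sshd reads the host
    keys while building the effective configuration.
    """
    proc = subprocess.run(["sshd", "-T", "-f", config_path],
                          capture_output=True, text=True, check=True)
    return audit(parse_sshd_t(proc.stdout), POLICY)


# Constructed sample of sshd -T output for a config that still offers
# CBC ciphers and SHA-1 based MACs/KEX (illustrative values only).
SAMPLE_BEFORE = """\
port 22
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
"""

# Constructed sample after the three directives from the message take effect.
SAMPLE_AFTER = """\
port 22
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256
"""

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(parse_sshd_t(sample), POLICY))
```

Running `audit_config_file()` on the host answers the poster's own question directly: if `sshd -T -f /etc/ssh/sshd_config` already reports the trimmed lists while a scanner still sees more, the running daemon is not reading that file (or was not restarted), and if `sshd -T` itself still shows the old lists, the directives are being overridden or mis-parsed. Comparing the scanner's per-direction lists against the same POLICY works the same way, since `audit` only needs a keyword-to-list mapping.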