Date:      Mon, 17 Feb 2020 17:07:12 +0000
From:      Shamim Shahriar <shamim.shahriar@gmail.com>
To:        "freebsd-questions@FreeBSD.org" <freebsd-questions@freebsd.org>
Subject:   Re: disabling "weak" algorithms in sshd
Message-ID:  <CAOyJeZRJxBezSQu1wJPWQiq_oa1s2SmxCEPQX8yp2yuC%2BML4XA@mail.gmail.com>
In-Reply-To: <CAOyJeZTs85XhEKj71dyzr0YB02CzNfH57_COmBwMcds_Zrrcmg@mail.gmail.com>
References:  <CAOyJeZTbbkpznciYMaCOWswrtDDbo9AGiBdw3i6tcaz__CjS%2BQ@mail.gmail.com> <79ccdac5-a26b-7a21-5ecb-014d526265c6@where-ever.za.net> <CAOyJeZS%2BxzaHRe8zeUyXbyLofRGo97p97gvuUHYVeutkFUzJAQ@mail.gmail.com> <CAOyJeZTs85XhEKj71dyzr0YB02CzNfH57_COmBwMcds_Zrrcmg@mail.gmail.com>

Hello again

I applied the modifications to another system, and this one is giving me the
correct result (no further reference to the "none" encryption algorithm).
This implies there may be a problem with the other server that I will need
to look into. Fortunately it is NOT connected to the internet.

Thank you all once again for your help and the pointers.

Best regards
SK

On Mon, 17 Feb 2020 at 17:01, Shamim Shahriar <shamim.shahriar@gmail.com>
wrote:

> Okay, I added the following changes to /etc/ssh/sshd_config
>
> Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
> MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
> KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256
>
> and then restarted the ssh daemon
>
> The output for ssh -Q ciphers or ssh -Q mac was identical before and after.
>
> Also, Nessus/Tenable is still complaining.
>
> Nessus negotiated the following encryption algorithm with the server :
>
> The server supports the following options for kex_algorithms :
>
> curve25519-sha256@libssh.org
> diffie-hellman-group14-sha256
> diffie-hellman-group16-sha512
> diffie-hellman-group18-sha512
>
> The server supports the following options for server_host_key_algorithms :
>
> ecdsa-sha2-nistp256
> rsa-sha2-256
> rsa-sha2-512
> ssh-ed25519
> ssh-rsa
>
> The server supports the following options for encryption_algorithms_client_to_server :
>
> aes128-ctr
> aes128-gcm@openssh.com
> aes192-ctr
> aes256-ctr
> aes256-gcm@openssh.com
> chacha20-poly1305@openssh.com
> none
>
> The server supports the following options for encryption_algorithms_server_to_client :
>
> aes128-ctr
> aes128-gcm@openssh.com
> aes192-ctr
> aes256-ctr
> aes256-gcm@openssh.com
> chacha20-poly1305@openssh.com
> none
>
> The server supports the following options for mac_algorithms_client_to_server :
>
> hmac-sha2-256-etm@openssh.com
> hmac-sha2-512-etm@openssh.com
> umac-128-etm@openssh.com
>
> The server supports the following options for mac_algorithms_server_to_client :
>
> hmac-sha2-256-etm@openssh.com
> hmac-sha2-512-etm@openssh.com
> umac-128-etm@openssh.com
>
> The server supports the following options for compression_algorithms_client_to_server :
>
> none
> zlib@openssh.com
>
> The server supports the following options for compression_algorithms_server_to_client :
>
> none
> zlib@openssh.com
>
> Based on that, I can only assume either the sshd_config file I am updating
> is not the one in use, or I am doing something wrong.
>
> Thanks for your suggestions and recommendations
>
> Kind regards
> SK
>
>
> On Mon, 17 Feb 2020 at 16:40, Shamim Shahriar <shamim.shahriar@gmail.com>
> wrote:
>
>> Thank you all for your suggestions, very much appreciated.
>>
>> I did put in the cipher list, but not the MAC or KexAlgorithms, maybe
>> that will make some change to the report. I will put it in and in case the
>> vulnerability pops up again, I'll get back to you.
>>
>> Kind regards
>> SK
>>
>> On Mon, 17 Feb 2020 at 15:51, Vikashb Badal <vikashb@where-ever.za.net>
>> wrote:
>>
>>>
>>> On 17/02/2020 17:09, Shamim Shahriar wrote:
>>> > Good afternoon all
>>> >
>>> > I had been googling for quite some time and so far came up empty, maybe
>>>
>>> I don't know if there is a best practice for these atm; I usually update
>>> /etc/ssh/sshd_config and add/replace:
>>>
>>> Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
>>> MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
>>>
>>> https://man.openbsd.org/sshd_config#Ciphers
>>>
>>> https://man.openbsd.org/sshd_config#MACs
>>>
>>>
>>> "ssh -Q cipher" and "ssh -Q mac" will provide you with a list of ciphers
>>> currently allowed.
>>>
>>>
>>> > someone can shed some light or point me to the correct direction.
>>> >
>>> > I have introduced a bunch of servers into an infrastructure that previously
>>> > had zero FreeBSD systems. They make use of Tenable Security Centre (
>>> > tenable.com) which I believe uses Nessus in the backend to identify
>>> > vulnerabilities. Amongst other things, it is picking up on (tenable/nessus
>>> > plugin ID 90317) "SSH Weak Algorithms Supported" because the server allows
>>> > "none" algorithms.
>>> >
>>> > Is there any way to "select" or "selectively disable" algorithms and hashes
>>> > from sshd? According to various web sources, certain implementations on
>>> > certain distributions might have options to amend the list, but none of the
>>> > examples I have found worked on my FreeBSD system.
>>> >
>>> > Would appreciate it if someone could please point me in the correct
>>> > direction.
>>> >
>>> > Kind regards
>>> > SK
>>> > _______________________________________________
>>> > freebsd-questions@freebsd.org mailing list
>>> > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>>
>>
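Added example (not part of the thread, not FreeBSD or OpenSSH project code): a POSIX sh audit of what sshd is actually configured to offer, checked against the Ciphers/MACs/KexAlgorithms lines posted above. The point it illustrates is the one the thread stumbles over: `ssh -Q cipher` and `ssh -Q mac` list every algorithm the installed binary supports and are unaffected by sshd_config, so their output cannot change after editing the file; `sshd -T` (run as root so the host keys are readable, with `-C user=...,host=...,addr=...` if the file has Match blocks) prints the effective configuration of the sshd binary that reads that file. The two `sshd -T` dumps in the script are constructed samples, one reproducing the "none" symptom from the scanner report, not output captured from the hosts in the thread; the function names are the example's own.

```shell
#!/bin/sh
# Audit the algorithms sshd is configured to offer against an allowlist.
# Input is the output of `sshd -T`: one "keyword value" line per option,
# keywords lowercased, list values comma-separated. Unlike `ssh -Q cipher`,
# which lists what the binary supports, `sshd -T` reflects sshd_config.

# Allowlist: the Ciphers/MACs/KexAlgorithms lines posted in the thread.
ALLOWED_CIPHERS='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
ALLOWED_MACS='hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com'
ALLOWED_KEX='curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256'

# list_contains LIST ITEM: succeed if ITEM is an entry of comma-separated LIST.
list_contains() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# offered_algs DUMP KEYWORD: print the value of KEYWORD from an sshd -T dump.
offered_algs() {
    printf '%s\n' "$1" | awk -v kw="$2" '$1 == kw { print $2; exit }'
}

# check_algs DUMP KEYWORD ALLOWLIST: print every offered algorithm that is
# not in ALLOWLIST and return 1; return 0 if everything offered is allowed;
# return 2 if KEYWORD does not appear in the dump at all.
check_algs() {
    dump=$1; kw=$2; allowed=$3; bad=0
    offered=$(offered_algs "$dump" "$kw")
    if [ -z "$offered" ]; then
        printf '%s: keyword not present in dump\n' "$kw" >&2
        return 2
    fi
    # Algorithm names never contain whitespace, so tr is enough to split.
    for alg in $(printf '%s' "$offered" | tr ',' ' '); do
        if ! list_contains "$allowed" "$alg"; then
            printf '%s: %s not in allowlist\n' "$kw" "$alg"
            bad=1
        fi
    done
    return $bad
}

# audit_dump DUMP: run all three checks; succeed only if all of them do.
audit_dump() {
    rc=0
    check_algs "$1" ciphers       "$ALLOWED_CIPHERS" || rc=1
    check_algs "$1" macs          "$ALLOWED_MACS"    || rc=1
    check_algs "$1" kexalgorithms "$ALLOWED_KEX"     || rc=1
    return $rc
}

# Constructed sample dumps (not captured from the hosts in the thread).
# SAMPLE_BAD reproduces the symptom the scanner reported: "none" offered.
SAMPLE_BAD='port 22
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,none
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256'
SAMPLE_GOOD='port 22
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256'

# Demo on the samples. On a real host (as root, so host keys are readable):
#   dump=$(sshd -T) && audit_dump "$dump"
# Add -C user=...,host=...,addr=... to sshd -T if sshd_config has Match blocks.
for name in SAMPLE_GOOD SAMPLE_BAD; do
    eval "dump=\$$name"
    if audit_dump "$dump"; then
        printf '%s: everything offered is in the allowlist\n' "$name"
    else
        printf '%s: sshd offers algorithms outside the allowlist\n' "$name"
    fi
done
```

If `sshd -T` on the affected host does not list "none" but the scanner still sees it, the daemon answering on that port is not the one reading the edited file (not restarted, or a different sshd binary or config path), which is the first thing to rule out before suspecting the config syntax.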


