Thursday, September 22, 2016

Disable Cipher Block Chaining (CBC) Mode Ciphers and Weak MAC Algorithms in SSH

While running a vulnerability scan with OpenVAS today, I came across the following finding:
SSH Weak Encryption Algorithms Supported

Vulnerability Detection Result
The following weak client-to-server encryption algorithms are supported by the remote service:

aes128-cbc
arcfour256
cast128-cbc
aes192-cbc
3des-cbc
arcfour128
rijndael-cbc@lysator.liu.se
aes256-cbc
arcfour
blowfish-cbc

The following weak server-to-client encryption algorithms are supported by the remote service:

aes128-cbc
arcfour256
cast128-cbc
aes192-cbc
3des-cbc
arcfour128
rijndael-cbc@lysator.liu.se
aes256-cbc
arcfour
blowfish-cbc
After a quick search, the fix turned out to be simple: open the SSH daemon configuration and add the following lines
vi /etc/ssh/sshd_config

Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha1
Restart the service
systemctl restart sshd
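Before and after editing sshd_config it helps to have a quick check that reports which of the flagged algorithms a config file still allows. The script below is an added example, not part of the original post: it reads the `Ciphers` and `MACs` directives from a config file, lists the entries matching the CBC and arcfour names that OpenVAS reported, and exits non-zero if the file needs work. The weak-MAC pattern (MD5 and 96-bit truncated MACs) is my own assumption, since the post only lists the ciphers; the two sample config files are constructed for the demonstration and do not come from any real host.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the CBC-mode and arcfour (RC4)
# ciphers flagged by OpenVAS, plus MACs commonly rated weak. Read-only:
# nothing here modifies the live /etc/ssh/sshd_config.

WEAK_CIPHER_RE='cbc|arcfour'   # every cipher in the OpenVAS list matches one of these
WEAK_MAC_RE='md5|-96$'         # assumption: hmac-md5* and *-96 variants count as weak

# Print the comma-separated subset of a directive's algorithm list matching a
# weak-name regex. $1 = directive (Ciphers/MACs), $2 = regex, $3 = config file.
# Prints nothing when the directive is absent or has no weak entries.
weak_algs() {
    awk -v key="$1" -v re="$2" '
        tolower($1) == tolower(key) {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++)
                if (a[i] ~ re) out = (out == "" ? a[i] : out "," a[i])
        }
        END { print out }
    ' "$3"
}

# Return 0 when the directive is set explicitly, 1 when the server's built-in
# default (which on older OpenSSH still includes CBC ciphers) would apply.
has_directive() {
    awk -v key="$1" 'tolower($1) == tolower(key) { found = 1 } END { exit !found }' "$2"
}

# Audit one config file: prints one line per directive, returns 0 if it looks
# hardened and 1 if any directive is missing or still lists a weak algorithm.
audit_sshd_config() {
    cfg=$1; rc=0
    for d in Ciphers MACs; do
        if [ "$d" = Ciphers ]; then re=$WEAK_CIPHER_RE; else re=$WEAK_MAC_RE; fi
        if ! has_directive "$d" "$cfg"; then
            echo "$d: not set, server defaults apply - set it explicitly"; rc=1
        else
            weak=$(weak_algs "$d" "$re" "$cfg")
            if [ -n "$weak" ]; then
                echo "$d: weak entries -> $weak"; rc=1
            else
                echo "$d: ok"
            fi
        fi
    done
    return $rc
}

# Constructed sample configs: one as a scanner would flag it, one with the
# Ciphers/MACs lines from the fix above.
BEFORE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat >"$BEFORE" <<'EOF'
Port 22
Ciphers aes128-cbc,aes256-ctr,arcfour,3des-cbc
MACs hmac-md5,hmac-sha1
EOF
cat >"$AFTER" <<'EOF'
Port 22
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha1
EOF

audit_sshd_config "$BEFORE" || echo "=> $BEFORE needs hardening"
audit_sshd_config "$AFTER"  && echo "=> $AFTER looks hardened"
```

Run it against a copy of the real file with `audit_sshd_config /etc/ssh/sshd_config`. After editing, `sshd -t` checks the file for syntax errors before the restart, and `sshd -T | grep -Ei '^(ciphers|macs)'` prints the effective algorithm lists the daemon will actually use. Restricting ciphers to CTR mode can lock out very old clients that only speak CBC, so check which clients connect to the host before rolling the change out.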
That's it.

Reference

How to harden SSH on CentOS 6.5

FAQ: How do I disable Cipher Block Chaining (CBC) Mode Ciphers and Weak MAC Algorithms in SSH in IBM PureData System for Operational Analytics
