Disable or remove CBC Mode Ciphers

Issues related to applications and software problems
labuss
Posts: 9
Joined: 2018/09/17 18:55:44

Disable or remove CBC Mode Ciphers

Post by labuss » 2019/01/23 19:09:48

Is there a preferred method for disabling CBC Mode Ciphers from the ssh config? Below is the Nessus scan result:

--------------------------------------------------------
70658 - SSH Server CBC Mode Ciphers Enabled
Synopsis
The SSH server is configured to use Cipher Block Chaining.
Description
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.

Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Solution
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
1.9 (CVSS2#E:U/RL:OF/RC:C)
References

BID 32319
CVE CVE-2008-5161
XREF CERT:958563
XREF CWE:200
Plugin Information:
Published: 2013/10/28, Modified: 2018/07/30
Plugin Output
tcp/22

The following client-to-server Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc

The following server-to-client Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
--------------------------------------------------------

There are no Ciphers specifically named in the /etc/ssh/sshd_config, but these "cbc" ciphers are listed in the list of defaults.

Can I simply add a Ciphers config line, calling out all other ciphers, except the "cbc" ones? If so, would I need to do this in both the sshd_config and ssh_config files?

Thanks
-LB

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Disable or remove CBC Mode Ciphers

Post by hunter86_bg » 2019/01/23 21:43:10

Actually you answered your question. Define all but the weak ones. Configure sshd - for the server and ssh - for connections from this machine. Usually security auditors mean the server.
Check this one.
Hint: ssh daemon has a built-in syntax checker. Use sshd -t to test the config, while sshd -T to test and show current settings.

At the end, just reload the daemon.

labuss
Posts: 9
Joined: 2018/09/17 18:55:44

[Solved] Re: Disable or remove CBC Mode Ciphers

Post by labuss » 2019/01/24 16:08:40

Thanks for the response!

I did just that, enabled the stronger ciphers only by adding the Ciphers option in /etc/ssh/sshd_config and ssh_config.
==========

Added this line to /etc/ssh/sshd_config and /etc/ssh/ssh_config, then restarted sshd: systemctl restart sshd

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

Clean Nessus scan now.

Cheers!
-LB

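The two steps the thread settles on (read the effective cipher list with sshd -T, write a Ciphers line without the -cbc entries, then verify the file) can be scripted. The following is an added example, not code from either poster or from OpenSSH: the function names strip_cbc, cbc_count and config_cbc_status are my own, and the "ciphers ..." sample line is constructed to match the CBC defaults the Nessus output above reports. On a real host the input would come from sshd -T and the resulting line would be checked with sshd -t before reloading.

```shell
#!/bin/sh
# Added example: derive a CBC-free "Ciphers" line from an `sshd -T` style
# "ciphers a,b,c" line and verify that an sshd_config no longer offers CBC.

# Constructed sample: what `sshd -T | grep -i '^ciphers'` might print on a
# host whose build defaults still include the CBC ciphers seen in the scan.
SAMPLE_SSHD_T='ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc'

# strip_cbc: read "ciphers a,b,c" on stdin, print "Ciphers a,b" with every
# cipher whose name ends in -cbc removed. Everything else (CTR, GCM) is kept.
# Real-host usage: sshd -T | grep -i '^ciphers' | strip_cbc >> /etc/ssh/sshd_config
strip_cbc() {
    sed 's/^[Cc]iphers[[:space:]]*//' | tr ',' '\n' \
        | grep -v -- '-cbc$' | paste -s -d ',' - | sed 's/^/Ciphers /'
}

# cbc_count LIST: print how many entries of a comma-separated cipher list
# are CBC ciphers (0 when none). `|| true` keeps grep's "no match" exit
# status from aborting callers that run under set -e.
cbc_count() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -c -- '-cbc$' || true
}

# config_cbc_status FILE: exit 0 if FILE has an explicit Ciphers line with no
# CBC entries, 1 if its Ciphers line still lists a -cbc cipher, 2 if there is
# no Ciphers line at all (then the build's defaults apply and only `sshd -T`
# can tell you what is really offered, as the scan in this thread shows).
# The last Ciphers line wins, which is how sshd treats repeated keywords only
# for the first one; sshd uses the FIRST occurrence, so the caller should
# keep a single Ciphers line in the file.
config_cbc_status() {
    line=$(grep -i '^[[:space:]]*Ciphers[[:space:]]' "$1" | head -n 1)
    [ -n "$line" ] || return 2
    list=$(printf '%s\n' "$line" | awk '{print $2}')
    [ "$(cbc_count "$list")" -eq 0 ] && return 0
    return 1
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SSHD_T" | strip_cbc
echo "CBC ciphers in sample: $(cbc_count "${SAMPLE_SSHD_T#ciphers }")"
```

After writing the generated line into /etc/ssh/sshd_config, run sshd -t to confirm the daemon accepts it and sshd -T | grep -i '^ciphers' to confirm no -cbc entry remains, then reload. config_cbc_status is only a file-level check: a file with no Ciphers keyword passes through as status 2 precisely because, as the original post found, the defaults of an older OpenSSH build can still include CBC.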
