Date:      Thu, 10 Feb 2022 17:36:56 -0700 (MST)
From:      Dale Scott <dalescott@shaw.ca>
To:        Michael Sierchio <kudzu@tenebras.com>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: how to disable support for MD5 in ssh server
Message-ID:  <794833962.575681741.1644539816770.JavaMail.zimbra@shaw.ca>
In-Reply-To: <CAHu1Y71zJMTFu5W28_bgFqOKKsgMXcR3a%2BTWqVQdp78pt8O90w@mail.gmail.com>
References:  <1764040332.569007319.1644431923007.JavaMail.zimbra@shaw.ca> <CAHu1Y71zJMTFu5W28_bgFqOKKsgMXcR3a%2BTWqVQdp78pt8O90w@mail.gmail.com>


The report was bunk (or at least the part that alarmed me). After following a few rabbit holes I finally realized most of the issues were coming from a dot com TLD with the same domain name that had been included in my scorecard. I'm assuming SecurityScorecard's analytics default to assuming anyone who cares probably owns all the common TLD variants of their domain name. I challenged the relevant issues and they are being removed from my scorecard.

However I don't consider this exercise a total waste of time. They found a VNC service I had forgotten I enabled (a VirtualBox VM console), they confirmed I hadn't done anything else stupid, and, after wading through the noise, I now know twice as much about my server as I did before. ;-)

Thanks everyone for your help. 

> From: "Michael Sierchio" <kudzu@tenebras.com>
> To: "freebsd-questions" <freebsd-questions@freebsd.org>
> Sent: Thursday, February 10, 2022 3:16:35 PM
> Subject: Re: how to disable support for MD5 in ssh server

> On Wed, Feb 9, 2022 at 10:39 AM Dale Scott < [ mailto:dalescott@shaw.ca |
> dalescott@shaw.ca ] > wrote:

>> Hi all, I'm a security novice so I signed up with SecurityScorecard for a
>> review.

>> My scorecard has 3 points subtracted because "The SSH server is configured to
>> support MD5 algorithm."

>> I've read through SSHD_CONFIG(5) and the Ciphers section doesn't include MD5 in
>> defaults.

>> I also don't see MD5 listed in the response to "# sshd -T | grep
>> "\(ciphers\|macs\|kexalgorithms\)"

> I would conclude that SecurityScorecard is bunk, incompetent, a waste of time.

> sshd -T | grep "\(ciphers\|macs\|kexalgorithms\|hostkeyalgorithms\)"

> Certainly says what your server is willing to negotiate. Who knows why they came
> to the conclusion they did.
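
One way to run the check Michael describes and flag MD5 (and other legacy) algorithms automatically, as an added example that is not part of the original thread: the function below reads `sshd -T` output (the effective, post-parsing configuration, so run it as root on the server itself) and prints every weak algorithm with the keyword it appears under. The two samples are constructed for illustration, not captured from a real host, and the set of patterns treated as weak is this example's own choice.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the algorithm lists an
# OpenSSH server will negotiate, as printed by `sshd -T`, and flag legacy ones.
# Assumptions: input is in `sshd -T` shape (lowercase keyword, space, value);
# the patterns treated as weak below are this example's own choice.

# weak_ssh_algos: read `sshd -T` output on stdin, print "keyword: algorithm"
# for every weak entry, and return 1 if any was found (0 if the lists are clean).
weak_ssh_algos() {
    awk '
        $1 == "ciphers" || $1 == "macs" || $1 == "kexalgorithms" || $1 == "hostkeyalgorithms" {
            n = split($2, algos, ",")
            for (i = 1; i <= n; i++) {
                a = algos[i]
                # MD5 MACs, truncated (-96) MACs, RC4, CBC ciphers, DSA host keys
                if (a ~ /md5/ || a ~ /-96$/ || a ~ /-96@/ || a ~ /^arcfour/ || a ~ /-cbc$/ || a ~ /^ssh-dss$/) {
                    print $1 ": " a
                    found = 1
                }
            }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample in `sshd -T` shape (not captured from a real server),
# with hmac-md5 and a truncated MAC deliberately present.
SAMPLE_WITH_MD5='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-sha2-256,hmac-md5,hmac-sha1-96
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256
hostkeyalgorithms ssh-ed25519,rsa-sha2-512'

# Constructed sample with only modern algorithms.
SAMPLE_CLEAN='ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com
kexalgorithms curve25519-sha256
hostkeyalgorithms ssh-ed25519'

# Demo on the constructed sample. On a real server run (as root):
#   sshd -T | weak_ssh_algos
# and compare with what the binary could offer if it were configured to:
#   ssh -Q mac | grep -i md5
printf '%s\n' "$SAMPLE_WITH_MD5" | weak_ssh_algos || echo "weak algorithms found"
```

`sshd -T` reports what is configured; `ssh -Q mac` lists what the binary supports regardless of configuration. A remote scanner only sees the algorithm lists the server actually offers in its KEXINIT, so if `sshd -T` shows no MD5 MAC the finding cannot be about this sshd. Before chasing it further, confirm the scanner's target host and port, and evaluate any `Match` block with `sshd -T -C user=...,host=...,addr=...`, since those can change the effective lists for particular clients.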




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?794833962.575681741.1644539816770.JavaMail.zimbra>