From owner-freebsd-questions@freebsd.org Mon Feb 17 17:02:11 2020 Return-Path: Delivered-To: freebsd-questions@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 9397B23F131 for ; Mon, 17 Feb 2020 17:02:11 +0000 (UTC) (envelope-from shamim.shahriar@gmail.com) Received: from mail-qk1-x735.google.com (mail-qk1-x735.google.com [IPv6:2607:f8b0:4864:20::735]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 48Lqz63j0Tz4BGg for ; Mon, 17 Feb 2020 17:02:10 +0000 (UTC) (envelope-from shamim.shahriar@gmail.com) Received: by mail-qk1-x735.google.com with SMTP id h4so16853173qkm.0 for ; Mon, 17 Feb 2020 09:02:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=mK+WC/wB0IMt/3gAE9fPvmimlPXhdeyXM6gbclzelRY=; b=NbqR3VLDo5TLIwycx8yqRsGAYip0o3/tjTlZphT9uf8zhP5md81HFMfRoiNJ5KnHGP MarPrMncpp1RmBI9uw6FulrDVxrXJBZDZ/tn6qjsz/ZbeDncDL0UCNM5LVsjnLl9s8mw 1aOyVnehwmiuArajLsCJGkBNaKupSI1Ovw/mcc1G1kxUXanqcovqKpe/q/FRkY0TOOBS h9nazkc46HsuD8HyjwaJWNuDGLvC3o4DU2wl+E7ecZHLOcM009hGZBKg+iQeTs42mKYN ZD1jfNcZhiDpKvgxPzBZM23DIEjyG9JA/AClBUV0uCAv0NG1TnesTmdxxbfVUGVzPAzA Elww== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=mK+WC/wB0IMt/3gAE9fPvmimlPXhdeyXM6gbclzelRY=; b=GAcU6Xv94Qx5dFpd29TVc9xb+u+4oFpT+4EVcRo5fdN8B+0KxlLbwW+2+dWJr0Uy0D gDFYphGDN8CqiCHIpoUybWvtDN12y3Gi+dKCC3MVgf1FCjRVkuHKeZ1JHEC8EIHxx3jR FoP9e28KriZmeKGH1+gGj1t2pJlvHLJu8gsid3J9c9UG/fQvgctBMFK93kLQeyahovEp QcHrrD+xoO0v/6x9GaEBC+zcM/bvfkAGTaDfZ8oWVdVtQdzQHDIYTaCcS7uDckeBiOKb toC3fI7u+oLNYBxOGC0b9HK1zT3vFFFHuN4s/VRYweKjiQ56NKUQnETA6ry9NZ2llScK pGHw== X-Gm-Message-State: APjAAAUraLhwx52/EbbWNR1FK+ITm0CCw00cvwz7CVTp3EIMCwfv+aEd E2+FLez4E8Qyd9bkRWhFSfA5/8ql9ZM21n685zFgNso= X-Google-Smtp-Source: APXvYqyjYuCxyWp1pWUpS10wAC2SR4A8Kt6BMLwBYIP9VNIVm/md4EfHc3Qzxi2UqV3hMfLi+YE6hjr+Kqxgy/6xOIM= X-Received: by 2002:a37:2701:: with SMTP id n1mr81757qkn.117.1581958928607; Mon, 17 Feb 2020 09:02:08 -0800 (PST) MIME-Version: 1.0 References: <79ccdac5-a26b-7a21-5ecb-014d526265c6@where-ever.za.net> In-Reply-To: From: Shamim Shahriar Date: Mon, 17 Feb 2020 17:01:57 +0000 Message-ID: Subject: Re: disabling "weak" algorithms in sshd To: "freebsd-questions@FreeBSD.org" X-Rspamd-Queue-Id: 48Lqz63j0Tz4BGg X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20161025 header.b=NbqR3VLD; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of shamimshahriar@gmail.com designates 2607:f8b0:4864:20::735 as permitted sender) smtp.mailfrom=shamimshahriar@gmail.com X-Spamd-Result: default: False [-3.00 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; FREEMAIL_FROM(0.00)[gmail.com]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-questions@freebsd.org]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; RCVD_COUNT_TWO(0.00)[2]; RCPT_COUNT_ONE(0.00)[1]; IP_SCORE_FREEMAIL(0.00)[]; IP_SCORE(0.00)[ip: (-9.25), ipnet: 2607:f8b0::/32(-1.89), asn: 15169(-1.68), country: US(-0.05)]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; RCVD_IN_DNSWL_NONE(0.00)[5.3.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org : 127.0.5.0]; TO_DN_EQ_ADDR_ALL(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; TAGGED_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com.dwl.dnswl.org : 127.0.5.0] Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Feb 2020 17:02:11 -0000 Okay, I added the following changes to /etc/ssh/sshd_config Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com, aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com KexAlgorithms curve25519-sha256@libssh.org ,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256 and then restarted the ssh daemon The output for ssh -Q ciphers or ssh -Q mac was identical before and after. Also, Nessus/Tenable is still complaining. Nessus negotiated the following encryption algorithm with the server : The server supports the following options for kex_algorithms : curve25519-sha256@libssh.org diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 The server supports the following options for server_host_key_algorithms : ecdsa-sha2-nistp256 rsa-sha2-256 rsa-sha2-512 ssh-ed25519 ssh-rsa The server supports the following options for encryption_algorithms_client_to_server : aes128-ctr aes128-gcm@openssh.com aes192-ctr aes256-ctr aes256-gcm@openssh.com chacha20-poly1305@openssh.com none The server supports the following options for encryption_algorithms_server_to_client : aes128-ctr aes128-gcm@openssh.com aes192-ctr aes256-ctr aes256-gcm@openssh.com chacha20-poly1305@openssh.com none The server supports the following options for mac_algorithms_client_to_server : hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com umac-128-etm@openssh.com The server supports the following options for mac_algorithms_server_to_client : hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com umac-128-etm@openssh.com The server supports the following options for compression_algorithms_client_to_server : none zlib@openssh.com The server supports the following options for compression_algorithms_server_to_client : none zlib@openssh.com Based on that, I can only assume either the sshd_config file I am updating is not the one in use, or I am doing something wrong. Thanks for your suggestions and recommendations Kind regards SK On Mon, 17 Feb 2020 at 16:40, Shamim Shahriar wrote: > Thank you all for your suggestions, very much appreciated. > > I did put in the cipher list, but not the MAC or KexAlgorithms, maybe that > will make some change to the report. I will put it in and in case the > vulnerability pops up again, I'll get back to you. > > Kind regards > SK > > On Mon, 17 Feb 2020 at 15:51, Vikashb Badal > wrote: > >> >> On 17/02/2020 17:09, Shamim Shahriar wrote: >> > Good afternoon all >> > >> > I had been googling for quite some time and so far came up empty, maybe >> >> i don't know if there is a best practice for these atm, i usually update >> /etc/ssh/shd_config and add/replace: >> >> Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128 >> MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160 >> >> https://man.openbsd.org/sshd_config#Ciphers >> >> https://man.openbsd.org/sshd_config#MACs >> >> >> "ssh -Q cipher" and "ssh -Q mac" will provide you a list of ciphers >> currently >> allowed, >> >> >> > someone can shed some light or point me to the correct direction. >> > >> > I have introduced a bunch of servers into an infrastructure that >> previously >> > had zero FreeBSD system. They make use of Tenable Security Centre ( >> > tenable.com) which I believe used Nessus in the backend to identify >> > vulnerabilities. Amongst other things, it is picking up on >> (tenable/nessus >> > plugin ID 90317) "SSH Weak Algorithms Supported) because the server >> allows >> > "none" algorithms. >> > >> > Is there any way to "select" or "selectively disable" algorithms and >> hashes >> > from sshd? According to various web sources, certain implementation on >> > certain distributions might have options to amend the list, but none of >> the >> > examples I have found worked on my FreeBSD system. >> > >> > Would appreciate if someone could please point me to the correct >> direction. >> > >> > Kind regards >> > SK >> > _______________________________________________ >> > freebsd-questions@freebsd.org mailing list >> > https://lists.freebsd.org/mailman/listinfo/freebsd-questions >> > To unsubscribe, send any mail to " >> freebsd-questions-unsubscribe@freebsd.org" >> _______________________________________________ >> freebsd-questions@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-questions >> To unsubscribe, send any mail to " >> freebsd-questions-unsubscribe@freebsd.org" >> >