efa-project.org


https://forum.efa-project.org/

ssh vulnerable

https://forum.efa-project.org/viewtopic.php?t=5308

Page 1 of 1

ssh vulnerable

Posted: 25 Dec 2023 08:41
by tesme33
Hi

there is a weakness in SSH with can be used to exploid connections.

Code: Select all

https://forum.netgate.com/topic/184941/terrapin-ssh-attack

Code: Select all

https://cloud.google.com/knowledge/kb/disable-weak-ssh-ciphers-for-compute-engine-linux-vms-000004592


How to check :

Code: Select all

nmap --script ssh2-enum-algos -sV -p 22 <IP>
Workaround (on Centos 7 !! for other releases use sshd -T | grep -i 'cipher' to check available ciphers and remove the chacha20-poly1305@openssh.com from the list before adding to sshd_config ):

add the following line to your /etc/ssh/sshd_config

Code: Select all

ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
and restart the service.

Code: Select all

service sshd restart

I know the etm based MAC are also weak but not as easy as the cipher itself.

Re: ssh vulnerable

Posted: 25 Dec 2023 16:04
by tesme33
Hi
checked a little bit some other sources also and it seem that disabling the -etm macs is also advisable.

Same as for ciphers.

get the current list of macs:

Code: Select all

sshd -T | grep -i 'mac'
remove the ones with -etm in the name and add a line at the end to /etc/sshd/config.

sample for centos 7:

Code: Select all

macs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited