SSH is configured to allow MD5 and 96-bit MAC algorithms

system · February 17, 2015, 12:02am

Hi There

##########################
Following is my current configuration on Vyatta device:-

vyatta@vyatta:/etc/ssh$ cat ssh_config | grep md5

MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160

I need to disable MD5 and 96-bit MAC algorithms.
##########################

The following options would be available after eliminating the weak algorithms:-

[email protected],[email protected],
[email protected],[email protected],
[email protected],hmac-sha1,[email protected],
hmac-sha2-256,hmac-sha2-512,hmac-ripemd160

##########################
any advice how can I fix it and please let me know if any additional information is required.

Thanks in advance !!

carl.byington · February 17, 2015, 12:52am

Note that /etc/ssh/ssh_config is for the ssh client - outgoing ssh connections from the router. For incoming ssh connections into the router, you want /etc/ssh/sshd_config.

See http://forum.vyos.net/showthread.php?tid=6439 for some extensions. Note that “set service ssh ciphers” is already in Vyos.

system · February 17, 2015, 10:28pm

Here is some basic information about Vyatta in use

Version: VSE6.6R6
Description: Brocade Vyatta 5415 vRouter 6.6 R6
Copyright: 2006-2014 Vyatta, Inc.
Built by: [email protected]
Built on: Thu Jun 26 23:44:07 UTC 2014
########################################

Also when I see /etc/ssh/sshd_config, I can`t find any value for either MD5 or MAC

vyatta@vyatta:/etc/ssh$ cat sshd_config | grep md5

but it does exits for ssh_config as shown below

vyatta@vyatta:/etc/ssh$ cat ssh_config | grep md5

MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160

########################################

We are using Nessus scans and md5 findings are being reported under “plugins 26928 & 35291”

carl.byington · February 18, 2015, 1:27am

That is a subscription edition - you should be able to get support from Brocade.

Yes, vyatta/vyos have not (by default) changed the compiled in defaults for ciphers and hashes on the server side. See “man sshd_config”

system · March 17, 2015, 10:48pm

Sorry for brining up the old post once again. Here is my current configuration for both incoming and outgoing SSH connections. Would that be good enough to fix the vulnerability ? Any sugesstions.

=> Outgoing ssh connections from the router:-

vyatta@vyatta:/etc/ssh$ cat ssh_config | grep md5

MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160

=================

=> For incoming ssh connections into the router

vyatta@vyatta:/etc/ssh$ cat /etc/ssh/sshd_config | match Ciphers
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour

vyatta@vyatta:/etc/ssh$ cat /etc/ssh/sshd_config | match Mac
Macs hmac-sha1,hmac-ripemd160

ravenium · March 26, 2015, 11:42pm

You should be able to do this via the configuration menu. For ciphers:

yourvyosbox> set service ssh ciphers
Possible completions:
Cipher string
3des-cbc 3DES CBC
aes128-cbc AES 128 CBC
aes192-cbc AES 192 CBC
aes256-cbc AES 256 CBC
aes128-ctr AES 128 CTR
aes192-ctr AES 192 CTR
aes256-ctr AES 256 CTR
arcfour128 AC4 128
arcfour256 AC4 256
arcfour AC4
blowfish-cbc Blowfish CBC
cast128-cbc CAST 128 CBC

Detailed information:
Multiple ciphers can be specified as a comma-separated list.

yourvyosbox>set service ssh macs

Possible completions:
Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. See ‘man sshd_config’ for supported MACs.

Labudaman · February 26, 2016, 8:49pm

try to search ransomeware codes, aes-128 is one of their favourite, so decryption key against it show you branch of aes http://sureshotsoftware.com/guides/locky/.