SSH is configured to allow MD5 and 96-bit MAC algorithms


#1

Hi There

##########################
Following is my current configuration on Vyatta device:-

vyatta@vyatta:/etc/ssh$ cat ssh_config | grep md5

MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160

I need to disable MD5 and 96-bit MAC algorithms.
##########################

The following options would be available after eliminating the weak algorithms:-

hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
hmac-ripemd160-etm@openssh.com,hmac-sha1,umac-128@openssh.com,
hmac-sha2-256,hmac-sha2-512,hmac-ripemd160

##########################
Any advice on how I can fix it? Please let me know if any additional information is required.

Thanks in advance !!


#2

Note that /etc/ssh/ssh_config is for the ssh client - outgoing ssh connections from the router. For incoming ssh connections into the router, you want /etc/ssh/sshd_config.

See http://forum.vyos.net/showthread.php?tid=6439 for some extensions. Note that “set service ssh ciphers” is already in Vyos.


#3

Here is some basic information about Vyatta in use

Version: VSE6.6R6
Description: Brocade Vyatta 5415 vRouter 6.6 R6
Copyright: 2006-2014 Vyatta, Inc.
Built by: autobuild@vyatta.com
Built on: Thu Jun 26 23:44:07 UTC 2014
########################################

Also, when I look at /etc/ssh/sshd_config, I can't find any value for either MD5 or MAC

vyatta@vyatta:/etc/ssh$ cat sshd_config | grep md5

but it does exist in ssh_config, as shown below

vyatta@vyatta:/etc/ssh$ cat ssh_config | grep md5

MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160

########################################

We are using Nessus scans and md5 findings are being reported under “plugins 26928 & 35291”


#4

That is a subscription edition - you should be able to get support from Brocade.

Yes, vyatta/vyos have not (by default) changed the compiled-in defaults for ciphers and hashes on the server side. See “man sshd_config”


#5

Sorry for bringing up the old post once again. Here is my current configuration for both incoming and outgoing SSH connections. Would that be good enough to fix the vulnerability? Any suggestions?

=> Outgoing ssh connections from the router:-

vyatta@vyatta:/etc/ssh$ cat ssh_config | grep md5

MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160

=================

=> For incoming ssh connections into the router

vyatta@vyatta:/etc/ssh$ cat /etc/ssh/sshd_config | match Ciphers
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour

vyatta@vyatta:/etc/ssh$ cat /etc/ssh/sshd_config | match Mac
Macs hmac-sha1,hmac-ripemd160


#6

You should be able to do this via the configuration menu. For ciphers:

yourvyosbox> set service ssh ciphers
Possible completions:
Cipher string
3des-cbc 3DES CBC
aes128-cbc AES 128 CBC
aes192-cbc AES 192 CBC
aes256-cbc AES 256 CBC
aes128-ctr AES 128 CTR
aes192-ctr AES 192 CTR
aes256-ctr AES 256 CTR
arcfour128 AC4 128
arcfour256 AC4 256
arcfour AC4
blowfish-cbc Blowfish CBC
cast128-cbc CAST 128 CBC

Detailed information:
Multiple ciphers can be specified as a comma-separated list.

yourvyosbox>set service ssh macs

Possible completions:
Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. See ‘man sshd_config’ for supported MACs.


#7

Try searching ransomware code; aes-128 is one of their favourites, so a decryption key against it shows you a branch of AES: http://sureshotsoftware.com/guides/locky/.