A vulnerability test was performed against TA 2.2.3 and found that port 22/tcp had the 3DES and ARCFOUR ciphers enabled.
Please provide steps to remove these ciphers.
Release : 2.2.3
Component : THREAT ANALYTICS FOR PRIVILEGED ACCESS MANAGER
WARNING: As this is a critical configuration which may result in loss of access to TA, please take a snapshot of the VM before performing this activity.
First we need to know which ciphers (and other algorithms) sshd offers by default, so that we can build a new list that omits the unwanted ciphers (and other algorithms).
The following is an nmap scan of TCP port 22 using the ssh2-enum-algos script.
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (8)
|       [email protected]
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (3)
|       ssh-rsa
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (16)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       arcfour256
|       arcfour128
|       [email protected]
|       [email protected]
|       [email protected]
|       aes128-cbc
|       3des-cbc
|       blowfish-cbc
|       cast128-cbc
|       aes192-cbc
|       aes256-cbc
|       arcfour
|       [email protected]
|   mac_algorithms: (19)
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       hmac-md5
|       hmac-sha1
|       [email protected]
|       [email protected]
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-ripemd160
|       [email protected]
|       hmac-sha1-96
|       hmac-md5-96
|   compression_algorithms: (2)
|       none
|_      [email protected]
Now that we have the full list, we remove the unwanted ciphers (3des-cbc, arcfour, arcfour128 and arcfour256) and keep the rest, which gives the following list:
aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected],aes128-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,[email protected]
SSH to the TAP server as interlock, then run "sudo su" to become the root user.
Then edit the "/etc/ssh/sshd_config" file and add the following line:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected],aes128-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,[email protected]
Restart sshd
# systemctl restart sshd.service
Then run the vulnerability scan again.
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (8)
|       [email protected]
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (3)
|       ssh-rsa
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (12)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       [email protected]
|       [email protected]
|       [email protected]
|       aes128-cbc
|       blowfish-cbc
|       cast128-cbc
|       aes192-cbc
|       aes256-cbc
|       [email protected]
|   mac_algorithms: (19)
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       [email protected]
|       hmac-md5
|       hmac-sha1
|       [email protected]
|       [email protected]
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-ripemd160
|       [email protected]
|       hmac-sha1-96
|       hmac-md5-96
|   compression_algorithms: (2)
|       none
|_      [email protected]
As the scan above shows, the unwanted 3DES and ARCFOUR ciphers are no longer offered (the encryption_algorithms count has dropped from 16 to 12).
The same approach can be applied to the other algorithm families.
The following directives can be used in the sshd_config file for that purpose:
Ciphers
HostKeyAlgorithms
KexAlgorithms
MACs
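The procedure above, as an added shell example that is not part of the original article: take the algorithm list sshd currently offers, drop the entries that match a pattern (3DES and ARCFOUR for Ciphers, but the same function serves KexAlgorithms and MACs), write the directive into sshd_config, and let "sshd -t" validate the file before sshd is restarted, which guards against the loss of access the warning above mentions. The sample list is constructed from the first nmap scan, and the function and variable names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original article: filter weak entries out of
# the algorithm list sshd currently offers, write the directive into
# sshd_config, and validate with `sshd -t` before anything is restarted.

# Constructed sample: the 16 encryption_algorithms from the nmap scan above
# (the masked "[email protected]" entries are kept exactly as the scan shows).
SAMPLE_CIPHERS='aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]'

# drop_algos LIST REGEX: print the comma-separated LIST without the entries
# whose name starts with a match of REGEX (e.g. '3des|arcfour').
drop_algos() {
    printf '%s' "$1" | awk -v RS=',' -v pat="^($2)" '
        $0 ~ pat { next }
        { printf "%s%s", (n++ ? "," : ""), $0 }
        END { print "" }'
}

# current_list KEYWORD: the effective value on this host for "ciphers",
# "kexalgorithms" or "macs"; `sshd -T` prints keywords in lower case.
current_list() {
    /usr/sbin/sshd -T 2>/dev/null | awk -v k="$1" '$1 == k { print $2 }'
}

# set_directive NAME LIST [CONFIG]: replace or append "NAME LIST" in CONFIG,
# keep a .bak copy, and roll back if `sshd -t` rejects the result.
set_directive() {
    name=$1; list=$2; cfg=${3:-/etc/ssh/sshd_config}
    cp "$cfg" "$cfg.bak" || return 1
    if grep -q -E "^[[:space:]]*$name[[:space:]]" "$cfg"; then
        sed -i -E "s|^[[:space:]]*$name[[:space:]].*|$name $list|" "$cfg"
    else
        printf '%s %s\n' "$name" "$list" >> "$cfg"
    fi
    if ! /usr/sbin/sshd -t -f "$cfg"; then
        cp "$cfg.bak" "$cfg"
        return 1
    fi
}

# Typical run as root on the TA server (not executed here):
#   set_directive Ciphers "$(drop_algos "$(current_list ciphers)" '3des|arcfour')" \
#     && systemctl restart sshd.service
```

Only restart sshd when set_directive returns 0; a failed "sshd -t" means the original file has been restored from the .bak copy.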