[PAM][TAP] TA 2.2.3 - SSH has 3DES and ARC4 ciphers enabled

Article ID: 209642

Products

CA Threat Analytics for PAM

Issue/Introduction

A vulnerability scan performed against TA 2.2.3 found that port 22/tcp had the 3DES and ARCFOUR ciphers enabled.

Please provide steps to remove these ciphers.

Environment

Release : 2.2.3

Component : THREAT ANALYTICS FOR PRIVILEGED ACCESS MANAGER

Resolution

WARNING: As this is a critical configuration which may result in loss of access to TA, please take a snapshot of the VM before performing this activity.

First we need to know which ciphers (and other algorithms) are enabled by default, so that we can build a new list that leaves out the unwanted ciphers (and other algorithms).

The following is an nmap scan (using the ssh2-enum-algos script) of TCP port 22.

PORT     STATE  SERVICE
22/tcp   open   ssh
| ssh2-enum-algos: 
|   kex_algorithms: (8)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (3)
|       ssh-rsa
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (16)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       arcfour256
|       arcfour128
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|       chacha20-poly1305@openssh.com
|       aes128-cbc
|       3des-cbc
|       blowfish-cbc
|       cast128-cbc
|       aes192-cbc
|       aes256-cbc
|       arcfour
|       rijndael-cbc@lysator.liu.se
|   mac_algorithms: (19)
|       hmac-md5-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-ripemd160-etm@openssh.com
|       hmac-sha1-96-etm@openssh.com
|       hmac-md5-96-etm@openssh.com
|       hmac-md5
|       hmac-sha1
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-ripemd160
|       hmac-ripemd160@openssh.com
|       hmac-sha1-96
|       hmac-md5-96
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com

Now that we have the full list, we can build a new Ciphers list that omits the unwanted entries (arcfour256, arcfour128, arcfour and 3des-cbc):

aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se

SSH to the TAP server as the interlock user, then run "sudo su" to become the root user.

Then modify the "/etc/ssh/sshd_config" file by adding the following line.

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se

Restart sshd:

# systemctl restart sshd.service

Then run the vulnerability scan again.

PORT     STATE  SERVICE
22/tcp   open   ssh
| ssh2-enum-algos: 
|   kex_algorithms: (8)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (3)
|       ssh-rsa
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (12)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|       chacha20-poly1305@openssh.com
|       aes128-cbc
|       blowfish-cbc
|       cast128-cbc
|       aes192-cbc
|       aes256-cbc
|       rijndael-cbc@lysator.liu.se
|   mac_algorithms: (19)
|       hmac-md5-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-ripemd160-etm@openssh.com
|       hmac-sha1-96-etm@openssh.com
|       hmac-md5-96-etm@openssh.com
|       hmac-md5
|       hmac-sha1
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-ripemd160
|       hmac-ripemd160@openssh.com
|       hmac-sha1-96
|       hmac-md5-96
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com

As the output above shows, nmap has scanned the port again and the unwanted 3DES and ARCFOUR ciphers are no longer offered.

The same approach can be applied to the other algorithm families (key exchange, host key and MAC algorithms).

The following keywords can be used in the sshd_config file:

Ciphers
HostKeyAlgorithms
KexAlgorithms
MACs
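
The procedure above (scan, build a list without the flagged entries, write the sshd_config directive) can be scripted so that the new list is derived from what the server actually offers instead of being retyped by hand. The script below is an added example and is not part of this article or of the TA product: it parses nmap ssh2-enum-algos output (a sample constructed here from the lists shown above), drops every name matching a denylist, and emits the corresponding sshd_config line. The Ciphers case reproduces the article's 3DES/ARCFOUR removal; the KexAlgorithms case shows the same function applied to another keyword from the list above, with a denylist that is this example's own assumption rather than something the article calls out.

```shell
#!/usr/bin/env bash
# Added example (not part of the KB article): derive hardened sshd_config
# directives from nmap's ssh2-enum-algos output by removing a denylist of
# algorithm names, so the new list reflects what the server really offers.

# Sample scanner output, constructed from the lists shown in the article
# (kex, encryption and compression sections only).
SCAN_OUTPUT='| ssh2-enum-algos:
|   kex_algorithms: (8)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   encryption_algorithms: (16)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       arcfour256
|       arcfour128
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|       chacha20-poly1305@openssh.com
|       aes128-cbc
|       3des-cbc
|       blowfish-cbc
|       cast128-cbc
|       aes192-cbc
|       aes256-cbc
|       arcfour
|       rijndael-cbc@lysator.liu.se
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com'

# extract_section SECTION TEXT
# Print the algorithm names listed under "|   SECTION: (n)", one per line.
extract_section() {
  printf '%s\n' "$2" | awk -v want="$1" '
    # Section headers look like "|   kex_algorithms: (8)".
    /^[|] +[a-z_]+: [(]/ { in_sec = ($2 == (want ":")); next }
    # Entries look like "|       aes128-ctr"; nmap marks the last line with "|_".
    in_sec && /^[|]_? +[^ ]/ { print $2 }
  '
}

# build_directive KEYWORD SECTION DENY_ERE TEXT
# Emit one sshd_config line, e.g. "Ciphers a,b,c", keeping every offered
# algorithm except those whose whole name matches DENY_ERE.
build_directive() {
  local list
  list=$(extract_section "$2" "$4" | grep -Ev "^($3)$" | paste -sd, -)
  printf '%s %s\n' "$1" "$list"
}

# The article's case: drop 3DES and every arcfour variant from the cipher list.
ciphers_line() {
  build_directive Ciphers encryption_algorithms '3des-cbc|arcfour.*' "$SCAN_OUTPUT"
}

# Same technique for key exchange. The denylist (the group1 exchange) is an
# assumption made for this example, not a finding from the article.
kex_line() {
  build_directive KexAlgorithms kex_algorithms 'diffie-hellman-group1-sha1' "$SCAN_OUTPUT"
}

ciphers_line
kex_line
```

Paste the emitted lines into /etc/ssh/sshd_config, then run `sshd -t` to syntax-check the file and `sshd -T | grep -i '^ciphers'` to see the effective list before restarting the service; a typo in an algorithm name stops sshd from starting, so keep the existing SSH session open until a new login has succeeded.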