Disabling weak Kex algorithms, HostKey algorithms and encryption algorithms on the Portal
search cancel

Disabling weak Kex algorithms, HostKey algorithms and encryption algorithms on the Portal

book

Article ID: 263231

calendar_today

Updated On:

Products

CA API Developer Portal

Issue/Introduction

On our portal server the below need to be disabled/removed

(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove

(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove

(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove

(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove

(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove

(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove

(rec) -3des-cbc -- enc algorithm to remove

(rec) -aes128-cbc -- enc algorithm to remove

(rec) -aes192-cbc -- enc algorithm to remove

(rec) -aes256-cbc -- enc algorithm to remove

Environment

Release : 5.1

Resolution

Apply the appropriate steps mentioned in the below article:

https://www.ssh-audit.com/hardening_guides.html#rhel7

 Details in case link changes: 

RedHat Enterprise Linux 7 Server / CentOS 7 Server Last modified: August 31, 2021

Note: all commands below are to be executed as the root user.

  • Disable automatic re-generation of RSA & ECDSA keys
    sed -i '/ssh_host_rsa_key/d' /usr/lib/systemd/system/sshd-keygen.service
    sed -i '/ssh_host_ecdsa_key/d' /usr/lib/systemd/system/sshd-keygen.service
    systemctl daemon-reload
  • Re-generate the ED25519 key
    rm -f /etc/ssh/ssh_host_*
    ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
    chgrp ssh_keys /etc/ssh/ssh_host_ed25519_key
    chmod g+r /etc/ssh/ssh_host_ed25519_key
  • Remove small Diffie-Hellman moduli
    awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
    mv -f /etc/ssh/moduli.safe /etc/ssh/moduli
  • Disable the RSA, DSA, and ECDSA host keys
    Comment out the RSA, DSA, and ECDSA HostKey directives in the /etc/ssh/sshd_config file:

    sed -i 's/^HostKey \/etc\/ssh\/ssh_host_\(rsa\|dsa\|ecdsa\)_key$/\#HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config
  • Restrict supported key exchange, cipher, and MAC algorithms
    echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256\nCiphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr\nMACs [email protected],[email protected],[email protected]" >> /etc/ssh/sshd_config

Before started sshd 

Need to modify the file directly and comment out the first Cipher list and update it as required

# vi /etc/ssh/sshd_config

# service sshd restart

# Per CCE-CCE-27295-5: Set Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc in /etc/ssh/sshd_config

# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr

Restart OpenSSH server
systemctl restart sshd.service

NOTE also recommended to run  yum update

You can check ciphers currently used by your server with:

Before applying the step in the article:

Ciphers:

# sshd -T | grep ciphers | perl -pe 's/,/\n/g' | sort -u

/etc/ssh/sshd_config line 173: Deprecated option RhostsRSAAuthentication

3des-cbc

aes128-cbc

aes128-ctr

[email protected]

aes192-cbc

aes192-ctr

aes256-cbc

aes256-ctr

[email protected]

blowfish-cbc

cast128-cbc

ciphers [email protected]



mac:

sshd -T | grep mac | perl -pe 's/,/\n/g' | sort -u

/etc/ssh/sshd_config line 173: Deprecated option RhostsRSAAuthentication

hmac-sha1

[email protected]

hmac-sha2-256

[email protected]

hmac-sha2-512

[email protected]

macs [email protected]

[email protected]

[email protected]

[email protected]

 

kex:

bash-4.2# sshd -T | grep kex | perl -pe 's/,/\n/g' | sort -u

/etc/ssh/sshd_config line 173: Deprecated option RhostsRSAAuthentication

[email protected]

diffie-hellman-group14-sha1

diffie-hellman-group14-sha256

diffie-hellman-group16-sha512

diffie-hellman-group18-sha512

diffie-hellman-group1-sha1

diffie-hellman-group-exchange-sha1

diffie-hellman-group-exchange-sha256

ecdh-sha2-nistp256

ecdh-sha2-nistp384

ecdh-sha2-nistp521

gssapikexalgorithms gss-gex-sha1-

gss-group14-sha1-

gss-group1-sha1-

kexalgorithms curve25519-sha256

 

Results after applying the hardening article: /etc/ssh/sshd_config

# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com

# hardening guide.

KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256

Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr

MACs [email protected],[email protected],[email protected]

 

Cipher:

# sshd -T | grep ciphers | perl -pe 's/,/\n/g' | sort -u

/etc/ssh/sshd_config line 173: Deprecated option RhostsRSAAuthentication

aes128-ctr

[email protected]

aes192-ctr

aes256-ctr

[email protected]

ciphers [email protected]

 

mac:

# sshd -T | grep mac | perl -pe 's/,/\n/g' | sort -u

/etc/ssh/sshd_config line 173: Deprecated option RhostsRSAAuthentication

[email protected]

macs [email protected]

[email protected]

 

kex:

bash-4.2# sshd -T | grep kex | perl -pe 's/,/\n/g' | sort -u

/etc/ssh/sshd_config line 173: Deprecated option RhostsRSAAuthentication

[email protected]

diffie-hellman-group16-sha512

diffie-hellman-group18-sha512

diffie-hellman-group-exchange-sha256

gssapikexalgorithms gss-gex-sha1-

gss-group14-sha1-

gss-group1-sha1-

kexalgorithms curve25519-sha256



Additional Information

The article and test assume perl is installed

Perl is only used to put it in a fancy format, use these before and after implementing the hardening steps for centos 7

# sshd -T | grep kex

# sshd -T | grep mac

# sshd -T | grep cipher

The point is these commands shows schemes your client/server can support.

# ssh -Q kex

# ssh -Q cipher

# ssh -Q MAC

No matter what you change in the /etc/ssg/sshd_config the results so not change