Disable SSH Weak MAC Algorithms

July 9, 2021

NESSUS tool found below vulnerability on a server.

71049 – SSH Weak MAC Algorithms Enabled

 

Synopsis

The remote SSH server is configured to allow MD5 and 96-bit MAC algorithms.

 

Description

The remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.

Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software versions.

Solution

Disable SSH Weak MAC Algorithms: Follow the steps given below to disable ssh weak MAC algorithms on an HP-UX server.

  • Remove the default list of MACs by editing the /opt/ssh/etc/sshd_config file and keep the only hmac-sha1,umac-64@openssh.com,hmac-ripemd160 MACs. 
    # vi /opt/ssh/etc/sshd_config

.
.
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
.
.
  • Restart the ssh service using the below command. 
    # /sbin/init.d/secsh stop
HP-UX Secure Shell stopped
# /sbin/init.d/secsh start
HP-UX Secure Shell started
  • Once that was done and sshd was restarted, you can test for the issue like this: 
    # ssh -vv -oMACs=hmac-md5 <server>
  • After disabling weak MACs if you try ssh using these weak MACs, you will get the below message: 
    # ssh -oMACs=hmac-md5 <server>
no matching mac found: client hmac-md5 server hmac-sha1,umac-64@openssh.com,hmac-ripemd160
  • Now, weak MACs have been disabled on your HP-UX system.
Last Updated: July 09, 2021
Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.