NESSUS tool found below vulnerability on a server.
71049 – SSH Weak MAC Algorithms Enabled
Synopsis
The remote SSH server is configured to allow MD5 and 96-bit MAC algorithms.
Description
The remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.
Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software versions.
Solution
Disable SSH Weak MAC Algorithms: Follow the steps given below to disable ssh weak MAC algorithms on an HP-UX server.
- Remove the default list of MACs by editing the /opt/ssh/etc/sshd_config file and keep the only hmac-sha1,umac-64@openssh.com,hmac-ripemd160 MACs.
# vi /opt/ssh/etc/sshd_config . . MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160 . .
- Restart the ssh service using the below command.
# /sbin/init.d/secsh stop HP-UX Secure Shell stopped # /sbin/init.d/secsh start HP-UX Secure Shell started
- Once that was done and sshd was restarted, you can test for the issue like this:
# ssh -vv -oMACs=hmac-md5 <server>
- After disabling weak MACs if you try ssh using these weak MACs, you will get the below message:
# ssh -oMACs=hmac-md5 <server> no matching mac found: client hmac-md5 server hmac-sha1,umac-64@openssh.com,hmac-ripemd160
- Now, weak MACs have been disabled on your HP-UX system.
Last Updated: July 09, 2021