NESSUS tool found below vulnerability in a Linux server.
70658 – SSH Server Weak and CBC Mode Ciphers Enabled
Synopsis
The SSH server is configured to use Cipher Block Chaining.
Description
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Solution
Disable SSH Server Weak and CBC Mode Ciphers in Linux
Follow the steps given below to disable ssh server weak and cbc mode ciphers in a Linux server.
- Edit the default list of MACs by editing the /etc/ssh/sshd_config file and remove the arcfour, arcfour128, arcfour25, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc and aes256-cbc ciphers from the list.
# vi /etc/ssh/sshd_config . . Ciphers aes128-ctr,aes192-ctr,aes256-ctr . . - Save the file and restart the ssh service using the below command.
# service sshd restart Stopping sshd: [ OK ] Starting sshd: [ OK ] - Once that was done and sshd was restarted, you can check the list of ciphers by using the below command:
# sshd -T |grep ciphers ciphers aes128-ctr,aes192-ctr,aes256-ctr - After disabling weak MACs if you try ssh using these ssh server weak and cbc mode ciphers, you will get the below message:
# ssh -oMACs=hmac-md5 <server> no matching cipher found: client aes128-cbc server aes128-ctr,aes192-ctr,aes256-ctr - Now, ssh server weak and cbc mode ciphers have been disabled in your Linux system.
Last Updated: July 15, 2021