Anthony Martin on 12 Sep 2017 06:48:22 -0700


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Removing ciphers from an old Open-SSH server

I was just dealing with a similar issue. The Apache section on this page may be usefull for you. 
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

Anthony Martin

Linux System Administrator


On Tue, Sep 12, 2017 at 8:47 AM, Michael Leone <turgon@mike-leone.com> wrote:
I've got an old Red Hat 5.11 server (yes, I know, it should be upgraded), that's running OpenSSH 4.3 (based on open-ssl 0.9.8). A consultant penetration test came up with a number of issues; the ones related to this server deal mostly with the SSH service. Specifically, allowing "Arcfour algorithms" and "Cipher Block Chaining mode ciphers". 

However, all my searches seem to presume a much newer version of OpenSSH. I see a lot of pages on how to add any ciphers you want disallowed (such as:

https://developer.ibm.com/answers/questions/187318/faq-how-do-i-disable-cipher-block-chaining-cbc-mod.html

But my sshd-config doesn't have any such ciphers listed (even as comments). And as such, I don't know if that will work. And before I go messing around with a production server, I figured I would ask first.

Anybody done anything similar (disallowing ciphers, etc)? ideally with an old OpenSSh like mine?

What I really need to do is upgrade the whole server, but that's a project, and one I would need to research, so I don't screw it up. This server accepts SFTP uploads on my DMZ, and in turn, I have a script on a trusted LAN server that reaches into this server (using trusted keys), runs a script there; assembles all uploaded files, and copies them into the trusted LAN. (which this list helped me out hugely, a few years back, so thanks!) And I would need to make sure I don't mess that up.

Anyway, cipher disallowing thoughts?


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug