bear on 12 Sep 2017 21:44:11 -0700
Re: [PLUG] Removing ciphers from an old Open-SSH server
The Mozilla Security Wiki is a great resource to get both familiar with what is involved and also to find a great vetted list of ciphers to use. They have one for Web Servers and also one for OpenSSH - while your OpenSSH is very old, you should still find relevant information about it.

https://wiki.mozilla.org/Security/Guidelines/OpenSSH

On 9/12/17 08:47, Michael Leone wrote:
> I've got an old Red Hat 5.11 server (yes, I know, it should be
> upgraded), that's running OpenSSH 4.3 (based on open-ssl 0.9.8). A
> consultant penetration test came up with a number of issues; the ones
> related to this server deal mostly with the SSH service. Specifically,
> allowing "Arcfour algorithms" and "Cipher Block Chaining mode ciphers".
>
> However, all my searches seem to presume a much newer version of
> OpenSSH. I see a lot of pages on how to add any ciphers you want
> disallowed (such as:
>
> https://developer.ibm.com/answers/questions/187318/faq-how-do-i-disable-cipher-block-chaining-cbc-mod.html
>
> But my sshd-config doesn't have any such ciphers listed (even as
> comments). And as such, I don't know if that will work. And before I go
> messing around with a production server, I figured I would ask first.
>
> Anybody done anything similar (disallowing ciphers, etc)? Ideally with
> an old OpenSSH like mine?
>
> What I really need to do is upgrade the whole server, but that's a
> project, and one I would need to research, so I don't screw it up. This
> server accepts SFTP uploads on my DMZ, and in turn, I have a script on a
> trusted LAN server that reaches into this server (using trusted keys),
> runs a script there; assembles all uploaded files, and copies them into
> the trusted LAN. (which this list helped me out hugely, a few years
> back, so thanks!) And I would need to make sure I don't mess that up.
>
> Anyway, cipher disallowing thoughts?
-- 
bear

xmpp agitator; ops curmudgeon; generalist
http://bear.im/about
http://bear.im/pubkey.txt
0A93 9BA7 8203 FCBC 58A9 E8B5 9D1E 0661 8EE5 B4D8

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
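The change Michael is asking about, as an added example that is not from this thread: a small POSIX sh audit of an sshd_config for the Arcfour and CBC-mode ciphers the pentest flagged, plus the edit that removes them. The two config snippets are constructed for illustration. The assumption that a missing Ciphers directive means the OpenSSH 4.x built-in default applies (a list that includes arcfour and the *-cbc ciphers) is mine, and so is the CTR-only replacement list, which follows the Mozilla guideline bear linked.

```shell
#!/bin/sh
# Added example, not from the list post: audit an sshd_config for
# Arcfour and CBC-mode ciphers and emit a hardened copy.

# Constructed sample: a config with no Ciphers line, as in the original post.
SAMPLE_NO_CIPHERS='Port 22
Protocol 2
Subsystem sftp /usr/libexec/openssh/sftp-server'

# Constructed sample: the same config with an explicit CTR-only list.
SAMPLE_CTR_ONLY='Port 22
Protocol 2
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
Subsystem sftp /usr/libexec/openssh/sftp-server'

# weak_ciphers CONFIG_TEXT
# Prints each weak cipher that would be accepted (one per line) and returns 1
# if any was found, 0 if the configured list is free of arcfour and CBC.
# Assumption: with no Ciphers directive, the daemon's built-in default
# applies, and on OpenSSH 4.x that default includes arcfour and *-cbc.
weak_ciphers() {
    list=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*[Cc]iphers[[:space:]]*//p' | head -n 1)
    if [ -z "$list" ]; then
        echo "no Ciphers directive: built-in default applies (includes arcfour and CBC)"
        return 1
    fi
    found=0
    for c in $(printf '%s' "$list" | tr ',' ' '); do
        case "$c" in
            *cbc*|arcfour*) echo "$c"; found=1 ;;
        esac
    done
    return $found
}

# harden CONFIG_TEXT
# Emits the config with any existing Ciphers line removed and a CTR-only
# Ciphers line appended (aes128-ctr, aes192-ctr and aes256-ctr are all
# supported by OpenSSH 4.3).
harden() {
    stripped=$(printf '%s\n' "$1" | sed '/^[[:space:]]*[Cc]iphers[[:space:]]/d')
    printf '%s\n%s\n' "$stripped" "Ciphers aes256-ctr,aes192-ctr,aes128-ctr"
}

# Stand-alone run: show the finding for the unconfigured sample, then the fix.
weak_ciphers "$SAMPLE_NO_CIPHERS"
harden "$SAMPLE_NO_CIPHERS"
```

With only the three CTR ciphers listed, both findings from the pentest go away. Before restarting the daemon, run `sshd -t` so it parses the edited file and reports any directive it does not understand, and keep an existing session open on the DMZ box until the trusted-LAN script has been seen to complete a full SFTP cycle against the new list; that script's client also has to offer a CTR cipher, which `ssh -c aes256-ctr` from the LAN side confirms before anything is restarted.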