bear on 12 Sep 2017 21:44:11 -0700



Re: [PLUG] Removing ciphers from an old Open-SSH server


The Mozilla Security Wiki is a great resource to get both familiar with
what is involved and also to find a great vetted list of ciphers to use.

They have one for Web Servers and also one for OpenSSH - while your OpenSSH
is very old, you should still find relevant information in it.

https://wiki.mozilla.org/Security/Guidelines/OpenSSH

On 9/12/17 08:47, Michael Leone wrote:
> I've got an old Red Hat 5.11 server (yes, I know, it should be
> upgraded), that's running OpenSSH 4.3 (based on OpenSSL 0.9.8). A
> consultant penetration test came up with a number of issues; the ones
> related to this server deal mostly with the SSH service. Specifically,
> allowing "Arcfour algorithms" and "Cipher Block Chaining mode ciphers".
> 
> However, all my searches seem to presume a much newer version of
> OpenSSH. I see a lot of pages on how to add any ciphers you want
> disallowed, such as:
> 
> https://developer.ibm.com/answers/questions/187318/faq-how-do-i-disable-cipher-block-chaining-cbc-mod.html
> 
> But my sshd-config doesn't have any such ciphers listed (even as
> comments). And as such, I don't know if that will work. And before I go
> messing around with a production server, I figured I would ask first.
> 
> Anybody done anything similar (disallowing ciphers, etc.)? Ideally with
> an old OpenSSH like mine?
> 
> What I really need to do is upgrade the whole server, but that's a
> project, and one I would need to research, so I don't screw it up. This
> server accepts SFTP uploads on my DMZ, and in turn, I have a script on a
> trusted LAN server that reaches into this server (using trusted keys),
> runs a script there; assembles all uploaded files, and copies them into
> the trusted LAN. (which this list helped me out hugely, a few years
> back, so thanks!) And I would need to make sure I don't mess that up.
> 
> Anyway, cipher disallowing thoughts?
> 


-- 

bear
xmpp agitator; ops curmudgeon; generalist
http://bear.im/about
http://bear.im/pubkey.txt
0A93 9BA7 8203 FCBC 58A9 E8B5 9D1E 0661 8EE5 B4D8
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
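The point Michael is circling is that an sshd_config with no Ciphers line is not "no ciphers configured"; it means the server offers its compiled-in default list, which on OpenSSH of that vintage includes the arcfour and CBC entries the pentest flagged. Adding a Ciphers line that names only the CTR modes is how you remove them. The helpers below are an added example, not code from the thread, Mozilla's wiki or the OpenSSH project. They assume the Ciphers keyword is honoured by the installed sshd, that the three aes*-ctr ciphers are available on a 4.3 build, that `sshd -t -f` is accepted for a config syntax check, and they use a constructed approximation of the era's default cipher list to show what the missing directive implies; check your own build before relying on any of those.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for removing arcfour and CBC
# ciphers from an old sshd_config that has no "Ciphers" line yet, so the
# server is silently running on its compiled-in defaults.

# Constructed approximation of an OpenSSH 4.x era default cipher list. The
# exact contents and order on a given build may differ; it is used here only
# to show what "no Ciphers line" implies, so treat it as an assumption.
OPENSSH4_DEFAULTS="aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr"

# is_weak NAME: succeeds when NAME belongs to a family the pentest flagged
# (any arcfour variant, or any Cipher Block Chaining mode).
is_weak() {
    case "$1" in
        arcfour*|*-cbc) return 0 ;;
        *) return 1 ;;
    esac
}

# _select MODE LIST: prints a comma-separated subset of LIST (comma- or
# space-separated). MODE "keep" drops weak entries; MODE "weak" keeps only them.
_select() {
    mode="$1"; out=""
    for c in $(printf '%s' "$2" | tr ',' ' '); do
        if is_weak "$c"; then hit=0; else hit=1; fi
        if [ "$mode" = "keep" ] && [ "$hit" -eq 0 ]; then continue; fi
        if [ "$mode" = "weak" ] && [ "$hit" -eq 1 ]; then continue; fi
        if [ -z "$out" ]; then out="$c"; else out="$out,$c"; fi
    done
    printf '%s\n' "$out"
}
filter_ciphers() { _select keep "$1"; }   # value to put on the Ciphers line
weak_ciphers()   { _select weak "$1"; }   # entries a scanner would flag

# effective_ciphers FILE: the Ciphers value sshd would use with FILE, falling
# back to the assumed defaults when the directive is absent or commented out.
effective_ciphers() {
    v=$(sed -n 's/^[[:space:]]*[Cc][Ii][Pp][Hh][Ee][Rr][Ss][[:space:]]\{1,\}//p' "$1" | head -n 1)
    if [ -z "$v" ]; then v="$OPENSSH4_DEFAULTS"; fi
    printf '%s\n' "$v"
}

# weak_in_config FILE: weak ciphers the server would still offer with FILE.
weak_in_config() { weak_ciphers "$(effective_ciphers "$1")"; }

# set_ciphers FILE VALUE: back FILE up, then replace or append the Ciphers line.
set_ciphers() {
    cfg="$1"; value="$2"
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    if grep -qi '^[[:space:]]*ciphers[[:space:]]' "$cfg"; then
        sed "s/^[[:space:]]*[Cc][Ii][Pp][Hh][Ee][Rr][Ss][[:space:]].*/Ciphers $value/" "$cfg" > "$cfg.new" \
            && mv "$cfg.new" "$cfg"
    else
        printf 'Ciphers %s\n' "$value" >> "$cfg"
    fi
}

# check_config FILE: have sshd parse FILE before restarting anything
# (assumes the installed sshd accepts -t and -f; skipped where sshd is absent).
check_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not found; config not validated" >&2
    fi
}

# Demo on a constructed config that, like the one in the thread, has no
# Ciphers line at all. Run as: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    demo=$(mktemp)
    printf 'Port 22\nSubsystem sftp /usr/libexec/openssh/sftp-server\n' > "$demo"
    echo "before: $(weak_in_config "$demo")"
    set_ciphers "$demo" "$(filter_ciphers "$OPENSSH4_DEFAULTS")"
    echo "after:  $(weak_in_config "$demo")"
    check_config "$demo"
    rm -f "$demo" "$demo".bak.*
fi
```

On a real host, point `set_ciphers` at a copy of `/etc/ssh/sshd_config`, run `check_config` on it, and only then swap it in and restart sshd from a session you keep open, so a mistake cannot lock you out. Before restarting, confirm the LAN-side script's ssh client can negotiate at least one of the remaining CTR ciphers; an old client that only speaks CBC would otherwise lose its SFTP path.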