SSH Weak Algorithms Supported,SSH Server CBC Mode Ciphers Enabled,SSH Weak MAC Algorithms Enabled

Nessus扫描漏洞编号:

90317 (1) - SSH Weak Algorithms Supported

70658 (1) - SSH Server CBC Mode Ciphers Enabled

71049 (1) - SSH Weak MAC Algorithms Enabled


SSH Weak Algorithms Supported:


The following weak server-to-client encryption algorithms are supported :
arcfour、arcfour128、arcfour256
The following weak client-to-server encryption algorithms are supported :
arcfour、arcfour128、arcfour256

SSH Server CBC Mode Ciphers Enabled:


The following client-to-server Cipher Block Chaining (CBC) algorithms
are supported : 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc rijndael-cbc@lysator.liu.se

The following server-to-client Cipher Block Chaining (CBC) algorithms
are supported : 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc rijndael-cbc@lysator.liu.se

SSH Weak MAC Algorithms Enabled:


The following client-to-server Message Authentication Code (MAC) algorithms
are supported :
hmac-md5 hmac-md5-96 hmac-sha1-96 hmac-sha2-256-96 hmac-sha2-512-96

The following server-to-client Message Authentication Code (MAC) algorithms
are supported :
hmac-md5 hmac-md5-96 hmac-sha1-96 hmac-sha2-256-96 hmac-sha2-512-96

 

修复方案:

禁用相关弱算法。

MACs

指定允许在SSH-2中使用哪些消息摘要算法来进行数据校验。 可以使用逗号分隔的列表来指定允许使用多个算法。默认值(包含所有可以使用的算法)是: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

Ciphers
指定SSH-2允许使用的加密算法。多个算法之间使用逗号分隔。可以使用的算法如下:”aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”,”3des-cbc”, “arcfour128”, “arcfour256”, “arcfour”, “blowfish-cbc”, “cast128-cbc”默认值是可以使用上述所有算法。

参考链接:

SSH安全优化:http://blog.csdn.net/bwlab/article/details/51249254

SSH各配置说明:http://www.bubuko.com/infodetail-968140.html

 

自查方法:

NESSUS漏洞,SSH_SCAN扫描,SSH -VVV 调试模式查看。

SSH_SCAN ssh_scan -t ip

ssh -vvv username@ip