PCI Fails SSH weak hashing and key exchange
So one of my customers' PCI scans is failing from Trustwave for these 2:
Weak SSH Hashing Algorithms
Weak SSH Key Exchange
None of my other domains on that server are failing ControlScan PCI scans. The best part is the description "This vulnerability is not recognized by the national vulnerability database". I have tried disputing it, but they aren't budging.
How do I update the hashing and key exchange algorithms? I messed with it a bit before posting here and all I did was kill SSH, lol.
Hello Eric, the following thread includes some examples of cipher and protocol settings utilized by another user for the purpose of passing Trustwave PCI compliance tests: Can you let me know if that helps? If not, could you ask Trustwave to provide more specific information about why the server is not passing? Thank you.
I launched a new scan for that customer. Just got a fail from a different provider, same server, lol. Some of this stuff is just ridiculous now: 2083, 2087, 2096 are considered LLL backdoors... they really don't want us using cPanel.
Some of this stuff is just ridiculous now: 2083, 2087, 2096 are considered LLL backdoors... they really don't want us using cPanel.
Hello, here's a thread that may help to address that specific report: If not, can you ask the PCI provider for more specific details about why those ports are failing? It's possible it's a false positive. Thank you.
It's not Sweet32, it's that they detected SSL ports other than 443. SWEET32 was corrected a long time ago on my servers.
Here is the fix for the original post. Add this to /etc/ssh/sshd_config:

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

After this you may need to update PuTTY or WinSCP.
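As an added example (not from the post above or from cPanel), a small Python script that audits an sshd_config offline against the KexAlgorithms, Ciphers and MACs lists given in that fix, so you can confirm the file matches before restarting sshd. It flags algorithms outside those lists, a keyword that is missing (sshd defaults then apply), and a +/-/^ prefix that edits the defaults, and it honours sshd's rule that the first occurrence of a keyword wins; the sample config is constructed.

```python
"""Offline audit of sshd_config algorithm lines against an allowlist."""
# Allowlist: the KexAlgorithms/Ciphers/MACs values from the fix in the post above.
ALLOWED = {
    "KexAlgorithms": {"curve25519-sha256@libssh.org", "ecdh-sha2-nistp521",
                      "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
                      "diffie-hellman-group-exchange-sha256"},
    "Ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr"},
    "MACs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
             "umac-128-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256",
             "umac-128@openssh.com"},
}
CANONICAL = {k.lower(): k for k in ALLOWED}  # sshd keywords are case-insensitive
def parse_algorithms(text):
    """Return {keyword: [algorithms]}, keeping the first occurrence of each keyword
    (sshd honours the first); parsing stops at the first Match block."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break  # conditional settings need 'sshd -T -C ...' to evaluate
        parts = line.split(None, 1)
        key = CANONICAL.get(parts[0].lower())
        if key and key not in found and len(parts) == 2:
            values = [a.strip() for a in parts[1].split(",") if a.strip()]
            if values:
                found[key] = values
    return found
def audit(text):
    """Return findings; an empty list means every algorithm line matches the allowlist."""
    found, findings = parse_algorithms(text), []
    for keyword, allowed in ALLOWED.items():
        if keyword not in found:
            findings.append(f"{keyword}: not set, sshd defaults apply")
        elif found[keyword][0][0] in "+-^":  # +alg/-alg/^alg edit the defaults
            findings.append(f"{keyword}: modifies defaults ({found[keyword][0]}), check 'sshd -T'")
        else:
            findings += [f"{keyword}: {a} not in allowlist" for a in found[keyword] if a not in allowed]
    return findings
# Constructed sample (not from the post): one weak KEX, one weak cipher, MACs left unset.
SAMPLE_CONFIG = """Port 22
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1
Ciphers aes256-ctr,aes128-ctr,3des-cbc
"""
if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Point it at the real file with `audit(open("/etc/ssh/sshd_config").read())`; the effective algorithm set after any Match block or defaults is what `sshd -T` prints.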