Trustwave - Insecure ARCFOUR encryption

4 comments

  • cPanelMichael
    Hello,
    You should edit the /etc/ssh/sshd_config file to change the SSH configuration and use custom ciphers (using the "Ciphers" line). Information on editing the /etc/ssh/sshd_config file is available at: What are the differences between the arcfour, arcfour128 and arcfour256 ciphers in OpenSSH?
    Thank you.
    0
  • Serra
    I already knew all that, my issue is that the ciphers line is currently commented out of the ssh config line. As such, I don't know what the current cipher suite is. This is problematic because uncommenting the line could do nothing or drastically change the ciphers in use. Doing nothing doesn't seem so bad, drastically changing the cipher suite could be a disaster that takes days or weeks of problems with clients to fix. So, is the cipher suite that is commented out the same as what is in use? What is in use? Is there a way to find out?
    0
  • cPanelMichael
    Hello,
    The lack of an entry indicates the default cipher list is utilized. You can use the following command to view the default list:
    man ssh_config
    Here's the entry for "Ciphers" from that output:
    Ciphers
            Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. The supported ciphers are: "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "arcfour128", "arcfour256", "arcfour", "blowfish-cbc", "cast128-cbc", and "chacha20-poly1305@openssh.com".
            The default is:
            aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
            aes128-gcm@openssh.com,aes256-gcm@openssh.com,
            chacha20-poly1305@openssh.com,
            aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
            aes256-cbc,arcfour
            The list of available ciphers may also be obtained using the -Q option of ssh(1).
    You would configure the new "Ciphers" line with the default ciphers, separated by commas, adding/removing entries to achieve PCI compliance. We're currently exploring methods of ensuring SSH is PCI compliant by default in case CPANEL-7585. There's no time frame to offer at this time, but I'll update this thread with more information on the status of that case as it becomes available.
    Thank you.
    0
  • Serra
    Just for reference, the change for this to PCI Compliance on the SSH port is:
    In /etc/ssh/sshd_config add the following line:
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc
    This should leave only PCI compliant ciphers. Make sure you test this, restart sshd:
    service sshd restart
    Then attempt to log in while leaving your original SSH window open. If you can't log in, undo the change and restart. If you log out, you may not be able to log back in if it doesn't work.
    0
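
An added example, not part of any post in this thread: a shell sketch that answers the "what is in use when the Ciphers line is commented out?" question and builds a replacement line that drops only the arcfour entries while keeping the existing order. The function names and the sample config are constructed for illustration; the default list is the one quoted from man ssh_config above and differs between OpenSSH versions.

```shell
#!/bin/sh
# Default cipher list as quoted from "man ssh_config" in the thread above.
# Assumption: the installed OpenSSH matches that man page; newer releases differ.
DEFAULT_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour"

# effective_ciphers FILE
# Print the cipher list sshd would use for FILE. Keywords are case-insensitive
# and the first value wins. A commented-out "#Ciphers ..." line never matches,
# so the compiled-in default applies.
effective_ciphers() {
    active=$(awk 'tolower($1) == "ciphers" { print $2; exit }' "$1")
    printf '%s\n' "${active:-$DEFAULT_CIPHERS}"
}

# weak_ciphers LIST
# Print the arcfour (RC4) entries found in a comma-separated list, if any.
weak_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -i '^arcfour' | paste -sd, -
}

# hardened_line LIST
# Print a "Ciphers" directive with the arcfour entries removed and the
# remaining entries left in their original preference order.
hardened_line() {
    kept=$(printf '%s\n' "$1" | tr ',' '\n' | grep -vi '^arcfour' | paste -sd, -)
    printf 'Ciphers %s\n' "$kept"
}

# Constructed sample: a config whose Ciphers line is commented out,
# which is the situation described in the thread.
demo() {
    cfg=$(mktemp)
    printf '%s\n' 'Port 22' '#Ciphers aes128-ctr,aes192-ctr,aes256-ctr' > "$cfg"
    list=$(effective_ciphers "$cfg")
    echo "in use:   $list"
    echo "flagged:  $(weak_ciphers "$list")"
    echo "proposed: $(hardened_line "$list")"
    rm -f "$cfg"
}
demo
```

On a live host, `sshd -T | grep -i '^ciphers'` prints the effective list directly, and `sshd -t` validates the edited file before sshd is restarted.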
