PCI Vulnerability - Logjam - SSH
Recent PCI scan is failing due to:
"The remote host allows SSH connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits."
Vulnerability:
"The SSH server is vulnerable to the Logjam attack because : It supports diffie-hellman-group1-sha1 key exchange."
Solution:
"Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater."
I need help on how to resolve this issue. I need to keep SSH access.
Any thoughts?
Thanks much.
See if this helps:

Hello,

Here's a response from one of our technical analysts on a recent support ticket regarding this vulnerability:

I would recommend, at a minimum, upgrading to Apache 2.4. It appears that by default, Apache 2.4.7 and above do not serve Diffie-Hellman parameters smaller than 2048 bits: mod_ssl - Apache HTTP Server Version 2.4

Additionally, you could also generate the custom Diffie-Hellman parameters and provide them directly to OpenSSL globally by adding the directive suggested by the Logjam site you linked to: SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}" in one of the Apache includes, which can be edited through WHM: Include Editor - Documentation - cPanel Documentation

Thank you.
Thank you rpvw. I am currently using the latest version, Apache 2.4.27, but I 'think' your suggestion controls SSL, not the SSH service.
Not my suggestion - just what is in the thread entitled Logjam vulnerability
Hello, The following third-party URL should help: "On OpenSSH and Logjam" (Technology & Policy, Jethro Beekman). Thank you.
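The OpenSSH-side fix that the linked article describes, as an added example that is not part of this thread or of cPanel's documentation: drop the fixed 1024-bit diffie-hellman-group1-sha1 exchange from sshd_config and prune /etc/ssh/moduli so group exchange only offers 2048-bit or larger groups. The file paths are assumptions, the sample moduli content is constructed, and the KEX names are OpenSSH's own but whether a given sshd version supports them must be confirmed locally.

```shell
#!/bin/sh
# Added example (not from the thread): the OpenSSH-side fix for this finding.
# 1) Drop diffie-hellman-group1-sha1 (a fixed 1024-bit group) from the
#    key-exchange list in sshd_config.
# 2) Prune /etc/ssh/moduli so diffie-hellman-group-exchange-* never offers a
#    group smaller than 2048 bits (the scanner's "moduli <= 1024 bits").
# Paths are assumptions; the sample moduli below is constructed for the demo.

# KexAlgorithms line for sshd_config. The names are OpenSSH's; whether a given
# sshd supports them depends on its version, so confirm with `sshd -T`.
kex_line() {
  printf 'KexAlgorithms %s\n' \
    'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
}

# Print a copy of a moduli file keeping only groups of 2048 bits or more.
# Fields: time type tests trials size generator modulus. "size" is the bit
# length minus one, so 2047 is a 2048-bit group. Comment lines are kept.
# Usage: prune_moduli /etc/ssh/moduli > /etc/ssh/moduli.safe (then swap files)
prune_moduli() {
  awk '/^#/ { print; next } NF >= 7 && $5 >= 2047 { print }' "$1"
}

# Exit 0 if the file (e.g. the output of `sshd -T` saved to disk) still lists
# the vulnerable group1 exchange, 1 otherwise: a check before restarting sshd.
mentions_group1() {
  grep -qi 'diffie-hellman-group1-sha1' "$1"
}

# Constructed sample: the modulus column is shortened, real ones are long hex.
write_sample_moduli() {
  cat > "$1" <<'EOF'
# time type tests trials size generator modulus (constructed sample)
20170101000000 2 6 100 1023 2 D3A1F
20170101000000 2 6 100 1535 2 F00DB
20170101000000 2 6 100 2047 2 C0FFE
20170101000000 2 6 100 4095 5 ABCDE
EOF
}

# Demo: only the 2047 and 4095 entries survive the prune.
tmp=$(mktemp)
write_sample_moduli "$tmp"
kex_line
prune_moduli "$tmp"
rm -f "$tmp"
```

After replacing /etc/ssh/moduli and adding the KexAlgorithms line, run `sshd -t` to syntax-check and restart sshd from a session you keep open until a fresh login succeeds.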