Disable SSH Weak Ciphers

Author: rabubakar (2017/09/25 01:37:11)

Disable SSH Weak Ciphers

We are using FortiGate and we noticed that the SSH server is configured to use weak encryption algorithms (arcfour, arcfour128, arcfour256 and CBC-mode ciphers) and MAC algorithms (hmac-sha1 and hmac-md5).
 
My question is:
 
How to disable CBC mode ciphers and use CTR mode ciphers?
How to disable 96-bit HMAC Algorithms?
How to disable MD5-based HMAC Algorithms?
 
Thanks.

    emnoc
    Re: Disable SSH Weak Ciphers 2017/09/25 07:23:45
    Try the config sys global CLI command, e.g.:

    config sys global
        set ssh-cbc-cipher disable
        set ssh-hmac-md5 disable
    end


     
    Now run the ssh client with the -v option.

    (before the change)
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none

    (after the change)
     
    debug1: kex: server->client aes128-ctr hmac-sha1 none
    debug1: kex: client->server aes128-ctr hmac-sha1 none
     
    You can scroll through all the ciphers that the client supports and see which are or are not accepted. Check out my post from a few years back on ssh tips:

    http://socpuppet.blogspot.com/2013/04/ssh-and-ciphers-tipstricks.html

    e.g. (build a file with all ciphers to check that the chain-block (CBC) ciphers are disabled)
     
    CEHacker:~ kfelix$ for p  in ` cat ciphers ` ; do  ssh -c $p 11.11.1.6 ; done
    no matching cipher found: client 3des-cbc server arcfour,aes128-ctr,aes192-ctr,aes256-ctr
    no matching cipher found: client aes128-cbc server arcfour,aes128-ctr,aes192-ctr,aes256-ctr
    no matching cipher found: client aes192-cbc server arcfour,aes128-ctr,aes192-ctr,aes256-ctr
    no matching cipher found: client aes256-cbc server arcfour,aes128-ctr,aes192-ctr,aes256-ctr
    kfelix@11.11.1.6 password:


    I hope that helps
     
     
    Ken
     
    rabubakar
    Re: Disable SSH Weak Ciphers 2017/09/27 04:14:04
    Hi,
     
    Thanks for your feedback. However, the commands are not available in the CLI. 
    Firmware: v5.6.0 build1449 (GA)
    tanr
    Re: Disable SSH Weak Ciphers 2017/09/27 06:44:24
    Does 5.6 still have:
     
    config sys global
      set strong-crypto enable
     
    emnoc
    Re: Disable SSH Weak Ciphers 2017/09/27 08:52:18

    rabubakar wrote:
    Thanks for your feedback. However, the commands are not available in the CLI

    show full sys global | grep ssh

    rabubakar
    Re: Disable SSH Weak Ciphers 2017/09/27 22:04:12
    emnoc wrote:
    Thanks for your feedback. However, the commands are not available in the CLI

    show full sys global | grep ssh


     
    # show full sys global | grep ssh
    set admin-ssh-grace-time 120
    set admin-ssh-password enable
    set admin-ssh-port 22
    set admin-ssh-v1 disable
    sandeepsutar
    Re: Disable SSH Weak Ciphers 2017/09/27 23:13:35
    Hi,

    Did you manage to resolve the issue?

    With FortiOS 5.6.0 (build 1449) and strong-crypto enabled, our security audit also resulted in "SSH Weak MAC Algorithms Enabled" on the firewalls.
    As per the Nessus scan, hmac-sha1-96 is still enabled on SSH and we need to disable it.
    I tried but couldn't find a way to disable it.

    Please share your inputs.
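A check added here for this thread, not FortiOS code and not something any poster above wrote: it reads the server's own KEXINIT offer (the first, still unencrypted packet after the version banners) and flags the classes asked about in this thread (arcfour, CBC-mode ciphers, MD5-based and 96-bit HMACs, SHA-1 key exchange). This is the information the ssh -v loop above infers one cipher at a time, and the list the "SSH Weak MAC Algorithms Enabled" finding above is reporting on. The target address is whatever you pass on the command line; SAMPLE_OFFER is a constructed offer, not a capture from any device, so the script also runs offline.

```python
# Example code added to this thread (not FortiOS code, not posted by anyone above):
# read the server's KEXINIT offer and flag the weak classes discussed here.
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
NAME_LISTS = (  # name-list order is fixed by RFC 4253 section 7.1
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

# Constructed sample offer (not a real capture): the server cipher list from the
# "no matching cipher" output above plus the hmac-sha1-96 MAC Nessus reported.
SAMPLE_OFFER = {
    "kex_algorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha256"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_algorithms_client_to_server": ["arcfour", "aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "encryption_algorithms_server_to_client": ["arcfour", "aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "mac_algorithms_client_to_server": ["hmac-md5", "hmac-sha1", "hmac-sha1-96"],
    "mac_algorithms_server_to_client": ["hmac-md5", "hmac-sha1", "hmac-sha1-96"],
}

def build_kexinit(lists):
    """Encode a KEXINIT as an SSH binary packet (RFC 4253 section 6): uint32 length,
    padding-length byte, payload, then 4..11 bytes of padding to a multiple of 8.
    Only used to produce the constructed sample; a client never forges a server KEXINIT."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # message type + zero cookie
    for name in NAME_LISTS:
        body = ",".join(lists.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(body)) + body
    payload += b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows=false, reserved
    pad = 8 - (5 + len(payload)) % 8
    if pad < 4:
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)

def parse_kexinit(packet):
    """Decode the ten name-lists of a KEXINIT packet into {field: [algorithm, ...]}."""
    packet_len, pad_len = struct.unpack(">IB", packet[:5])
    payload = packet[5:5 + packet_len - pad_len - 1]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("first packet is not SSH_MSG_KEXINIT")
    off, lists = 17, {}  # skip the message byte and the 16-byte cookie
    for name in NAME_LISTS:
        (n,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        lists[name] = [a for a in payload[off:off + n].decode("ascii").split(",") if a]
        off += n
    return lists

def weak_reason(field, algo):
    """Why an offered algorithm is weak, or None. Covers only the classes raised in
    this thread (plain hmac-sha1 is not flagged); it is not a full scanner policy."""
    base = algo.split("@", 1)[0]  # drop a vendor suffix such as @openssh.com
    if field.startswith("encryption_"):
        if base.startswith("arcfour"):
            return "RC4 stream cipher"
        if base.endswith("-cbc"):
            return "CBC mode cipher"
    elif field.startswith("mac_"):
        if base.startswith("hmac-md5"):
            return "MD5-based HMAC"
        if base.endswith(("-96", "-96-etm")):
            return "96-bit truncated HMAC"
    elif field == "kex_algorithms" and base.endswith("-sha1"):
        return "SHA-1 key exchange"
    return None

def weak_algorithms(lists):
    """{field: [(algorithm, reason), ...]} for every weak algorithm the server offers."""
    found = {}
    for field, algos in lists.items():
        hits = [(a, weak_reason(field, a)) for a in algos if weak_reason(field, a)]
        if hits:
            found[field] = hits
    return found

def fetch_kexinit(host, port=22, timeout=5.0):
    """Exchange version strings and return the server's first packet, which RFC 4253
    requires to be KEXINIT. Nothing is encrypted yet, so no SSH library is needed and
    the server cannot reject us over the cipher list a real client would send."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexcheck\r\n")
        stream = sock.makefile("rb")
        line = b""
        while not line.startswith(b"SSH-"):  # servers may send free-text lines first
            line = stream.readline()
            if not line:
                raise ConnectionError("no SSH version string from %s" % host)
        header = stream.read(5)
        (packet_len,) = struct.unpack(">I", header[:4])
        return header + stream.read(packet_len - 1)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. the FortiGate's address
    offer = parse_kexinit(fetch_kexinit(target) if target else build_kexinit(SAMPLE_OFFER))
    for field, hits in weak_algorithms(offer).items():
        for algo, why in hits:
            print("%s: %s (%s)" % (field, algo, why))
```

Run it as python3 kexcheck.py 11.11.1.6 after each config change (the file name and the address are placeholders); with no argument it audits the constructed sample. It lists both directions of every algorithm field, whereas ssh -v shows only the one pair that was actually negotiated, so a server that still offers hmac-sha1-96 is reported even when your client picked a stronger MAC.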
    fl0at0xff
    Re: Disable SSH Weak Ciphers 2019/03/18 01:08:15
    Hello. I have the same problem. I am running 5.6.x with strong-crypto enabled and admin-ssh-v1 disabled, but a lot of weak crypto is still present. I opened a ticket with support.

    I think you can set the global setting "ssh-kex-sha1" to "disable" to prevent the use of SHA-1 in the key exchange.
    Ivanr4g63
    Re: Disable SSH Weak Ciphers 2019/04/19 06:25:11
    fl0at0xff wrote:
    Hello. I have the same problem. I am running 5.6.x with strong-crypto enabled and admin-ssh-v1 disabled, but a lot of weak crypto is still present. I opened a ticket with support.

    I think you can set the global setting "ssh-kex-sha1" to "disable" to prevent the use of SHA-1 in the key exchange.


    Hello, were you able to resolve this?
    I have the same issue on our 320c FortiAPs; our wireless controller is a FortiGate 900D on 6.0.4 firmware.
    I've tried disabling all the settings noted above with no luck; we're still getting the same "SSH Weak MAC Algorithms Enabled" from Nessus.

     
    Any pointers greatly appreciated!