The information security department sent “SSH Server CBC Mode Ciphers Enabled” and “SSH Server CBC Mode Ciphers Enabled” issues on a Brocade SAN switch. How can I fix this?
Run the fix below:
secCryptoCfg --show ==> current configuration
For example: I want to use the cipher and MAC below
secCryptoCfg --replace -type SSH -cipher aes128-ctr,aes192-ctr,aes256-ctr -mac hmac-sha1,umac-64@openssh.com,hmac-ripemd160
Hi,
Please refer to the steps below.
1. Check the existing ssh configuration file
>ls -la /etc/sshd_config
2. Back up the SSH configuration file
>cp -p /etc/sshd_config /etc/sshd_config_2019xxxx
3. Check the backup file
>ls -la /etc/sshd_config_2019xxxx
4. Check the contents of Ciphers
>cat /etc/sshd_config
5. Disable CBC ciphers (do not add CBC)
>echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com" >> /etc/sshd_config
6. Check the contents of Ciphers
>cat /etc/sshd_config
7. To display the configured algorithm, use the following command.
>sansw:idser> seccryptocfg --show
Sample output:
HTTPS Cipher List : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
SSH Cipher List : aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
SSH Kex Algorithms List : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
SSH MACs List : hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512
8. Configure the ciphers and the KEX and MAC algorithms (disable CBC)
>secCryptoCfg --replace -type SSH -cipher aes128-ctr,aes192-ctr,aes256-ctr -kex ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Confirm that no error is displayed.
9. Restart SANSW (if you are working over a remote SSH connection only, entering the "reboot" command is better than stopping/starting the SSH service)
>reboot
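
A check to run over saved `seccryptocfg --show` output before and after the change, as an added example that is not part of the original posts and is not Brocade code. The function names are hypothetical and the sample text is constructed from the sample output quoted above; it assumes the output has been captured on an admin workstation with standard sed, grep, tr and paste.

```shell
#!/bin/sh
# Added example: flag CBC-mode entries in the "SSH Cipher List" line of
# captured `seccryptocfg --show` output and build the CBC-free list.

# Constructed sample input, taken from the sample output quoted in the post.
SAMPLE_SHOW_OUTPUT='SSH Cipher List : aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
SSH MACs List : hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512'

# Print the comma-separated value of the first "SSH Cipher List" line.
ssh_cipher_list() {
    printf '%s\n' "$1" \
        | sed -n 's/^SSH Cipher List[[:space:]]*:[[:space:]]*//p' \
        | head -n 1 | tr -d ' \t\r'
}

# Print only the entries whose name ends in -cbc.
cbc_ciphers() {
    ssh_cipher_list "$1" | tr ',' '\n' | grep -i -e '-cbc$' | paste -sd, -
}

# Print the list with every CBC entry removed, order preserved.
non_cbc_ciphers() {
    ssh_cipher_list "$1" | tr ',' '\n' | grep -v -i -e '-cbc$' | grep . | paste -sd, -
}

# Return 0 when no CBC cipher is enabled, 1 otherwise, and report the finding.
audit_ssh_ciphers() {
    audit_found=$(cbc_ciphers "$1")
    audit_keep=$(non_cbc_ciphers "$1")
    if [ -z "$audit_found" ]; then
        echo "OK: no CBC ciphers in SSH Cipher List"
        return 0
    fi
    echo "FINDING: CBC ciphers enabled: $audit_found"
    # Command form taken from the posts above; review the list before running it.
    echo "Candidate fix: secCryptoCfg --replace -type SSH -cipher $audit_keep"
    return 1
}

# Demonstration on the constructed sample (a finding is expected here).
audit_ssh_ciphers "$SAMPLE_SHOW_OUTPUT" || true
```

Run the same check on the output captured after step 8 and the reboot; it should then report no CBC ciphers.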