Brocade SAN Switch SSH Hardening- SSH Server CBC Mode Ciphers Enabled -SSH Server CBC Mode Ciphers Enabled

1
1409

information security department sent “SSH Server CBC Mode Ciphers Enabled” and “SSH Server CBC Mode Ciphers Enabled” issues on Brocade SAN Switch.How can I fix this?

Run below fix:

secCryptoCfg -show ==> current configuration
For example : I want to use below cipher and mac
secCryptoCfg –replace -type SSH -cipher aes128-ctr,aes192-ctr,aes256-ctr -mac hmac-sha1,umac-64@openssh.com,hmac-ripemd160

1 COMMENT

  1. HI,
    Please refer below
    1. Check the existing ssh configuration file
    >ls -la /etc/sshd_config
    2. backup ssh configuration file
    >cp -p /etc/sshd_config /etc/sshd_config_2019xxxx
    3. Check backup file
    >ls -la /etc/sshd_config_2019xxxx
    4. Check the contents of Ciphers
    >cat/etc/sshd_config
    5. Disable CBC Ciphers (without add CBC)
    >echo “Ciphers aes128-ctr, aes192-ctr, aes256-ctr, chacha20-poly1305@openssh.com, aes128-gcm@openssh.com, aes256-gcm@openssh.com” >> /etc/sshd_config
    6. Check the contents of Ciphers
    >cat /etc/sshd_config
    7. To display the configured algorithm, use the following command.
    >sansw:idser> seccryptocfg –show
    Sample output:
    HTTPS Cipher List : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
    SSH Cipher List : aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
    SSH Kex Algorithms List : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    SSH MACs List : hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512″
    8. Configures the ciphers, and KEX and MAC algorithms(disable CBC)
    >secCryptoCfg –replace -type SSH -cipher aes128-ctr,aes192-ctr,aes256-ctr -kex ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1″ エラーが出ないこと

    9. Restart SANSW (if work remote SSH connection only, so need to enter command “reboot” is better instead of stop/start ssh services)
    >reboot

LEAVE A REPLY

Please enter your comment!
Please enter your name here