Below is steps to restrict SSH server (port 22) to only accept strong Ciphers:
- Login to your MX or GW via SSH with admin account
- Switch to root user with command: #admin
- Back up your SSH Server configuration file with command: #cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
- Edit SSH server configuration file with command: #vi /etc/ssh/sshd_config
- Navigate to the bottom of the sshd_config file and modify the content:
From
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
To
#Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
- Save the file by pressing Ecs one time -> type :wq -> Enter
- Restart SSH service with command: #sshd service restart
- Upon successful service restart, you should see the following message:
- Done
------------------------------
Stefan Sia (csp)
Customer Support Specialist
------------------------------
Original Message:
Sent: 02-24-2021 10:17
From: Victor Pinzon
Subject: Vulnerability SSH server (MX and GW)
Hello everyone.
The "SSH Server CBC Mode Ciphers Enabled (CVE-2008-5161)" vulnerability was recently discovered in MX and GW DAM appliances version 13.3.21.
The solution that pentesting gave me was: "disable CBC mode
cipher encryption, and enable CTR or GCM cipher mode encryption. "
Does anyone know how this can be solved?
Br.
Victor Pinzon
#DatabaseActivityMonitoring
#On-PremisesWAF(formerlySecuresphere)
------------------------------
Victor Pinzon
Ingeniero de soporte
Bogotá
------------------------------