https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-weak-algorithm-supported/m-p/109693#M14969 <P>Hi,</P> <P>&nbsp;</P> <P>Its right in the sk itself:</P> <P>&nbsp;</P> <OL> <LI>Add the following 2 lines to the<SPAN>&nbsp;</SPAN><EM>/etc/ssh/ssh_config</EM><SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN><EM>/etc/ssh/sshd_config</EM><SPAN>&nbsp;</SPAN>files:<BR /> <P><EM>Ciphers&nbsp;aes128-ctr,aes192-ctr,aes256-ctr</EM></P> <P><EM>MACs hmac-sha1<BR /><BR /></EM><STRONG>Important:</STRONG>&nbsp;There should be<SPAN>&nbsp;</SPAN><STRONG>no</STRONG>&nbsp;spaces between ciphers/MACs and commas.&nbsp;</P> </LI> <LI>Remove previous "Ciphers/MACs" lines if they currently exist in the above files.<BR /><BR /></LI> <LI>Restart the SSH server using the&nbsp;<EM>service sshd restart</EM>&nbsp;command.</LI> </OL> Wed, 03 Feb 2021 14:36:33 GMT the_rock 2021-02-03T14:36:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-weak-algorithm-supported/m-p/109288#M14818 <P>a Vulnerability "SSH weak Algorithms supported" has been reported in R80.10 Gateways.. What is the procedure to resolve this vulnerability ?</P><P>are some modifications required in sshd conf file for this ?</P><P>Thanks</P> Fri, 29 Jan 2021 12:55:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-weak-algorithm-supported/m-p/109288#M14818 LostBoY 2021-01-29T12:55:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-weak-algorithm-supported/m-p/109290#M14820 <P>Start with reviewing&nbsp;<SPAN>sk106031 depending on the specific finding.</SPAN></P> Fri, 29 Jan 2021 13:42:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-weak-algorithm-supported/m-p/109290#M14820 Chris_Atkinson 2021-01-29T13:42:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-weak-algorithm-supported/m-p/109304#M14823 <P>You can adjust some of the algorithms offered by modifying the sshd configuration.<BR />However, the version of OpenSSH we use prior to R80.40 is old and does not offer some of the currently recommended algorithms.<BR />Given that R80.10 is End of Support in a few months, it’s highly recommended you upgrade.<BR /><BR /></P> Fri, 29 Jan 2021 17:16:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-weak-algorithm-supported/m-p/109304#M14823 PhoneBoy 2021-01-29T17:16:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-weak-algorithm-supported/m-p/109691#M14967 <P>Yes ..we have an upgrade planned in March for this.</P><P>Can you please point out the config i need to modify in sshd file</P> Wed, 03 Feb 2021 14:28:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-weak-algorithm-supported/m-p/109691#M14967 LostBoY 2021-02-03T14:28:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-weak-algorithm-supported/m-p/109693#M14969 <P>Hi,</P> <P>&nbsp;</P> <P>Its right in the sk itself:</P> <P>&nbsp;</P> <OL> <LI>Add the following 2 lines to the<SPAN>&nbsp;</SPAN><EM>/etc/ssh/ssh_config</EM><SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN><EM>/etc/ssh/sshd_config</EM><SPAN>&nbsp;</SPAN>files:<BR /> <P><EM>Ciphers&nbsp;aes128-ctr,aes192-ctr,aes256-ctr</EM></P> <P><EM>MACs hmac-sha1<BR /><BR /></EM><STRONG>Important:</STRONG>&nbsp;There should be<SPAN>&nbsp;</SPAN><STRONG>no</STRONG>&nbsp;spaces between ciphers/MACs and commas.&nbsp;</P> </LI> <LI>Remove previous "Ciphers/MACs" lines if they currently exist in the above files.<BR /><BR /></LI> <LI>Restart the SSH server using the&nbsp;<EM>service sshd restart</EM>&nbsp;command.</LI> </OL> Wed, 03 Feb 2021 14:36:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-weak-algorithm-supported/m-p/109693#M14969 the_rock 2021-02-03T14:36:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-weak-algorithm-supported/m-p/109700#M14970 <P>Thanks for the reply..</P><P>&nbsp;</P><P>i was looking in the sshd and ssh config files but i dont see any enabled CIPHERS there.</P><P>in the ssh config there is a line ciphers aes-.. blowfish.. and so on but it is hashed out .. this line is not present in sshd config file.</P><P>So i am a bit confused here.. why the vulnerability is being detected if it is hashed out ? or does no entry in the file related to default ciphers ?</P> Wed, 03 Feb 2021 14:54:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-weak-algorithm-supported/m-p/109700#M14970 LostBoY 2021-02-03T14:54:57Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-weak-algorithm-supported/m-p/109701#M14971 <P>Send me the file privately and I can compare it to one from fresh gateway.</P> <P>Andy</P> Wed, 03 Feb 2021 14:56:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-weak-algorithm-supported/m-p/109701#M14971 the_rock 2021-02-03T14:56:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-weak-algorithm-supported/m-p/109702#M14972 <P>The OpenBSD developers (and OpenSSH is an OpenBSD project) include default values for most configurable items. These default values don't need anything in the config file to work, but they include them in the config file anyway as a valid config line which would result in the same behavior as the default, commented out.</P> <P>You can either remove the "# " at the start of the line and edit it to your requirements (the defaults for a given OpenSSH version are easy enough to find online), or you can add a new line in the file meeting your requirements.</P> Wed, 03 Feb 2021 15:10:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-weak-algorithm-supported/m-p/109702#M14972 Bob_Zimmerman 2021-02-03T15:10:49Z