topic Re: Disable weak Kex and Macs on R81.20 in General Topics

Disable weak Kex and Macs on R81.20

LostBoY — Wed, 19 Jun 2024 14:58:49 GMT

few vulnerabilites have been reported in my R81.20 cluster on AWS.. prominently i am looking to resolve weak kex and MaCs.

from GAIA i ran -> set ssh server kex ___ off & set ssh server mac ___ off for the reported ones however they were still getting detected.

Just to check I then ran

sshd -T -C addr=localhost | grep -i mac

and the output says i have hmac-1 enabled although i have disabled it via GAIA commands.( same goes for disabled weak kex)

I then tried to edit /etc/ssh/sshd_config file but it seems like in R81.20 it is read only.. i am not sure how to proceed on this.

Any help is appreciated.

Re: Disable weak Kex and Macs on R81.20

PhoneBoy — Thu, 20 Jun 2024 18:07:22 GMT

There are clish commands you can execute to affect these settings.
https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Gaia_AdminGuide/Content/Topics-GAG/Advanced-Gaia-Configuration.htm

Re: Disable weak Kex and Macs on R81.20

LostBoY — Thu, 04 Jul 2024 12:08:57 GMT

i had followed these acutally and i can see only the enabled ciphers when i run show ssh server mac/kex

However, hmac-sha1 is getting detected in the scan reports.. i then checked the sshd_config file in /etc/ssh where i used to do these changes during R80.10 but in R81.20 this file is un editable.. i am kind of stuck here and dont know how to resolve this.

Re: Disable weak Kex and Macs on R81.20

PhoneBoy — Mon, 08 Jul 2024 14:27:22 GMT

sshd_config is generated from /etc/ssh/templates/sshd_config.templ
You can make the necessary changes there, regenerate the sshd_config, and restart sshd:

/bin/sshd_template_xlate < /config/active
service sshd restart

Re: Disable weak Kex and Macs on R81.20

the_rock — Mon, 08 Jul 2024 14:40:44 GMT

I edited that file in R81.20 many times, it definitely works. If you try to vi it, what does it show you?

Andy

Re: Disable weak Kex and Macs on R81.20

LostBoY — Wed, 10 Jul 2024 13:00:42 GMT

i get this error when i ran the following after modifying the templ file

/bin/sshd_template_xlate < /config/active

sshd_config parsing starting...cp: cannot create regular file '/etc/ssh/sshd_config': Permission denied

Re: Disable weak Kex and Macs on R81.20

Bob_Zimmerman — Wed, 10 Jul 2024 13:38:38 GMT

Just a note: hmac-sha1 is plenty secure for the next thousand years, probably longer. hmac-md5 is, too. Anybody who contends otherwise is confusing data integrity hashes with HMACs.

If you're sure this is something you want to do, you could always edit /etc/ssh/sshd_config directly and set the immutable attribute. Be sure you have non-SSH-based connectivity to the system, as you can't fix a broken sshd config using an sshd which refuses to start because the config is broken.

Re: Disable weak Kex and Macs on R81.20

PhoneBoy — Wed, 10 Jul 2024 21:36:08 GMT

You may want to check if /etc/ssh/sshd_config is immutable or not.

Re: Disable weak Kex and Macs on R81.20

Bob_Zimmerman — Thu, 11 Jul 2024 13:45:52 GMT

You can use lsattr to check the extended attributes of a file. This includes whether the file is immutable:

[Expert@DallasSA]# chattr +i /etc/ssh/sshd_config [Expert@DallasSA]# lsattr /etc/ssh/sshd_config ----i----------- /etc/ssh/sshd_config [Expert@DallasSA]# echo "" > /etc/ssh/sshd_config -bash: /etc/ssh/sshd_config: Permission denied [Expert@DallasSA]# chattr -i /etc/ssh/sshd_config [Expert@DallasSA]# lsattr /etc/ssh/sshd_config ---------------- /etc/ssh/sshd_config

The 'i' flag here is the immutable attribute. When a file is immutable, even root isn't allowed to change or remove the file. The attribute must be removed first using 'chattr -i'.