LostBoY
Advisor

Disable weak Kex and Macs on R81.20

A few vulnerabilities have been reported in my R81.20 cluster on AWS. Mainly, I am looking to resolve weak KEX and MACs.

From GAIA I ran set ssh server kex ___ off and set ssh server mac ___ off for the reported ones; however, they were still getting detected.

Just to check I then ran

sshd -T -C addr=localhost | grep -i mac

and the output says I have hmac-sha1 enabled, although I have disabled it via GAIA commands (the same goes for the disabled weak KEX).

I then tried to edit the /etc/ssh/sshd_config file, but it seems like in R81.20 it is read-only. I am not sure how to proceed on this.

Any help is appreciated.

0 Kudos
8 Replies
PhoneBoy
Admin

0 Kudos
LostBoY
Advisor

I had followed these actually, and I can see only the enabled ciphers when I run show ssh server mac/kex.

However, hmac-sha1 is getting detected in the scan reports. I then checked the sshd_config file in /etc/ssh, where I used to do these changes during R80.10, but in R81.20 this file is uneditable. I am kind of stuck here and don't know how to resolve this.

0 Kudos
PhoneBoy
Admin

sshd_config is generated from /etc/ssh/templates/sshd_config.templ.
You can make the necessary changes there, regenerate the sshd_config, and restart sshd:

  • /bin/sshd_template_xlate < /config/active
  • service sshd restart

0 Kudos
LostBoY
Advisor

I get this error when I ran the following after modifying the templ file:

  • /bin/sshd_template_xlate < /config/active

sshd_config parsing starting...cp: cannot create regular file '/etc/ssh/sshd_config': Permission denied

0 Kudos
PhoneBoy
Admin

You may want to check if /etc/ssh/sshd_config is immutable or not.

0 Kudos
Bob_Zimmerman
Authority

You can use lsattr to check the extended attributes of a file. This includes whether the file is immutable:

[Expert@DallasSA]# chattr +i /etc/ssh/sshd_config

[Expert@DallasSA]# lsattr /etc/ssh/sshd_config
----i----------- /etc/ssh/sshd_config

[Expert@DallasSA]# echo "" > /etc/ssh/sshd_config
-bash: /etc/ssh/sshd_config: Permission denied

[Expert@DallasSA]# chattr -i /etc/ssh/sshd_config

[Expert@DallasSA]# lsattr /etc/ssh/sshd_config
---------------- /etc/ssh/sshd_config

The 'i' flag here is the immutable attribute. When a file is immutable, even root isn't allowed to change or remove the file. The attribute must be removed first using 'chattr -i'.

0 Kudos
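As an added example (not code from this thread or from Check Point), the two checks discussed above in one POSIX shell script: it parses sshd -T output for the MACs/KEX a scanner typically flags, and parses lsattr output for the immutable flag. The weak-algorithm lists, the sample line and the --live switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check which scanner-flagged MACs/KEX
# are still *effective* in sshd, and whether sshd_config is immutable.
# The weak-algorithm lists below are this example's own assumption.
WEAK_MACS="hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96"
WEAK_KEX="diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1"

# weak_in_effective "<keyword> a,b,c" "<weak list>"
# Takes one line of `sshd -T` output (e.g. "macs hmac-sha2-256,hmac-sha1")
# and prints, space-separated, the weak-list entries that are still enabled.
weak_in_effective() {
    hits=""
    for a in $(printf '%s\n' "$1" | awk '{print $2}' | tr ',' ' '); do
        for w in $2; do
            if [ "$a" = "$w" ]; then hits="$hits $a"; fi
        done
    done
    printf '%s\n' "${hits# }"
}

# is_immutable "<lsattr line>": true when the attribute field contains 'i',
# as in "----i----------- /etc/ssh/sshd_config".
is_immutable() {
    case "$(printf '%s\n' "$1" | awk '{print $1}')" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Live audit of this host (needs root for sshd -T and lsattr).
audit_live() {
    eff=$(sshd -T -C addr=localhost) || return 1
    for kw in macs kexalgorithms; do
        if [ "$kw" = macs ]; then weak=$WEAK_MACS; else weak=$WEAK_KEX; fi
        bad=$(weak_in_effective "$(printf '%s\n' "$eff" | grep "^$kw ")" "$weak")
        if [ -n "$bad" ]; then echo "WEAK $kw still effective: $bad"; else echo "OK $kw"; fi
    done
    if is_immutable "$(lsattr /etc/ssh/sshd_config)"; then
        echo "/etc/ssh/sshd_config is immutable: run 'chattr -i' before regenerating it"
    fi
}

# Constructed sample of the `sshd -T ... | grep -i mac` line from the thread.
SAMPLE="macs hmac-sha2-256,hmac-sha2-512,hmac-sha1"
if [ "${1:-}" = "--live" ]; then
    audit_live
else
    echo "sample weak MACs: $(weak_in_effective "$SAMPLE" "$WEAK_MACS")"
fi
```

Run it with --live as root on the gateway to audit the real sshd; without arguments it only evaluates the constructed sample.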
the_rock
Legend

I edited that file in R81.20 many times, it definitely works. If you try to vi it, what does it show you?

Andy

0 Kudos
Bob_Zimmerman
Authority

Just a note: hmac-sha1 is plenty secure for the next thousand years, probably longer. hmac-md5 is, too. Anybody who contends otherwise is confusing data integrity hashes with HMACs.

If you're sure this is something you want to do, you could always edit /etc/ssh/sshd_config directly and set the immutable attribute. Be sure you have non-SSH-based connectivity to the system, as you can't fix a broken sshd config using an sshd which refuses to start because the config is broken.

0 Kudos
