Re: Disable weak Kex and Macs on R81.20

LostBoY · ‎2024-06-19

few vulnerabilites have been reported in my R81.20 cluster on AWS.. prominently i am looking to resolve weak kex and MaCs.

from GAIA i ran -> set ssh server kex ___ off & set ssh server mac ___ off for the reported ones however they were still getting detected.

Just to check I then ran

sshd -T -C addr=localhost | grep -i mac

and the output says i have hmac-1 enabled although i have disabled it via GAIA commands.( same goes for disabled weak kex)

I then tried to edit /etc/ssh/sshd_config file but it seems like in R81.20 it is read only.. i am not sure how to proceed on this.

Any help is appreciated.

PhoneBoy · ‎2024-06-20

There are clish commands you can execute to affect these settings.
https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Gaia_AdminGuide/Content/Topi...

See also: https://support.checkpoint.com/results/sk/sk172189

LostBoY

i had followed these acutally and i can see only the enabled ciphers when i run show ssh server mac/kex

However, hmac-sha1 is getting detected in the scan reports.. i then checked the sshd_config file in /etc/ssh where i used to do these changes during R80.10 but in R81.20 this file is un editable.. i am kind of stuck here and dont know how to resolve this.

PhoneBoy

sshd_config is generated from /etc/ssh/templates/sshd_config.templ
You can make the necessary changes there, regenerate the sshd_config, and restart sshd:

/bin/sshd_template_xlate < /config/active
service sshd restart

LostBoY

i get this error when i ran the following after modifying the templ file

/bin/sshd_template_xlate < /config/active

sshd_config parsing starting...cp: cannot create regular file '/etc/ssh/sshd_config': Permission denied

PhoneBoy

You may want to check if /etc/ssh/sshd_config is immutable or not.

Bob_Zimmerman

You can use lsattr to check the extended attributes of a file. This includes whether the file is immutable:

[Expert@DallasSA]# chattr +i /etc/ssh/sshd_config

[Expert@DallasSA]# lsattr /etc/ssh/sshd_config
----i----------- /etc/ssh/sshd_config

[Expert@DallasSA]# echo "" > /etc/ssh/sshd_config
-bash: /etc/ssh/sshd_config: Permission denied

[Expert@DallasSA]# chattr -i /etc/ssh/sshd_config

[Expert@DallasSA]# lsattr /etc/ssh/sshd_config
---------------- /etc/ssh/sshd_config

The 'i' flag here is the immutable attribute. When a file is immutable, even root isn't allowed to change or remove the file. The attribute must be removed first using 'chattr -i'.

the_rock

I edited that file in R81.20 many times, it definitely works. If you try to vi it, what does it show you?

Andy

Bob_Zimmerman

Just a note: hmac-sha1 is plenty secure for the next thousand years, probably longer. hmac-md5 is, too. Anybody who contends otherwise is confusing data integrity hashes with HMACs.

If you're sure this is something you want to do, you could always edit /etc/ssh/sshd_config directly and set the immutable attribute. Be sure you have non-SSH-based connectivity to the system, as you can't fix a broken sshd config using an sshd which refuses to start because the config is broken.

Are you a member of CheckMates?

Disable weak Kex and Macs on R81.20