May_Kyaw
Explorer

Disable ssh weak ciphers for CheckPoint Smart-1 410

Hello,

I would like to know whether I can disable support for weak ciphers (Arcfour and Cipher Block Chaining (CBC) cipher suites), and I want to implement support for strong ciphers (Counter (CTR)).

Can I know the steps?

0 Kudos
1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion

Starting from R80.40 you can change that by editing sshd_config content by changing the default SSH encryption method used. To change the default SSH encryption method used, do the following and edit the cipher in the /etc/ssh/templates/sshd_config.templ file.

For example, to set the default encryption method:

Ciphers aes256-ctr,aes128-ctr,...

Restart the SSH server using the "service sshd restart" command.

Version R81.10+ introduces these commands to change the configuration with Clish:

  • set ssh server cipher VALUE off
  • set ssh server cipher VALUE on
  • set ssh server mac VALUE off
  • set ssh server mac VALUE on
  • show ssh server cipher enabled
  • show ssh server cipher supported
  • show ssh server mac enabled
  • show ssh server mac supported
➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
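
A check for the edit described in this answer, as an added example that is not part of the original post and not Check Point code: it reads the Ciphers line of an sshd_config-style file and reports any Arcfour or CBC entries. The function name weak_ciphers, its exit codes and the sample input are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Check Point code): audit the Ciphers directive of an
# sshd_config-style file such as the template named in the post.
# weak_ciphers FILE prints every Arcfour or CBC cipher listed, one per line.
# Exit status: 0 = explicit list without weak ciphers
#              1 = explicit list containing weak ciphers
#              2 = effective list depends on the sshd build's defaults
weak_ciphers() {
    # sshd honours the first occurrence of a keyword; keywords are
    # case-insensitive and commented-out lines never match.
    list=$(awk 'tolower($1) == "ciphers" { $1 = ""; print; exit }' "$1" |
           tr -d ' \t')
    # No Ciphers line: the compiled-in default list applies.
    [ -n "$list" ] || return 2
    # OpenSSH also accepts lists starting with +, - or ^, which modify the
    # default list instead of replacing it.
    case "$list" in
        [+^-]*) return 2 ;;
    esac
    found=0
    for c in $(printf '%s' "$list" | tr ',' ' '); do
        case "$c" in
            arcfour*|*-cbc|*-cbc@*) printf '%s\n' "$c"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample input, not a real Gaia template.
sample=$(mktemp)
printf '%s\n' 'Port 22' \
    'Ciphers aes256-ctr,aes128-ctr,aes128-cbc,3des-cbc,arcfour' > "$sample"
weak_ciphers "$sample" || echo "status $? (1 = weak ciphers listed above)"
rm -f "$sample"
```

Status 2 means the file alone does not determine the result; after restarting sshd, the effective list can be read with `sshd -T | grep -i '^ciphers'`.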


5 Replies
PhoneBoy
Admin

From R80.40 JHF 83 through R81, the correct approach is to edit /etc/ssh/templates/sshd_config.templ instead of /etc/ssh/sshd_config 

HeikoAnkenbrand
Champion

THX @PhoneBoy,

I forgot the red area in the path/file:
/etc/ssh/templates/sshd_config.templ

I have changed it above.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
May_Kyaw
Explorer

Thanks so much. I will try this.

0 Kudos