Fixing the "SSH Server CBC Mode Ciphers Enabled" finding

Posted by hellohf123 on 2021-08-10

Environment: CentOS 7.9

Scanner: Nessus


Result:

Fix:

1. Edit the sshd configuration:

[root@cdb19 ssh]# vim /etc/ssh/sshd_config

Original:

# Ciphers and keying
#RekeyLimit default none

Change to (the last two lines are newly added):

# Ciphers and keying
#RekeyLimit default none
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
Macs hmac-sha1,hmac-ripemd160

2. Restart sshd:

[root@cdb19 ssh]# systemctl restart sshd



Verification:

Verify with Nmap:

nmap --script ssh2-enum-algos -sV -p 22 <target IP>


Before the change:

[root@gacoratest001 ~]# nmap --script ssh2-enum-algos -sV -p 22 10.8.98.150

Starting Nmap 5.51 ( ) at 2021-08-10 11:55 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.8.98.150
Host is up (0.0010s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh2-enum-algos: 
|   kex_algorithms (12)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms (12)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|       aes128-cbc
|       aes192-cbc
|       aes256-cbc
|       blowfish-cbc
|       cast128-cbc
|       3des-cbc
|   mac_algorithms (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms (2)
|       none
|_      zlib@openssh.com
MAC Address: 00:50:56:9D:BD:11 (VMware)

Service detection performed. Please report any incorrect results at /submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds



After the change:

|   encryption_algorithms (6)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       arcfour256
|       arcfour128
|       arcfour
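The two steps above (edit the Ciphers/Macs lines, then rescan) can be checked mechanically. The following POSIX shell script is an added example, not part of the original post: it flags CBC-mode and other legacy algorithms both in sshd_config Ciphers/MACs lines and in the encryption_algorithms / mac_algorithms sections of ssh2-enum-algos output. It is run here against the exact Ciphers and Macs lines from the fix above and against a constructed Nmap listing that reuses the algorithm names from the pre-change scan. The weak-algorithm patterns, the HARDENED_CIPHERS / HARDENED_MACS lists and every function name are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): flag CBC-mode and other legacy
# SSH algorithms in an sshd_config "Ciphers"/"MACs" line or in the
# encryption_algorithms / mac_algorithms section of Nmap ssh2-enum-algos output.

# Hardened replacement lists (this example's choice). Every name below appears
# in the post's pre-change scan, so OpenSSH 7.4 on that host already offers it.
HARDENED_CIPHERS='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
HARDENED_MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'

# Exit 0 when the algorithm name is a legacy one: any CBC mode, RC4 (arcfour),
# 3DES, Blowfish, CAST, or a SHA-1 / RIPEMD-160 / MD5 / 96-bit-truncated MAC.
is_weak_algo() {
    case "$1" in
        *-cbc|arcfour*|3des*|blowfish*|cast128*) return 0 ;;
        hmac-sha1*|hmac-ripemd160*|hmac-md5*|*-96|*-96-etm@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the weak entries of a comma-separated algorithm list, one per line.
weak_in_list() {
    printf '%s\n' "$1" | tr ',' '\n' | while read -r algo; do
        if [ -n "$algo" ] && is_weak_algo "$algo"; then printf '%s\n' "$algo"; fi
    done
}

# Given one sshd_config line such as "Ciphers a,b,c", print its weak entries.
weak_in_config_line() {
    weak_in_list "$(printf '%s\n' "$1" | awk '{print $2}')"
}

# Read ssh2-enum-algos output on stdin and print the weak entries of the named
# section ("encryption_algorithms" or "mac_algorithms"). A section header looks
# like "|   mac_algorithms (10)"; entries are "|       name" / "|_      name".
weak_in_nmap() {
    awk -v want="$1" '
        /^\|?[ _]*[a-z0-9_]+ \([0-9]+\)/ { insec = (index($0, want) > 0); next }
        insec && /^\|[ _]+[^ ]/          { sub(/^\|[ _]+/, ""); print }
    ' | while read -r algo; do
        if is_weak_algo "$algo"; then printf '%s\n' "$algo"; fi
    done
}

# Constructed sample data: the post's own Ciphers/Macs lines, and an abbreviated
# ssh2-enum-algos listing built from the algorithm names in the post's scan.
POST_CIPHERS='Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour'
POST_MACS='Macs hmac-sha1,hmac-ripemd160'
SAMPLE_NMAP='| ssh2-enum-algos:
|   encryption_algorithms (12)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|       aes128-cbc
|       aes192-cbc
|       aes256-cbc
|       blowfish-cbc
|       cast128-cbc
|       3des-cbc
|   mac_algorithms (4)
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       hmac-sha2-256
|_      hmac-sha1
MAC Address: 00:00:00:00:00:00 (constructed)'

main() {
    echo "Weak ciphers still offered by the post's Ciphers line:"
    weak_in_config_line "$POST_CIPHERS"
    echo "Weak MACs still offered by the post's Macs line:"
    weak_in_config_line "$POST_MACS"
    echo "Weak ciphers offered by the scanned host (before the change):"
    printf '%s\n' "$SAMPLE_NMAP" | weak_in_nmap encryption_algorithms
    echo "Hardened replacement lines for sshd_config:"
    echo "Ciphers $HARDENED_CIPHERS"
    echo "MACs $HARDENED_MACS"
    echo "Weak entries in the hardened lines: $(weak_in_list "$HARDENED_CIPHERS,$HARDENED_MACS" | wc -l)"
}
main
```

The check shows why the fix above is only half done: it removes the CBC ciphers Nessus complained about, but still offers RC4 (arcfour) and the hmac-sha1 / hmac-ripemd160 MACs, which are legacy algorithms in their own right and are flagged by other weak-algorithm scanner checks. The hardened lists contain only names the pre-change scan already reported, so they work on the same OpenSSH 7.4 server; note that arcfour and hmac-ripemd160 were removed from OpenSSH in 7.6, so the post's Ciphers/Macs lines would stop sshd from starting on a newer release. Run sshd -t after editing sshd_config and before systemctl restart sshd, and sshd -T | grep -i -e ciphers -e macs afterwards to confirm the effective lists.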



From "ITPUB Blog", link: http://blog.itpub.net/70004783/viewspace-2786159/. Please credit the source when reposting; otherwise legal action will be pursued.
