topic Modifying SSH cipher on FTD by editing "/etc/ssh/sshd_config" in Network Security

Modifying SSH cipher on FTD by editing "/etc/ssh/sshd_config"

Grizzelz — Thu, 15 Sep 2022 10:38:25 GMT

Hello Team,

I have been through lots of Cisco FTD Docs and cannot find the answer, trying not to raise a TAC case for this if it can be avoided.

Does anyone know if you can modify the SSH cipher on FTD by editing "/etc/ssh/sshd_config" on Cisco FTD 2100?

I found that the below Customer is on 6.6.1, not on the affected list, but as you can see no work around.

https://bst.cisco.com/bugsearch/bug/CSCvr20579

Our of the 8 FTD Devices the customer has only 3 flagged with this issue on a pentest.

Re: Modifying SSH cipher on FTD by editing "/etc/ssh/sshd_config&

Mark Elsen — Thu, 15 Sep 2022 11:32:22 GMT

- At all times you can 'evaluate' modifications to "/etc/ssh/sshd_config" with

% nmap --script ssh2-enum-algos yourdevice

Re: Modifying SSH cipher on FTD by editing "/etc/ssh/sshd_config&

Grizzelz — Thu, 15 Sep 2022 11:42:11 GMT

Hello Marce,

Thank you for this, I take it you mean to run this command from expert within the FTD.

Do you have any Cisco Documentation on this.

Re: Modifying SSH cipher on FTD by editing "/etc/ssh/sshd_config&

Mark Elsen — Thu, 15 Sep 2022 12:10:06 GMT

- No ,from an outside system which has nmap installed , linux systems have this native , you can also install it on windows : https://nmap.org/download

Re: Modifying SSH cipher on FTD by editing "/etc/ssh/sshd_config&

Grizzelz — Thu, 15 Sep 2022 12:17:58 GMT

Hi Marce,

Sorry never done this before, so you are saying use NMAP to connect to the FTD and it can be disabled this way correct ?

Sorry if am not following.

Re: Modifying SSH cipher on FTD by editing "/etc/ssh/sshd_config&

Mark Elsen — Thu, 15 Sep 2022 13:07:11 GMT

- The idea is to just launch this command from a remote system, on a Linux box you could just paste the given command. Nmap will then probe the ssh server on the FTD and return the available ciphers. That way it can be established if modifying the sshd config file will list different available ciphers (nmap output) or not.

Re: Modifying SSH cipher on FTD by editing "/etc/ssh/sshd_config&

Grizzelz — Thu, 15 Sep 2022 13:19:58 GMT

Hi Marce,

That is good to know, but what if I want to change the actual file, how would I do that?

Kind Regards

Re: Modifying SSH cipher on FTD by editing "/etc/ssh/sshd_config&

Mark Elsen — Thu, 15 Sep 2022 17:23:03 GMT

- Probably ( I am not familiar with FTD myself) , you need to be in expert mode and then for instance sudo vi /etc/ssh/sshd_config , you will be prompted for a password , this is the same as the admin password.(To go into the expert mode you type "expert" from the CLISH (FTD CLI))

Re: Modifying SSH cipher on FTD by editing "/etc/ssh/sshd_config&

Grizzelz — Fri, 16 Sep 2022 11:52:50 GMT

From Cisco TAC

Instructions to execute via CLI and remove the weak ciphers:

Connect from FXOS, to FTD

connect ftd, enter expert mode;

> expert

Change to root:

sudo -i

To see existing ciphers,

cat /etc/ssh/sshd_config | grep -e Ciphers -e MAC -e Kex

Make a copy of the original SSH daemon configuration file:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig

Execute the following command to remove the CBC ciphers from the SSH daemon configuration:

- vim /etc/ssh/sshd_config

- "i" to edit

- remove aes128-cbc,aes192-cbc,aes256-cbc, 3des-cbc from list of ciphers --> wq!

Restart the SSH daemon:

/etc/init.d/sshd restart

Note: SSH connection may be down while restarts. Later you can run a new vulnerability scan to confirm results.