02-15-2022 02:28 AM
Hello,
A penetration test revealed that SSH on Expressways has CBC mode ciphers enabled, and they asked to disable this.
Pen test result: "We have managed to identify that the SSH server running on the remote host is configured to support Cipher Block Chaining (CBC) encryption."
Pen test recommendation: "You should disable the CBC mode cipher encryption and enable CTR or GCM cipher mode encryption instead."
The CLI command "xconfiguration // cipher" shows
xConfiguration Ciphers sshd_ciphers Value: "aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
Is there any CLI command that could disable the proposal of aes256-cbc ciphers?
Thank you very much,
02-15-2022 02:38 AM - edited 02-15-2022 02:44 AM
I think it's possible to edit (add, delete) the ciphers via the GUI.
I currently don't have access to an EXP to give you the correct page-path.
But be careful when editing them. There may be some interop issues with other systems then. Good advice is to take a backup first or note down the changes.
02-15-2022 02:55 AM
Hi,
The SSH page regarding ciphers is completely different than the other protocols (HTTPS, SIP, etc.).
As far as I can see there is no way to delete/disable SSH ciphers within the GUI.
Thanks.
02-15-2022 03:28 AM
But there is a different page for SSH configuration under "Maintenance" --> "Security" --> "SSH Configuration":
02-15-2022 03:42 AM
The 12.7.1 version has no "Remote Access Configuration".
What is your version?
Thank you.
02-15-2022 04:29 AM
I'm on version X14.0.5.