05-25-2005 09:17 AM - edited 03-10-2019 01:28 AM
I recently had a vulnerability scan completed and "SSH protocol versions supported" showed up in it for my IDS. Has anyone come across this, and if so, how am I able to mitigate it? Is there a way to change the SSH version on the device?
05-26-2005 10:11 AM
Looks like the sensor allows incoming protocols 1 and 2. See /etc/ssh/sshd_config on the sensor.
You can probably change it to only allow SSH protocol 2, but I don't know for sure if that will have other ramifications.
05-26-2005 11:35 AM
Is there a way to find out before I go and make any changes? This is a requirement to comply with a vulnerability assessment that was done on my network. Any information would be great on whether it can be changed and, if not, just a reason why so that I can submit that.
Thanks,
05-26-2005 01:13 PM
What vulnerability is being asserted in the OpenSSH implementation of SSH protocol version 1?
I have not seen a new problem discovered in more than three years in SSH protocol version 1. OpenSSH-3.7.1p2 contains the fixes for all vulnerabilities that I am aware of.
When a vulnerability assessment recommends shutting down SSH protocol version 1, they need to back it up with some facts to show that SSH1 as implemented in the IDS 4.x sensor is insecure.
=====
That having been said, you can disable SSH protocol version 1 by editing /etc/ssh/sshd_config and restarting the service. What you will lose is the ability to manage keys in the IDS CLI. So you cannot use authorized keys to log into the sensor.
The "copy scp:..." and "upgrade scp:..." commands will fail. When you start an SSH2 client, it will refuse to connect to the remote server because it won't trust the host key.
You also won't be able to manage network devices to perform blocking using the SSH protocol.
05-27-2005 04:03 AM
The only item that showed up on the assessment is that multiple SSH versions are supported. The recommendation is to lock it down to one version.
So basically you are saying that SSH2 will not work or provide the functionality that I get with SSH1. What version is on the IPS 5.0?
Thank you again for the information.
06-01-2005 08:16 AM
As shipped, the SSH server will allow SSH1 and SSH2 clients to connect to the sensor. You can disable one or the other using the service account, and editing /etc/ssh/sshd_config. For example, to disable SSH2, change the line:
#Protocol 2,1
to
Protocol 1
All SSH clients started by the sensor software are restricted to SSH1.
IPS 5.0(2) includes the same openssh-3.7.1p2 as IDS 4.1(4). We will be upgrading to openssh-4.0p1 in a future release of IDS 4.1 and IPS 5.0.
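The two answers above (disabling one protocol version by editing /etc/ssh/sshd_config, and the shipped "#Protocol 2,1" line) and the original scan finding can be checked with the following script. It is an added example, not code from the thread or from Cisco; it assumes the OpenSSH 3.x behaviour that a commented-out or absent Protocol directive means the default "2,1", and that the sensor's sshd sends the standard version banner that a scanner reads. The config text and banner it works on are constructed samples.

```shell
#!/bin/sh
# Added example (not from the Cisco thread): report which SSH protocol versions
# an OpenSSH 3.x-era sshd_config enables, produce the SSH2-only version of that
# config, and interpret the server's version banner (what a scanner reports as
# "SSH protocol versions supported").
# Assumption: OpenSSH 3.x defaults to "Protocol 2,1" when the directive is
# absent or commented out, matching the shipped "#Protocol 2,1" in the thread.

# Print the effective Protocol value for an sshd_config read from stdin.
# Commented lines are ignored; if no live directive exists the default applies;
# the last live directive wins.
effective_protocol() {
    proto=$(sed -n 's/^[[:space:]]*[Pp]rotocol[[:space:]]\{1,\}\([0-9,[:space:]]*\).*/\1/p' \
            | tr -d '[:blank:]' | tail -n 1)
    if [ -z "$proto" ]; then
        proto="2,1"   # assumed OpenSSH 3.x default when the directive is absent
    fi
    printf '%s\n' "$proto"
}

# Exit 0 if the config (stdin) allows SSH1 clients, 1 otherwise.
allows_ssh1() {
    case ",$(effective_protocol)," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Rewrite an sshd_config (stdin) so only SSH2 clients are accepted: drop every
# Protocol directive, commented or live, and append a single "Protocol 2".
harden_to_ssh2() {
    sed '/^[[:space:]]*#\{0,1\}[[:space:]]*[Pp]rotocol[[:space:]]\{1,\}[0-9]/d'
    printf 'Protocol 2\n'
}

# Interpret the identification string the server sends at connect time.
# "SSH-1.99-" means the server accepts both protocol 1 and 2 clients,
# "SSH-2.0-" means 2 only, "SSH-1.5-" or "SSH-1.3-" means 1 only.
banner_protocols() {
    case "$1" in
        SSH-1.99-*) echo "1,2" ;;
        SSH-2.0-*)  echo "2" ;;
        SSH-1.*)    echo "1" ;;
        *)          echo "unknown"; return 1 ;;
    esac
}

# Constructed sample config resembling the sensor's shipped file.
SAMPLE_CONFIG='# sshd_config (constructed sample)
Port 22
#Protocol 2,1
PermitRootLogin no
'

# Constructed banner as a scanner would see it from a sensor allowing both.
SAMPLE_BANNER='SSH-1.99-OpenSSH_3.7.1p2'

main() {
    printf 'Effective setting: Protocol %s\n' \
        "$(printf '%s' "$SAMPLE_CONFIG" | effective_protocol)"
    if printf '%s' "$SAMPLE_CONFIG" | allows_ssh1; then
        echo "SSH1 is enabled; the SSH2-only config would be:"
        printf '%s' "$SAMPLE_CONFIG" | harden_to_ssh2
    fi
    printf 'Banner "%s" advertises protocol(s): %s\n' \
        "$SAMPLE_BANNER" "$(banner_protocols "$SAMPLE_BANNER")"
}
main
```

The script only rewrites the server-side directive; as the thread's answers state, sshd still has to be restarted for the change to take effect, and the sensor's own SSH clients (copy scp, upgrade scp, blocking) are a separate matter that this edit does not address. Rerunning the banner check against the sensor after the restart is the quickest way to confirm what the scanner will see.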
06-01-2005 09:34 AM
Thanks. So if I change this line item to just 1, I should not see anything different in the functionality of the device? Right?
Thanks again,
06-01-2005 09:38 AM
This is a read-only file that I am trying to edit. How do I make this file editable on the device?