cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1080
Views
0
Helpful
8
Replies

Modifying SSH cipher on FTD by editing "/etc/ssh/sshd_config"

Grizzelz
Beginner
Beginner

Hello Team,

I have been through lots of Cisco FTD Docs and cannot find the answer, trying not to raise a TAC case for this if it can be avoided.

Does anyone know if you can modify the SSH cipher on FTD by editing "/etc/ssh/sshd_config" on Cisco FTD 2100?

I found that the below Customer is on 6.6.1, not on the affected list, but as you can see no work around.

https://bst.cisco.com/bugsearch/bug/CSCvr20579

Our of the 8 FTD Devices the customer has only 3 flagged with this issue on a pentest.

 

1 Accepted Solution

Accepted Solutions

From Cisco TAC

 

 

Instructions to execute via CLI and remove the weak ciphers:

 

Connect from FXOS, to FTD

 

connect ftd, enter expert mode;

 

> expert

 

  1. Change to root:

 

sudo  -i

 

  1. To see existing ciphers,

 

cat /etc/ssh/sshd_config | grep -e Ciphers -e MAC -e Kex

 

  1. Make a copy of the original SSH daemon configuration file:

 

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig

 

  1. Execute the following command to remove the CBC ciphers from the SSH daemon configuration:

 

- vim /etc/ssh/sshd_config

- "i" to edit

- remove aes128-cbc,aes192-cbc,aes256-cbc, 3des-cbc from list of ciphers --> wq!

 

  1. Restart the SSH daemon:

 

/etc/init.d/sshd restart

 

Note: SSH connection may be down while restarts. Later you can run a new vulnerability scan to confirm results.

View solution in original post

8 Replies 8

marce1000
VIP Mentor VIP Mentor
VIP Mentor

 

                       - At all times you can 'evaluate' modifications to "/etc/ssh/sshd_config" with 

% nmap --script ssh2-enum-algos yourdevice

 M.

Hello Marce,

Thank you for this, I take it you mean to run this command from expert within the FTD.

Do you have any Cisco Documentation on this.

 

 - No ,from an outside system which has nmap installed , linux systems have this native , you can also install it on windows : https://nmap.org/download

 M.

Hi Marce,

Sorry never done this before, so you are saying use NMAP to connect to the FTD and it can be disabled this way correct ?

Sorry if am not following.

 

 

 

 - The idea is to just launch this command from a remote system, on a Linux box you could just paste the given command. Nmap will then probe the ssh server on the FTD and return the available ciphers. That way it can be established if modifying the sshd config file will list different available ciphers (nmap output) or not.

 M.

Hi Marce,

That is good to know, but what if I want to change the actual file, how would I do that?

 

 

Kind Regards

 

 

 - Probably ( I am not familiar with FTD myself) , you need to be in expert mode and then for instance sudo vi /etc/ssh/sshd_config , you will be prompted for a password , this is the same as the admin password.(To go into the expert mode you type "expert" from the CLISH (FTD CLI))

 M.

From Cisco TAC

 

 

Instructions to execute via CLI and remove the weak ciphers:

 

Connect from FXOS, to FTD

 

connect ftd, enter expert mode;

 

> expert

 

  1. Change to root:

 

sudo  -i

 

  1. To see existing ciphers,

 

cat /etc/ssh/sshd_config | grep -e Ciphers -e MAC -e Kex

 

  1. Make a copy of the original SSH daemon configuration file:

 

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig

 

  1. Execute the following command to remove the CBC ciphers from the SSH daemon configuration:

 

- vim /etc/ssh/sshd_config

- "i" to edit

- remove aes128-cbc,aes192-cbc,aes256-cbc, 3des-cbc from list of ciphers --> wq!

 

  1. Restart the SSH daemon:

 

/etc/init.d/sshd restart

 

Note: SSH connection may be down while restarts. Later you can run a new vulnerability scan to confirm results.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: