Modifying SSH cipher on FTD by editing "/etc/ssh/sshd_config"

Grizzelz (Level 1)

Hello Team,

I have been through lots of Cisco FTD docs and cannot find the answer; I am trying not to raise a TAC case for this if it can be avoided.

Does anyone know if you can modify the SSH cipher on FTD by editing "/etc/ssh/sshd_config" on Cisco FTD 2100?

I found the bug below. The customer is on 6.6.1, which is not on the affected list, but as you can see there is no workaround.

https://bst.cisco.com/bugsearch/bug/CSCvr20579

Out of the 8 FTD devices the customer has, only 3 were flagged with this issue on a pentest.

 

Accepted Solution

From Cisco TAC

Instructions to execute via CLI and remove the weak ciphers:

Connect from FXOS to FTD (connect ftd), then enter expert mode:

> expert

  1. Change to root:

sudo -i

  2. To see the existing ciphers:

cat /etc/ssh/sshd_config | grep -e Ciphers -e MAC -e Kex

  3. Make a copy of the original SSH daemon configuration file:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig

  4. Remove the CBC ciphers from the SSH daemon configuration:

- vim /etc/ssh/sshd_config
- "i" to edit
- remove aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc from the list of ciphers --> :wq!

  5. Restart the SSH daemon:

/etc/init.d/sshd restart

Note: the SSH connection may drop while the daemon restarts. Afterwards you can run a new vulnerability scan to confirm the results.

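A scripted form of the TAC procedure above, added here as an example; it is not part of the original post and not Cisco's own tooling. It backs up the file, rewrites the Ciphers line without any *-cbc entry (including vendor-suffixed names such as rijndael-cbc@lysator.liu.se), and checks the result with sshd -t before you restart, so a typo in the file cannot lock you out of the appliance. The sample sshd_config is constructed for illustration, and the function names and temp-file paths are assumptions; on the FTD the real file is /etc/ssh/sshd_config as described above.

```sh
#!/bin/sh
# Added example: strip CBC ciphers from an sshd_config and validate it before restart.
# Function names, paths and the sample config below are assumptions for illustration.

# Constructed sample sshd_config (not the real FTD file) so the script runs offline.
make_sample_config() {
    cat > "$1" <<'EOF'
Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator.liu.se
MACs hmac-sha1,hmac-sha2-256
KexAlgorithms diffie-hellman-group14-sha1
EOF
}

# Print the comma-separated Ciphers list from a config file (empty if no Ciphers line).
list_ciphers() {
    awk '/^[[:space:]]*Ciphers[[:space:]]/ { print $2; exit }' "$1"
}

# Return 0 when any CBC-mode cipher (name ending in -cbc, with or without @domain) is still offered.
has_cbc() {
    list_ciphers "$1" | tr ',' '\n' | grep -Eq -- '-cbc(@|$)'
}

# Back up the file as <file>.orig (as the TAC steps do), then rewrite the Ciphers line
# in place with every CBC entry removed. Other lines are copied through unchanged.
strip_cbc_ciphers() {
    cfg=$1
    cp "$cfg" "$cfg.orig"
    awk '
        /^[[:space:]]*Ciphers[[:space:]]/ {
            n = split($2, c, ",")
            out = ""
            for (i = 1; i <= n; i++)
                if (c[i] !~ /-cbc(@|$)/)
                    out = out (out == "" ? "" : ",") c[i]
            print "Ciphers " out
            next
        }
        { print }
    ' "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg"
}

# Let sshd itself parse the edited file (sshd -t) before restarting; a rejected file
# would leave you without SSH. Skipped (returns 0) when sshd is not on PATH, e.g. when
# run on a workstation instead of the appliance.
check_config() {
    command -v sshd >/dev/null 2>&1 || return 0
    sshd -t -f "$1"
}

# Demo on the constructed sample.
SAMPLE=$(mktemp)
make_sample_config "$SAMPLE"
strip_cbc_ciphers "$SAMPLE"
if check_config "$SAMPLE"; then
    echo "sshd -t OK; Ciphers now: $(list_ciphers "$SAMPLE")"
else
    echo "sshd -t rejected the edited file; restore $SAMPLE.orig and do not restart" >&2
fi
```

On the appliance you would run strip_cbc_ciphers /etc/ssh/sshd_config from root (sudo -i), then check_config /etc/ssh/sshd_config and only on success /etc/init.d/sshd restart. Keep a second session open while you do this. Afterwards confirm from an outside host with the nmap ssh2-enum-algos script mentioned in the replies, which lists exactly what the server now offers.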

8 Replies

marce1000 (VIP)

 

- At all times you can 'evaluate' modifications to "/etc/ssh/sshd_config" with

% nmap --script ssh2-enum-algos yourdevice

 M.



-- "Good body every evening": this sentence was once spotted on a logo at the entrance of a Weight Watchers Club!

Hello Marce,

Thank you for this. I take it you mean to run this command from expert mode within the FTD?

Do you have any Cisco documentation on this?

 

- No, from an outside system which has nmap installed. Linux systems have this natively; you can also install it on Windows: https://nmap.org/download

 M.




Hi Marce,

Sorry, I have never done this before. So you are saying to use nmap to connect to the FTD, and it can be disabled this way, correct?

Sorry if am not following.

 

 

 

 - The idea is to just launch this command from a remote system, on a Linux box you could just paste the given command. Nmap will then probe the ssh server on the FTD and return the available ciphers. That way it can be established if modifying the sshd config file will list different available ciphers (nmap output) or not.

 M.




Hi Marce,

That is good to know, but what if I want to change the actual file, how would I do that?

 

 

Kind Regards

 

 

- Probably (I am not familiar with FTD myself) you need to be in expert mode and then, for instance, sudo vi /etc/ssh/sshd_config; you will be prompted for a password, which is the same as the admin password. (To go into expert mode you type "expert" from the CLISH (FTD CLI).)

 M.




