09-15-2022 03:38 AM
Hello Team,
I have been through lots of Cisco FTD docs and cannot find the answer; I am trying not to raise a TAC case for this if it can be avoided.
Does anyone know if you can modify the SSH cipher on FTD by editing "/etc/ssh/sshd_config" on Cisco FTD 2100?
I found the below. The customer is on 6.6.1, not on the affected list, but as you can see there is no workaround.
https://bst.cisco.com/bugsearch/bug/CSCvr20579
Out of the 8 FTD devices the customer has, only 3 were flagged with this issue on a pentest.
Solved! Go to Solution.
09-16-2022 04:52 AM
From Cisco TAC
Instructions to execute via CLI and remove the weak ciphers:
- Connect from FXOS to FTD: connect ftd, then enter expert mode:
- > expert
- sudo -i
- grep -e Ciphers -e MAC -e Kex /etc/ssh/sshd_config
- cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
- vim /etc/ssh/sshd_config
- "i" to edit
- remove aes128-cbc, aes192-cbc, aes256-cbc, 3des-cbc from the list of ciphers --> :wq!
- /etc/init.d/sshd restart
Note: the SSH connection may drop while sshd restarts. Afterwards you can run a new vulnerability scan to confirm the results.
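The TAC procedure above, scripted as an added example that is not Cisco's or the TAC engineer's own code. It does the same edit (back up the file, drop the four CBC ciphers from the Ciphers line, leave everything else alone) but refuses to write a config whose Ciphers line would end up empty, because sshd will not start on such a file and the restart would lock you out. It assumes an OpenSSH-style "Ciphers a,b,c" line already exists, as the TAC step implies, and runs here on a constructed sample file rather than a real FTD; the sshd restart and the external nmap check stay manual steps.

```shell
#!/bin/sh
# Added example, not Cisco's code: the TAC edit of /etc/ssh/sshd_config as a
# script. Assumes an OpenSSH-style "Ciphers a,b,c" line exists in the file.

# The four ciphers the TAC post says to remove.
WEAK_CIPHERS='aes128-cbc aes192-cbc aes256-cbc 3des-cbc'

# TAC pre-check: show the algorithm lines of config file $1.
show_algos() {
    grep -E '^(Ciphers|MACs|KexAlgorithms)' "$1"
}

# Return 0 if the Ciphers line of $1 still lists any of WEAK_CIPHERS.
has_weak_ciphers() {
    grep -E '^Ciphers ([^ ]*,)?(aes128-cbc|aes192-cbc|aes256-cbc|3des-cbc)(,|$)' \
        "$1" >/dev/null
}

# Rewrite the Ciphers line of $1 without WEAK_CIPHERS, keeping a backup at
# $1.orig as the TAC steps do. Refuses, and restores the original, if the
# result would be empty or if there is no Ciphers line to edit.
strip_cbc_ciphers() {
    cfg="$1"
    grep -q '^Ciphers ' "$cfg" || { echo "no Ciphers line in $cfg" >&2; return 1; }
    cp "$cfg" "$cfg.orig"
    if ! awk -v weak="$WEAK_CIPHERS" '
        BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        /^Ciphers / {
            m = split($2, list, ",")
            out = ""
            for (i = 1; i <= m; i++)
                if (!(list[i] in bad)) out = out (out == "" ? "" : ",") list[i]
            if (out == "") { print "refusing: Ciphers would be empty" > "/dev/stderr"; exit 2 }
            print "Ciphers " out
            next
        }
        { print }
    ' "$cfg.orig" > "$cfg"; then
        cp "$cfg.orig" "$cfg"   # awk refused: put the original back untouched
        return 1
    fi
}

# Demo on a constructed sample config (not a real FTD file).
demo() {
    dir=$(mktemp -d)
    cfg="$dir/sshd_config"
    printf '%s\n' 'Port 22' \
        'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc' \
        'MACs hmac-sha2-256,hmac-sha2-512' > "$cfg"
    echo "before:"; show_algos "$cfg"
    strip_cbc_ciphers "$cfg"
    echo "after:";  show_algos "$cfg"
    if has_weak_ciphers "$cfg"; then echo "weak ciphers still present"; else echo "no CBC ciphers left"; fi
    rm -rf "$dir"
    # On the device the remaining TAC steps are manual:
    #   /etc/init.d/sshd restart           (from a session you can afford to lose)
    #   nmap --script ssh2-enum-algos DEV  (from another host, to confirm the offer)
}
demo
```

On the device you would run strip_cbc_ciphers against /etc/ssh/sshd_config from the root shell reached with expert and sudo -i, restart sshd from a session you can afford to lose, and then confirm from another host with the nmap command from this thread that no CBC ciphers are offered. The thread does not say whether a hand edit under /etc survives a software upgrade, so repeat that nmap check after one.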
09-15-2022 04:32 AM
- At all times you can 'evaluate' modifications to "/etc/ssh/sshd_config" with
% nmap --script ssh2-enum-algos yourdevice
M.
09-15-2022 04:42 AM
Hello Marce,
Thank you for this. I take it you mean to run this command from expert mode within the FTD?
Do you have any Cisco documentation on this?
09-15-2022 05:10 AM
- No, from an outside system which has nmap installed. Linux systems have this natively, and you can also install it on Windows: https://nmap.org/download
M.
09-15-2022 05:17 AM - edited 09-15-2022 05:17 AM
Hi Marce,
Sorry, I have never done this before, so you are saying to use nmap to connect to the FTD and it can be disabled this way, correct?
Sorry if I am not following.
09-15-2022 06:07 AM
- The idea is just to launch this command from a remote system; on a Linux box you could just paste the given command. Nmap will then probe the SSH server on the FTD and return the available ciphers. That way it can be established whether modifying the sshd config file results in different available ciphers (nmap output) or not.
M.
09-15-2022 06:19 AM
Hi Marce,
That is good to know, but what if I want to change the actual file? How would I do that?
Kind Regards
09-15-2022 10:23 AM
- Probably (I am not familiar with FTD myself) you need to be in expert mode and then, for instance, sudo vi /etc/ssh/sshd_config; you will be prompted for a password, which is the same as the admin password. (To go into expert mode you type "expert" from the CLISH (FTD CLI).)
M.