02-23-2022 09:01 AM
A Nessus scan reported several of our devices are allowing weak key exchange algorithms and I have been asked to disable them. I have specifically been asked to disable:
diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
on all devices. I've read various posts and I'm still not sure how to do this. I have found devices where the 'show ip ssh' is essentially the same, but one reports the vulnerability and one doesn't. I have been trying to apply:
crypto key generate rsa label SSH-KEY modulus 2048
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
ip ssh dh min size 2048
ip ssh server algorithm encryption aes256-ctr
ip ssh server algorithm mac hmac-sha1
line vty 0 15
transport input ssh
everywhere, but this doesn't s