Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1904
Views
0
Helpful
8
Replies

SSH Vulnerability

Vinod Ola
Level 1
Level 1

‎05-06-2022 04:03 AM

Hi There- We have received ssh vulnerability scanned by Rapid7 and I can't see that encryption in switch configuration as we already using SSH version2

 

SSH Birthday attacks on 64-bit block ciphers (SWEET32) (Recommendation is to disable 3DES)

Labels:
0 Helpful
8 Replies 8

balaji.bandi
Hall of Fame
Hall of Fame

‎05-06-2022 04:21 AM

go to switch and issue -  show ip ssh - will give you all the cipher suite for you.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Vinod Ola
Level 1
Level 1
In response to balaji.bandi

‎05-06-2022 04:39 AM

It's not showing when I  run show ip ssh

please see below 

sho ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 2

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to Vinod Ola

‎05-06-2022 05:10 AM

What is the device Model, what ios Code running :

What you see the Logs

 

when you issue show ip ssh (you see what ciphers accepted)

 

example :

 

#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Vinod Ola
Level 1
Level 1
In response to balaji.bandi

‎05-08-2022 09:32 PM

Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 28 WS-C2960S-24TS-L 12.2(55)SE8 C2960S-UNIVERSALK9-M

-----------------------------------------------------------

sho ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 2

---------------------------------------------------------

There is nothing in logs related to ssh

0 Helpful

Vinod Ola
Level 1
Level 1
In response to Vinod Ola

‎05-12-2022 03:43 AM

Hi Everyone, Can anyone suggest the fix for above issue?

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to Vinod Ola

‎05-12-2022 05:22 AM

try change as below (do it in maintenance window)

 

#config t
(config)#ip domain-name yourdomain.com
(config)#crypto key generate rsa

1024 or 2038

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Vinod Ola
Level 1
Level 1
In response to balaji.bandi

‎05-12-2022 09:31 PM

it's already configured as you mentioned. 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to Vinod Ola

‎05-13-2022 06:23 AM

reconfigure again

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents