又到了弱掃的時間
昨天看報告
有二個問題
Vulnerability Detection Result
The remote SSH server supports the following weak KEX algorithm(s):
KEX algorithm | Reason
------------------------------------------------
diffie-hellman-group-exchange-sha1 | Using SHA-1
Vulnerability Detection Result
The remote SSH server supports the following weak client-to-server encryption algorithm(s):
aes128-cbc
aes256-cbc
The remote SSH server supports the following weak server-to-client encryption algorithm(s):
aes128-cbc
aes256-cbc
想說改一下 /etc/ssh/sshd_config就可以了
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
沒想到重掃還是一樣
因為每次掃都要花很多時間
所以使用 nmap 特別針對ssh server來掃
nmap --script ssh2-enum-algos -sV -p 22 10.0.0.1
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-21 13:47 CST
Nmap scan report for 10.0.0.1
Host is up (0.00079s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh2-enum-algos:
| kex_algorithms: (12)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group14-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group-exchange-sha1
| diffie-hellman-group14-sha1
| kex-strict-s-v00@openssh.com
| server_host_key_algorithms: (5)
| rsa-sha2-512
| rsa-sha2-256
| ssh-rsa
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (7)
| aes256-gcm@openssh.com
| chacha20-poly1305@openssh.com
| aes256-ctr
| aes256-cbc
| aes128-gcm@openssh.com
| aes128-ctr
| aes128-cbc
| mac_algorithms: (8)
| hmac-sha2-256-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha2-256
| hmac-sha1
| umac-128@openssh.com
| hmac-sha2-512
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
果然還是沒用
找了半天資料 才找到解決方法
先處理
aes128-cbc
aes256-cbc
先建一個文件內容如下
vi /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
cipher = -AES-128-CBC -AES-256-CBC
ssh_cipher = -AES-128-CBC -AES-256-CBC
更新加密策略
update-crypto-policies --set DEFAULT:DISABLE-CBC
再來處理
diffie-hellman-group-exchange-sha1
vi /etc/crypto-policies/back-ends/opensshserver.config
刪除以下文字
,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
重啟 sshd
systemctl restart sshd
再跑一次
nmap --script ssh2-enum-algos -sV -p 22 10.0.0.1
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-21 13:59 CST
Nmap scan report for 10.0.0.1
Host is up (0.00077s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh2-enum-algos:
| kex_algorithms: (10)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group14-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| kex-strict-s-v00@openssh.com
| server_host_key_algorithms: (5)
| rsa-sha2-512
| rsa-sha2-256
| ssh-rsa
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (5)
| aes256-gcm@openssh.com
| chacha20-poly1305@openssh.com
| aes256-ctr
| aes128-gcm@openssh.com
| aes128-ctr
| mac_algorithms: (8)
| hmac-sha2-256-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha2-256
| hmac-sha1
| umac-128@openssh.com
| hmac-sha2-512
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
已經全部修正
再重掃一次也沒問題了
