We are using FortiGate and we noticed that the SSH server is configured to use weak encryption algorithms (arcfour, arcfour128 & arcfour256, CBC) and MAC algorithms (hmac-sha1 and hmac-md5).
My question is:
How to disable CBC mode ciphers and use CTR mode ciphers?
How to disable 96-bit HMAC Algorithms?
How to disable MD5-based HMAC Algorithms?
Thanks.
Try the config sys global CLI command, e.g.:

config sys global
    set ssh-cbc-cipher disable
    set ssh-hmac-md5 disable
end

Now run the ssh client with the -v option.

( before the change )

debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none

( now after )

debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none

You can run through all the ciphers that the client supports and see what is or is not accepted. Check out my post from a few years back on ssh tips:
http://socpuppet.blogspot.com/2013/04/ssh-and-ciphers-tipstricks.html

e.g. ( build a file with all ciphers to check that the chain-block ciphers are disabled )

CEHacker:~ kfelix$ for p in `cat ciphers`; do ssh -c $p 11.11.1.6; done
no matching cipher found: client 3des-cbc server arcfour,aes128-ctr,aes192-ctr,aes256-ctr
no matching cipher found: client aes128-cbc server arcfour,aes128-ctr,aes192-ctr,aes256-ctr
no matching cipher found: client aes192-cbc server arcfour,aes128-ctr,aes192-ctr,aes256-ctr
no matching cipher found: client aes256-cbc server arcfour,aes128-ctr,aes192-ctr,aes256-ctr
kfelix@11.11.1.6 password:
I hope that helps
Ken
PCNSE
NSE
StrongSwan
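The loop above only exercises ciphers and leaves you to read the "no matching cipher found" lines by eye. The script below is an added example, not code from Ken, the thread or Fortinet: it parses the stderr of `ssh -v` runs (both the older "client X server Y" wording shown above and the newer "Their offer:" wording), collects every cipher, MAC and key-exchange method the server advertised or negotiated, and reports the ones that match the weaknesses asked about in the question (CBC mode, RC4/arcfour, MD5 MACs, 96-bit MACs, SHA-1 key exchange). The function names (`weakness`, `parse_ssh_verbose`, `findings`, `probe_commands`) are my own, and `SAMPLE_SSH_VERBOSE` is constructed for the demonstration, not captured from a FortiGate (192.0.2.1 is a documentation address). `probe_commands` builds the per-algorithm `ssh -v` invocations, extending the loop to MACs and kex; it does not run them.

```python
"""Classify the SSH algorithms a server offers against a weak-algorithm policy.

Added example (not from the thread or Fortinet). Feed it the stderr of
`ssh -v` runs such as the loop in the thread and it reports every CBC cipher,
RC4, MD5 MAC, 96-bit MAC and SHA-1 key exchange the server advertised or
negotiated. SAMPLE_SSH_VERBOSE is constructed, not a real capture.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the older OpenSSH wording ("client X server Y") used in
# the thread, the newer "Their offer:" wording, and negotiated-kex lines in
# both the old and the "cipher: ... MAC: ..." formats.
SAMPLE_SSH_VERBOSE = """\
debug1: kex: algorithm: diffie-hellman-group14-sha1
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1-96 compression: none
no matching cipher found: client 3des-cbc server arcfour,aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr
Unable to negotiate with 192.0.2.1 port 22: no matching MAC found. Their offer: hmac-md5,hmac-sha1,hmac-sha2-256
Unable to negotiate with 192.0.2.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
"""

CATEGORY = {"cipher": "cipher", "MAC": "mac",
            "key exchange method": "kex", "host key type": "hostkey"}
_KINDS = "cipher|MAC|key exchange method|host key type"
OFFER_OLD = re.compile(rf"no matching ({_KINDS}) found: client \S+ server (\S+)")
OFFER_NEW = re.compile(rf"no matching ({_KINDS}) found\. Their offer: (\S+)")
KEX_NEW = re.compile(r"debug1: kex: (?:server->client|client->server) cipher: (\S+) MAC: (\S+)")
KEX_OLD = re.compile(r"debug1: kex: (?:server->client|client->server) (\S+) (\S+) \S+$")
KEX_ALG = re.compile(r"debug1: kex: algorithm: (\S+)")


def weakness(name: str) -> Optional[str]:
    """Return why `name` is weak under this policy, or None if it passes.

    Order matters: hmac-md5-96 is reported as MD5 rather than as 96-bit.
    """
    n = name.lower()
    if n.endswith("-cbc"):
        return "CBC-mode cipher"
    if n.startswith("arcfour") or "rc4" in n:
        return "RC4 stream cipher"
    if n.startswith("hmac-md5"):
        return "MD5-based MAC"
    if re.search(r"-96(-etm@openssh\.com)?$", n):
        return "96-bit truncated MAC"
    if re.fullmatch(r"hmac-sha1(-etm@openssh\.com)?", n):
        return "SHA-1 MAC"
    if n.endswith("-sha1"):  # diffie-hellman-group1-sha1, group14-sha1, group-exchange-sha1
        return "SHA-1 key exchange"
    return None


def parse_ssh_verbose(text: str) -> Dict[str, Set[str]]:
    """Collect every algorithm the server offered or negotiated, per category."""
    seen: Dict[str, Set[str]] = {k: set() for k in CATEGORY.values()}
    for line in text.splitlines():
        m = OFFER_OLD.search(line) or OFFER_NEW.search(line)
        if m:  # the server's full list, printed when the client's choice was refused
            seen[CATEGORY[m.group(1)]].update(m.group(2).split(","))
            continue
        m = KEX_NEW.search(line) or KEX_OLD.search(line)
        if m:  # what was actually negotiated for this direction
            seen["cipher"].add(m.group(1))
            seen["mac"].add(m.group(2))
            continue
        m = KEX_ALG.search(line)
        if m:
            seen["kex"].add(m.group(1))
    return seen


def findings(seen: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """(category, algorithm, reason) for every weak algorithm, sorted for stable output."""
    return sorted((cat, name, why) for cat, names in seen.items()
                  for name in names if (why := weakness(name)))


def probe_commands(host: str, ciphers: List[str], macs: List[str],
                   kexes: List[str]) -> List[str]:
    """One `ssh -v` per candidate algorithm: the thread's loop, extended to MACs and kex.

    Run each, collect stderr, and pass it to parse_ssh_verbose(); a
    'no matching ... found' line means the server refused that algorithm,
    a 'debug1: kex:' line means it accepted it. Candidate lists can come
    from `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q kex`.
    """
    base = "ssh -v -o BatchMode=yes -o ConnectTimeout=5"
    return ([f"{base} -o Ciphers={c} {host} exit" for c in ciphers]
            + [f"{base} -o MACs={m} {host} exit" for m in macs]
            + [f"{base} -o KexAlgorithms={k} {host} exit" for k in kexes])


if __name__ == "__main__":
    for cat, name, why in findings(parse_ssh_verbose(SAMPLE_SSH_VERBOSE)):
        print(f"{cat:7} {name:32} {why}")
```

Because the server prints its whole list whenever the client's single choice is refused, one deliberately unsupported algorithm per category (for instance `-o Ciphers=aes128-cbc` after the CBC ciphers have been disabled) is usually enough to see the complete advertised set; the negotiated `debug1: kex:` lines then confirm what a default client actually ends up using. The policy in `weakness` is deliberately broader than the Nessus "SSH Weak MAC Algorithms Enabled" check (which is about MD5 and 96-bit MACs), since the original question also treats hmac-sha1 and SHA-1 key exchange as findings.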
Hi,
Thanks for your feedback. However, the commands are not available in the CLI.
Firmware: v5.6.0 build1449 (GA)
Does 5.6 still have:
config sys global
set strong-crypto enable
Thanks for your feedback. However, the commands are not available in the CLI
show full sys global | grep ssh
PCNSE
NSE
StrongSwan
emnoc wrote: Thanks for your feedback. However, the commands are not available in the CLI
show full sys global | grep ssh

# show full sys global | grep ssh
set admin-ssh-grace-time 120
set admin-ssh-password enable
set admin-ssh-port 22
set admin-ssh-v1 disable
Hello. I have the same problem. I am running 5.6.x, strong-crypto is enabled and admin-ssh-v1 is disabled, but a lot of weak crypto is still present. I opened a ticket with support.
I think you can set to "disable" the global setting "ssh-kex-sha1" to prevent using SHA-1 in the process of Keys exchange.
fl0at0xff wrote: Hello. I have the same problem. I am running 5.6.x, strong-crypto is enabled and admin-ssh-v1 is disabled, but a lot of weak crypto is still present. I opened a ticket with support.
I think you can set to "disable" the global setting "ssh-kex-sha1" to prevent using SHA-1 in the process of Keys exchange.

Hello - were you able to resolve?
I have the same issue on our 320c FortiAPs - Our wireless controller being the Fortigate 900D with 6.0.4 Firmware.
I've tried disabling all noted above with no luck, we're still getting same "SSH Weak MAC Algorithms Enabled" with Nessus.
Any pointers greatly appreciated!
To All Whom are Reporting This Issue:
1) Were the source IPs performing the scan set as "trust hosts" on any administrative accounts?
2) Are all administrative accounts locked down to specific trust hosts?
Copyright 2024 Fortinet, Inc. All Rights Reserved.