rabubakar
New Contributor

Disable SSH Weak Ciphers

We are using FortiGate and we noticed that the SSH server is configured to use the weak encryption algorithms (arcfour, arcfour128 & arcfour256, cbc) and MAC algorithms (hmac-sha1 and hmac-md5).

My questions are:

How to disable CBC mode ciphers and use CTR mode ciphers?

How to disable 96-bit HMAC algorithms?

How to disable MD5-based HMAC algorithms?

Thanks.

emnoc
Esteemed Contributor III

Try the config sys global CLI command, e.g.

config sys global
    set ssh-cbc-cipher disable
    set ssh-hmac-md5 disable
end

 

Now run the ssh client with the -v option.

(before the change)

debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none

(now after)

debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none

 

You can scroll through all the ciphers that the client supports and see what is or is not accepted. Check out my post from a few years back on ssh tips:

http://socpuppet.blogspot.com/2013/04/ssh-and-ciphers-tipstricks.html

e.g. (build a file with all ciphers to check that the chain-block ciphers are disabled)

CEHacker:~ kfelix$ for p in `cat ciphers`; do ssh -c $p 11.11.1.6; done
no matching cipher found: client 3des-cbc server arcfour,aes128-ctr,aes192-ctr,aes256-ctr
no matching cipher found: client aes128-cbc server arcfour,aes128-ctr,aes192-ctr,aes256-ctr
no matching cipher found: client aes192-cbc server arcfour,aes128-ctr,aes192-ctr,aes256-ctr
no matching cipher found: client aes256-cbc server arcfour,aes128-ctr,aes192-ctr,aes256-ctr
kfelix@11.11.1.6 password:

I hope that helps

 

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
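An added example, not from this thread or from Fortinet, of a more direct way to audit what a server offers than looping ssh -c over a cipher file: every SSH-2 server sends its SSH_MSG_KEXINIT first, and that message lists the ciphers and MACs for both directions, so parsing it gives the same picture a scanner's "weak cipher/MAC" finding is based on. The weak-algorithm lists, the function names and the sample KEXINIT below are assumptions constructed for the example.

```python
import socket
import struct
# Assumed weak lists, built from the algorithm names mentioned in this thread ("-cbc" is flagged too).
WEAK_CIPHERS = {"arcfour", "arcfour128", "arcfour256"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"}
KEXINIT_FIELDS = "kex hostkey enc_c2s enc_s2c mac_c2s mac_s2c comp_c2s comp_s2c lang_c2s lang_s2c".split()

def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) into {field: [algorithm names]}."""
    assert payload[0] == 20, "not an SSH_MSG_KEXINIT payload"
    pos, fields = 17, {}  # skip the message byte and the 16-byte cookie
    for name in KEXINIT_FIELDS:  # ten uint32-length-prefixed, comma-separated name-lists
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + length].decode("ascii")
        fields[name] = raw.split(",") if raw else []
        pos += 4 + length
    return fields

def weak_algorithms(fields):
    """Return (weak ciphers, weak MACs) the server offers in either direction."""
    ciphers = set(fields["enc_c2s"]) | set(fields["enc_s2c"])
    macs = set(fields["mac_c2s"]) | set(fields["mac_s2c"])
    return (sorted(c for c in ciphers if c in WEAK_CIPHERS or c.endswith("-cbc")),
            sorted(m for m in macs if m in WEAK_MACS))

def build_kexinit(fields):
    """Encode a KEXINIT payload; used here only to construct the offline sample."""
    body = bytes([20]) + bytes(16)  # message number, all-zero cookie (real ones are random)
    for name in KEXINIT_FIELDS:
        raw = ",".join(fields[name]).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + bytes(5)  # first_kex_packet_follows = false, reserved uint32 = 0

def fetch_server_kexinit(host, port=22, timeout=5):
    """Send our version string, skip any banner, and return the server's KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexinit_audit\r\n")
        f = s.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # RFC 4253 allows banner lines first
            line = f.readline()
        (packet_len,) = struct.unpack(">I", f.read(4))
        packet = f.read(packet_len)  # padding_length byte, payload, random padding
        return packet[1:packet_len - packet[0]]

CTR_PLUS_ARCFOUR = ["arcfour", "aes128-ctr", "aes192-ctr", "aes256-ctr"]  # constructed, as in the thread
SAMPLE = build_kexinit({"kex": ["diffie-hellman-group14-sha1"], "hostkey": ["ssh-rsa"],
                        "enc_c2s": CTR_PLUS_ARCFOUR, "enc_s2c": CTR_PLUS_ARCFOUR,
                        "mac_c2s": ["hmac-sha1", "hmac-sha1-96"], "mac_s2c": ["hmac-sha1", "hmac-sha1-96"],
                        "comp_c2s": ["none"], "comp_s2c": ["none"], "lang_c2s": [], "lang_s2c": []})
```

Running weak_algorithms(parse_kexinit(SAMPLE)) reports arcfour plus both SHA-1 MACs, which is exactly the state emnoc's "after" output still negotiates; against a live box, weak_algorithms(parse_kexinit(fetch_server_kexinit(host))) shows what a scanner would see after each config change.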
rabubakar

Hi,

 

Thanks for your feedback. However, the commands are not available in the CLI. 

Firmware: v5.6.0 build1449 (GA)

tanr
Valued Contributor II

Does 5.6 still have:

 

config sys global

  set strong-crypto enable

 

emnoc
Esteemed Contributor III

Thanks for your feedback. However, the commands are not available in the CLI

 

show full sys global | grep ssh

rabubakar

emnoc wrote:

Thanks for your feedback. However, the commands are not available in the CLI

 

show full sys global | grep ssh

 

# show full sys global | grep ssh
set admin-ssh-grace-time 120
set admin-ssh-password enable
set admin-ssh-port 22
set admin-ssh-v1 disable

sandeepsutar

Hi, did you manage to resolve the issue? With FortiOS 5.6.0 (build 1449) and strong crypto enabled, our security audit too resulted in "SSH Weak MAC Algorithms Enabled" on firewalls. As per the Nessus scan, hmac-sha1-96 is still enabled on SSH and we need to disable it. I tried but couldn't find a way to disable it. Please share your inputs.
fl0at0xff

Hello. I have the same problem. I am running 5.6.x, strong crypto is enabled and admin-ssh-v1 is disabled, but a lot of weak crypto is still present. I opened a ticket with support.

I think you can set the global setting "ssh-kex-sha1" to "disable" to prevent the use of SHA-1 in the key exchange process.

Ivanr4g63

fl0at0xff wrote:

Hello. I have the same problem. I am running 5.6.x, strong crypto is enabled and admin-ssh-v1 is disabled, but a lot of weak crypto is still present. I opened a ticket with support.

I think you can set the global setting "ssh-kex-sha1" to "disable" to prevent the use of SHA-1 in the key exchange process.

Hello - were you able to resolve this?

I have the same issue on our 320c FortiAPs; our wireless controller is the FortiGate 900D with 6.0.4 firmware.

I've tried disabling everything noted above with no luck; we're still getting the same "SSH Weak MAC Algorithms Enabled" finding from Nessus.

 

Any pointers greatly appreciated!

kphed
New Contributor III

To All Who Are Reporting This Issue:

 

1) Were the source IPs performing the scan set as "trust hosts" on any administrative accounts?

2) Are all administrative accounts locked down to specific trust hosts?

 

 
