When scanning with Tenable Nessus, the SSH port is reported with a low-severity finding (low vulnerability): SSH Server CBC Mode Ciphers Enabled.
Fix steps:
On the machine, first run man sshd_config directly (ideally read the English documentation; if the system uses another language, the suggested command is LANG=en_US.utf8 man sshd_config). In the Ciphers section you will see the description of the cipher algorithms, as follows:
Ciphers
Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If the specified value begins with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replacing them.
The supported ciphers are:
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
chacha20-poly1305@openssh.com
The default is:
chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com,
aes128-cbc,aes192-cbc,aes256-cbc,
blowfish-cbc,cast128-cbc,3des-cbc
The list of available ciphers may also be obtained using "ssh -Q cipher". (i.e. the supported ciphers)
Remove the ciphers with the -cbc suffix from the default list above (the ones listed under "The default is:"), then join the remaining ciphers into one comma-separated line and prefix it with the Ciphers keyword, as shown below:
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
Check /etc/ssh/sshd_config, e.g. grep -i ciphers /etc/ssh/sshd_config
There should be only one line, and it should be commented out: # Ciphers and keying
Then append the Ciphers ... line above to the end of /etc/ssh/sshd_config and restart the sshd service (systemctl restart sshd). After rescanning, the low-severity finding is gone.
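The following script is an added example, not part of the original post and not an OpenSSH or Nessus tool. It automates the two steps described above: it derives the CBC-free Ciphers line from the default cipher list quoted from the man page, and it classifies an sshd_config as having CBC enabled through an explicit directive, having no active Ciphers directive at all (which on the OpenSSH version quoted above means the CBC-containing default stays in effect), or being clean. The sshd_config content at the bottom is a constructed sample, not a real host's file; the function names are this example's own.

```shell
#!/bin/sh
# Added example: drop CBC ciphers from an OpenSSH cipher list and audit an
# sshd_config for CBC exposure. Not part of the original post or of OpenSSH.

# Default cipher list exactly as quoted from the man page section above.
OPENSSH_DEFAULT_CIPHERS="chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc"

# drop_cbc_ciphers LIST
# Prints LIST (comma-separated) with every entry ending in "-cbc" removed,
# preserving the original order of the remaining entries.
drop_cbc_ciphers() {
    printf '%s\n' "$1" | awk -F, '{
        out = ""
        for (i = 1; i <= NF; i++) {
            c = $i
            if (c !~ /-cbc$/) out = (out == "" ? c : out "," c)
        }
        print out
    }'
}

# cbc_status FILE
# Prints one of:
#   no-directive  - no active Ciphers line, so sshd uses its built-in default
#                   (on the version quoted above that default includes CBC)
#   cbc-enabled   - an active Ciphers line still lists a -cbc cipher
#   ok            - an active Ciphers line exists and lists no -cbc cipher
# Commented lines such as "# Ciphers and keying" are ignored.
cbc_status() {
    active=$(grep -iE '^[[:space:]]*Ciphers[[:space:]]+' "$1" || true)
    if [ -z "$active" ]; then
        echo "no-directive"
    elif printf '%s\n' "$active" | grep -qi -- '-cbc'; then
        echo "cbc-enabled"
    else
        echo "ok"
    fi
}

# hardened_ciphers_line
# Prints the directive to append to sshd_config.
hardened_ciphers_line() {
    printf 'Ciphers %s\n' "$(drop_cbc_ciphers "$OPENSSH_DEFAULT_CIPHERS")"
}

# Demonstration on a constructed sshd_config fragment (not a real host's file).
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
# Constructed sample sshd_config fragment for this example
# Ciphers and keying
#RekeyLimit default none
EOF
echo "before: $(cbc_status "$demo_config")"
hardened_ciphers_line >> "$demo_config"
echo "after:  $(cbc_status "$demo_config")"
echo "appended: $(hardened_ciphers_line)"
rm -f "$demo_config"
```

To run the audit against the real file, call cbc_status /etc/ssh/sshd_config; after the restart, sshd -T | grep -i ciphers shows the effective cipher list sshd is actually using, which is the value the scanner will observe.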