Linux SSH的SSL弱加密算法漏洞修复
Linux在做漏洞扫描时,会发现有个名为SSH Weak Encryption Algorithms Supporte的漏洞,这是因为ssh通信时默认使用的加密算法中有部分是不再安全的算法。如:arcfour,arcfour128,arcfour256等都是弱加密算法。
1、扫描Linux SSH默认使用的加密算法列表
[root@blogs-v2 ~]# yum install nmap -y [root@blogs-v2 ~]# nmap --script 'ssh2*' 192.168.0.221 Starting Nmap 6.40 ( http://nmap.org ) at 2022-03-08 15:28 CST Nmap scan report for 192.168.0.221 Host is up (0.0020s latency). Not shown: 998 closed ports PORT STATE SERVICE 22/tcp open ssh | ssh2-enum-algos: | kex_algorithms (12) | curve25519-sha256 | curve25519-sha256@libssh.org | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 | ecdh-sha2-nistp521 | diffie-hellman-group-exchange-sha256 | diffie-hellman-group16-sha512 | diffie-hellman-group18-sha512 | diffie-hellman-group-exchange-sha1 | diffie-hellman-group14-sha256 | diffie-hellman-group14-sha1 | diffie-hellman-group1-sha1 | server_host_key_algorithms (5) | ssh-rsa | rsa-sha2-512 | rsa-sha2-256 | ecdsa-sha2-nistp256 | ssh-ed25519 | encryption_algorithms (12) # 当前使用的SSH加密算法列表 | chacha20-poly1305@openssh.com | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm@openssh.com | aes256-gcm@openssh.com | aes128-cbc | aes192-cbc | aes256-cbc | blowfish-cbc | cast128-cbc | 3des-cbc | mac_algorithms (10) | umac-64-etm@openssh.com | umac-128-etm@openssh.com | hmac-sha2-256-etm@openssh.com | hmac-sha2-512-etm@openssh.com | hmac-sha1-etm@openssh.com | umac-64@openssh.com | umac-128@openssh.com | hmac-sha2-256 | hmac-sha2-512 | hmac-sha1 | compression_algorithms (2) | none |_ zlib@openssh.com 111/tcp open rpcbind Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
2、修改SSH通信默认加密算法
[root@192-168-0-221 ~]# vim /etc/ssh/sshd_config # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server Ciphers aes128-ctr,aes192-ctr,aes256-ctr # 显式指定ssh通讯时使用的加密算法 [root@192-168-0-221 ~]# systemctl restart sshd.service # 重启SSH服务
注:ssh_config和sshd_config都是ssh服务器的配置文件,二者区别在于,前者是针对客户端的配置文件,后者则是针对服务端的配置文件。
3、SSH加密算法修改效果验证
[root@blogs-v2 ~]# nmap --script 'ssh2*' 192.168.0.221 Starting Nmap 6.40 ( http://nmap.org ) at 2022-03-08 15:43 CST Nmap scan report for 192.168.0.221 Host is up (0.0022s latency). Not shown: 998 closed ports PORT STATE SERVICE 22/tcp open ssh | ssh2-enum-algos: | kex_algorithms (12) | curve25519-sha256 | curve25519-sha256@libssh.org | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 | ecdh-sha2-nistp521 | diffie-hellman-group-exchange-sha256 | diffie-hellman-group16-sha512 | diffie-hellman-group18-sha512 | diffie-hellman-group-exchange-sha1 | diffie-hellman-group14-sha256 | diffie-hellman-group14-sha1 | diffie-hellman-group1-sha1 | server_host_key_algorithms (5) | ssh-rsa | rsa-sha2-512 | rsa-sha2-256 | ecdsa-sha2-nistp256 | ssh-ed25519 | encryption_algorithms (3) # 可以看出,SSH通讯加密算法只剩刚才自定义的三个了,说明修改成功 | aes128-ctr | aes192-ctr | aes256-ctr | mac_algorithms (10) | umac-64-etm@openssh.com | umac-128-etm@openssh.com | hmac-sha2-256-etm@openssh.com | hmac-sha2-512-etm@openssh.com | hmac-sha1-etm@openssh.com | umac-64@openssh.com | umac-128@openssh.com | hmac-sha2-256 | hmac-sha2-512 | hmac-sha1 | compression_algorithms (2) | none |_ zlib@openssh.com 111/tcp open rpcbind Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
作者:UStarGao
链接:https://www.starcto.com/safetool/279.html
来源:STARCTO
著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明出处。
UCloud云平台推荐
随便看看
- 2023-08-18ubuntu修改hosts解析导致sudo命令卡住/hang住
- 2021-04-03Linux使用PaPing进行TCP端口连通性/网络平均延迟探测
- 2021-05-29MySQL 索引介绍
- 2022-03-29Linux RSSD云盘IO性能压测教程-fio
- 2021-01-31Linux安装包管理-Yum仓库配置
