Fixing SSH Server CBC Mode Ciphers Enabled / SSH Weak MAC Algorithms Enabled

One day, while running a Nessus vulnerability scan against a newly launched service, the report flagged the following issues:

SSH Server CBC Mode Ciphers Enabled
SSH Weak MAC Algorithms Enabled

Nessus remediation advice: disable CBC cipher modes and enable CTR or GCM cipher modes.

Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

As root, we edit /etc/ssh/sshd_config, commenting out the CBC modes and adding the CTR modes:

vi /etc/ssh/sshd_config
# default is aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
# aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
# aes256-cbc,arcfour
# you can remove the cbc ciphers by adding the line

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour

# default is hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
# you can remove the hmac-md5 MACs with

MACs hmac-sha1,hmac-ripemd160

While we are at it, this also takes care of the SSH Weak MAC Algorithms Enabled finding.
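To confirm the change, the added example below (not part of the original post) scans `Ciphers` and `MACs` lines for CBC ciphers and for MD5 or 96-bit MACs, the algorithms the two Nessus findings are about. The function name `audit_sshd_algos` and both sample inputs are assumptions built from the lists quoted in the configuration above; it expects plain comma-separated lists, as printed by `sshd -T`.

```shell
#!/bin/sh
# Added example: flag CBC ciphers and MD5 / 96-bit MACs in sshd settings.
# Reads sshd_config text or `sshd -T` output on stdin, prints one
# "keyword algorithm" line per weak entry, and returns 1 if any were found.
audit_sshd_algos() {
    awk '
        {
            # Keywords are case-insensitive; commented-out lines never match
            # because their first field starts with "#".
            key = tolower($1)
            if (key != "ciphers" && key != "macs") next
            n = split($2, algo, ",")
            for (i = 1; i <= n; i++) {
                a = tolower(algo[i])
                if (key == "ciphers" && a ~ /-cbc/)  { print key, a; bad = 1 }
                if (key == "macs" && a ~ /md5|-96/) { print key, a; bad = 1 }
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed input: the defaults quoted in the comments above ("before").
BEFORE='Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour
MACs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96'

# Constructed input: the two lines added to sshd_config above ("after").
AFTER='# you can remove the cbc ciphers by adding the line
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
MACs hmac-sha1,hmac-ripemd160'

echo "before:"
printf '%s\n' "$BEFORE" | audit_sshd_algos || echo "-> weak algorithms present"
echo "after:"
printf '%s\n' "$AFTER" | audit_sshd_algos && echo "-> no CBC ciphers or MD5/96-bit MACs"
```

On a live host, `sshd -T | audit_sshd_algos` (run as root) checks the effective settings that sshd computes from its configuration file.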

Only 1 comment
  1. Joe Joe

    A pile of Linux solutions; has nobody run into this problem on Windows?
