The first Nessus scan of the new SRX320 cluster highlighted some weaknesses in the SSH service. This was due to arcfour, CBC and HMAC being enabled by default.
To remedy this, we need to restrict SSH to an acceptable set of ciphers, MACs and key-exchange algorithms.
Using the CLI, a simple change to the config for the SSH service is required, under system services ssh.

    # edit system services ssh
    # set ciphers [ aes256-ctr "email@example.com" "firstname.lastname@example.org" ]
    # set macs [ hmac-sha2-256 "email@example.com" hmac-sha2-512 "firstname.lastname@example.org" ]
    # set key-exchange [ curve25519-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 group-exchange-sha2 ]
Commit the changes and rescan, and all is good.
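
To see what a scanner sees when it checks the SSH service, the following added example (not part of the original post) parses the server's SSH_MSG_KEXINIT algorithm offer as laid out in RFC 4253 section 7.1 and lists anything it considers weak. The flagging policy, the function names and both sample payloads are assumptions constructed for illustration; obtaining the payload from a live session is outside the example.

```python
import struct

# RFC 4253 section 7.1: the ten name-lists in SSH_MSG_KEXINIT, in wire order.
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Decode an SSH_MSG_KEXINIT payload into {field: [algorithm names]}."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, offer = 17, {}          # skip message type (1) and cookie (16)
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated before " + field)
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("name-list overruns payload in " + field)
        raw = payload[pos:pos + length].decode("ascii")
        offer[field] = raw.split(",") if raw else []
        pos += length
    return offer

def weak_algorithms(offer: dict) -> list:
    """Assumed policy: flag arcfour/CBC ciphers and MD5, SHA-1 or 96-bit MACs."""
    ciphers = offer["enc_c2s"] + offer["enc_s2c"]
    macs = offer["mac_c2s"] + offer["mac_s2c"]
    bad = {c for c in ciphers if c.startswith("arcfour") or c.endswith("-cbc")}
    bad |= {m for m in macs if "md5" in m or "sha1" in m or m.endswith("-96")}
    return sorted(bad)

def build_kexinit(kex, ciphers, macs) -> bytes:
    """Build a constructed sample payload (zero cookie) for offline testing."""
    lists = [kex, ["ssh-rsa"], ciphers, ciphers, macs, macs, ["none"], ["none"], [], []]
    body = bytes([20]) + bytes(16)
    for names in lists:
        data = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(data)) + data
    return body + b"\x00" + bytes(4)   # first_kex_packet_follows + reserved

# Constructed samples, not captured from a device.
BEFORE = build_kexinit(["diffie-hellman-group1-sha1"],
                       ["aes128-cbc", "arcfour", "aes256-ctr"],
                       ["hmac-md5", "hmac-sha1", "hmac-sha2-256"])
AFTER = build_kexinit(["curve25519-sha256"], ["aes256-ctr"],
                      ["hmac-sha2-256", "hmac-sha2-512"])

if __name__ == "__main__":
    for label, pkt in (("before", BEFORE), ("after", AFTER)):
        print(label, weak_algorithms(parse_kexinit(pkt)) or "no flagged algorithms")
```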