Running a Nessus scan for the first time against the new SRX320 cluster highlighted some weaknesses in the SSH service: arcfour, the CBC-mode ciphers and the weaker HMAC algorithms were all enabled by default.
To remedy this we need to restrict the SSH service to an acceptable set of ciphers, MACs and key-exchange methods.
Using the CLI this is a simple change to the SSH service configuration, under system services ssh.
# edit system services ssh
# set ciphers [ aes256-ctr "email@example.com" "firstname.lastname@example.org" ]
# set macs [ hmac-sha2-256 "email@example.com" hmac-sha2-512 "firstname.lastname@example.org" ]
# set key-exchange [ curve25519-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 group-exchange-sha2 ]
Commit the changes and rescan; the weak-algorithm findings are gone.
Results from an NMAP scan after making the changes:
$ nmap --script ssh2-enum-algos 192.168.0.250 -p22

Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-31 11:23 BST
Nmap scan report for srx10069.domain.local (192.168.0.250)
Host is up (0.0016s latency).
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (5)
|       email@example.com
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|   server_host_key_algorithms: (4)
|       ssh-rsa
|       ssh-dss
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (3)
|       aes256-ctr
|       firstname.lastname@example.org
|       email@example.com
|   mac_algorithms: (4)
|       hmac-sha2-256
|       firstname.lastname@example.org
|       hmac-sha2-512
|       email@example.com
|   compression_algorithms: (2)
|       none
|_      firstname.lastname@example.org

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
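To turn the rescan into a repeatable check rather than an eyeball comparison, here is an added example (not from the original post or from Juniper) that parses the ssh2-enum-algos section of an nmap report and flags any legacy algorithm still on offer. The sample report and the WEAK patterns are constructed for illustration; the patterns also flag ssh-dss host keys, which the scan above still lists.

```python
import re
# Constructed sample in ssh2-enum-algos layout (names illustrative, not the page's scan).
SAMPLE_REPORT = """\
| ssh2-enum-algos:
|   kex_algorithms: (3)
|       curve25519-sha256
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group1-sha1
|   encryption_algorithms: (3)
|       aes256-ctr
|       aes128-cbc
|       arcfour
|   mac_algorithms: (3)
|       hmac-sha2-256
|       hmac-sha1
|_      hmac-md5
"""

# Regexes that flag a legacy offering, per ssh2-enum-algos category.
WEAK = {
    "kex_algorithms": [r"group1-", r"-sha1$"],
    "server_host_key_algorithms": [r"^ssh-dss$"],
    "encryption_algorithms": [r"^arcfour", r"-cbc$", r"^3des"],
    "mac_algorithms": [r"^hmac-md5", r"^hmac-sha1", r"-96$"],
}

def parse_enum_algos(report):
    """Return {category: [algorithm, ...]} from ssh2-enum-algos output."""
    algos, current = {}, None
    for line in report.splitlines():
        if not line.startswith("|"):
            continue  # nmap banner/footer lines are not script output
        body = line.lstrip("|_ ").rstrip()
        header = re.match(r"(\w+_algorithms): \(\d+\)$", body)
        if header:
            current = header.group(1)
            algos[current] = []
        elif current and body:
            algos[current].append(body)
    return algos

def weak_offerings(report):
    """Return {category: [flagged algorithm, ...]}; an empty dict is clean."""
    found = {}
    for category, names in parse_enum_algos(report).items():
        hits = [n for n in names
                if any(re.search(p, n) for p in WEAK.get(category, []))]
        if hits:
            found[category] = hits
    return found
```

Feed it the text of `nmap --script ssh2-enum-algos` and treat any non-empty result as a failed hardening check.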