Stuff I'm Up To

Technical Ramblings

SRX SSH Ciphers, Algorithms & Key Exchange — July 31, 2017

The first Nessus scan of the new SRX320 cluster highlighted some weaknesses in the SSH service. This was because arcfour, CBC-mode ciphers and weak HMAC algorithms were enabled by default.

To remedy this we need to restrict the SSH service to an acceptable set of ciphers, MACs and key-exchange algorithms.

From the CLI a simple change to the SSH service configuration is required, under system services ssh.

# edit system services ssh
# set ciphers [ aes256-ctr "aes256-gcm@openssh.com" "chacha20-poly1305@openssh.com" ]
# set macs [ hmac-sha2-256 "hmac-sha2-256-etm@openssh.com" hmac-sha2-512 "hmac-sha2-512-etm@openssh.com" ]
# set key-exchange [ curve25519-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 group-exchange-sha2 ]

Commit the changes, rescan, and the findings are cleared.
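To see what the device actually offers before and after the commit, without waiting for the next scheduled scan, here is an added example in Python. It is not code from the original post and not Juniper or Tenable code: it reads the server's SSH_MSG_KEXINIT name-lists and flags the same classes of algorithm the scan complained about (arcfour, CBC-mode ciphers, MD5/SHA-1 based or truncated MACs, SHA-1 key exchange). The weak-algorithm patterns and the sample offering are this example's own constructed assumptions, not a vendor list. Junos's group-exchange-sha2 appears on the wire as diffie-hellman-group-exchange-sha256, so it is not flagged.

```python
"""Read an SSH server's KEXINIT and flag algorithms in the classes a Nessus scan
reports (arcfour, CBC ciphers, weak-hash MACs, SHA-1 kex). Added example, not code
from the original post; the weak patterns below are this example's own assumptions."""
import socket
import struct

SSH_MSG_KEXINIT = 20
# Order of the name-lists in a KEXINIT payload (RFC 4253 section 7.1).
NAME_LISTS = (
    "kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
)


def _read_name_list(buf, off):
    """Decode one uint32-prefixed, comma-separated name-list at offset off."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return (raw.decode("ascii").split(",") if n else []), off + n


def parse_kexinit(payload):
    """Return {list_name: [algorithm, ...]} from a raw KEXINIT payload."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off = 1 + 16  # message id, then the 16-byte random cookie
    lists = {}
    for name in NAME_LISTS:
        lists[name], off = _read_name_list(payload, off)
    return lists


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Serialise a KEXINIT payload; used here only to construct sample input."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in NAME_LISTS:
        raw = ",".join(lists[name]).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved


def _is_weak(category, alg):
    a = alg.lower()
    if category == "cipher":  # RC4 and any CBC-mode cipher
        return "arcfour" in a or "-cbc" in a
    if category == "mac":     # MD5/SHA-1 based or 96-bit truncated-tag MACs
        return "md5" in a or "sha1" in a or a.endswith("-96")
    if category == "kex":     # SHA-1 based Diffie-Hellman exchanges
        return a.endswith("sha1")
    return False


def weak_algorithms(lists):
    """Return {list_name: [weak algorithm, ...]} for the kex, cipher and MAC lists."""
    flagged = {}
    for name in ("kex", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c"):
        bad = [a for a in lists[name] if _is_weak(name.split("_")[0], a)]
        if bad:
            flagged[name] = bad
    return flagged


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        buf += chunk
    return buf


def read_server_kexinit(host, port=22, timeout=5.0):
    """Connect, exchange version strings and return the server's KEXINIT payload.
    The first binary packet is unencrypted and unauthenticated, so it can be read as
    uint32 packet_length, byte padding_length, payload, padding."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        line = b""
        while not line.startswith(b"SSH-"):  # servers may send pre-banner lines
            line = b""
            while not line.endswith(b"\n"):
                line += _recv_exact(s, 1)
        s.sendall(b"SSH-2.0-kexaudit_example\r\n")
        packet_len, pad_len = struct.unpack(">IB", _recv_exact(s, 5))
        body = _recv_exact(s, packet_len - 1)
        return body[:len(body) - pad_len]


# Constructed sample resembling a permissive default offering (not a real capture).
SAMPLE_LISTS = {
    "kex": ["curve25519-sha256", "diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group1-sha1"],
    "host_key": ["ssh-rsa"],
    "cipher_c2s": ["aes256-ctr", "aes128-cbc", "arcfour"],
    "cipher_s2c": ["aes256-ctr", "aes128-cbc", "arcfour"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1", "hmac-md5-96"],
    "mac_s2c": ["hmac-sha2-256", "hmac-sha1", "hmac-md5-96"],
    "comp_c2s": ["none"], "comp_s2c": ["none"], "lang_c2s": [], "lang_s2c": [],
}
SAMPLE_KEXINIT = build_kexinit(SAMPLE_LISTS)
```

Against the cluster's management address, weak_algorithms(parse_kexinit(read_server_kexinit(host))) returns an empty dict once the restricted set is in place; on the constructed sample it lists the CBC, arcfour, SHA-1 and MD5 entries. Before committing a restricted set, confirm the management clients you rely on support at least one algorithm in each list, and use commit confirmed so the change rolls back if the session is lost.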

Debian Installation — September 20, 2016

When I set up a Debian server there are a few basic things I do to get it online.

First step: boot from the netinst CD and follow the installer.

Log on over SSH as your regular user account, since root can’t access the system remotely. You’ll have to log on unprivileged and then su to root.

$ su

Sudo

Then, before doing anything else, install sudo and give your user account access by making it a member of the sudo group.

# apt-get install sudo
# usermod -a -G sudo [user]

You’ll have to log out and back in to pick up the sudo group change.
