Trustwave - Insecure ARCFOUR encryption

Serra

Well-Known Member
Oct 27, 2005
272
21
168
Florida
I've got a new Trustwave wrinkle:

Insecure ARCFOUR Encryption: arcfour, arfour128 and arcfour256 on port 22.
and "SSH arcfour encryption algorithms supported"

I checked /etc/ssh/ssh_config, but the ciphers are commented out. Where are the ciphers set for ssh? (they aren't in sshd_config either)

Anyone using an approved cipher list?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463

Serra

Well-Known Member
Oct 27, 2005
272
21
168
Florida
I already knew all that, my issue is that the ciphers line is currently commented out of the ssh config line. As such, I don't know what the current cipher suite is. This is problematic because uncommenting the line could do nothing or drastically change the ciphers in use. Doing nothing doesn't seem so bad, drastically changing the cipher suite could be a disaster that takes days or weeks of problems with clients to fix.

So, is the cipher suite that is commented out the same as what is in use? What is in use? Is there a way to find out?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
Hello,

The lack of an entry indicates the default cipher list is utilized. You can use the following command to view the default list:

Code:
man ssh_config
Here's the entry for "Ciphers" from that output:

Ciphers
Specifies the ciphers allowed for protocol version 2 in order of
preference. Multiple ciphers must be comma-separated. The sup‐
ported ciphers are:

“3des-cbc”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”,
“aes128-ctr”, “aes192-ctr”, “aes256-ctr”,
[email protected]”, “[email protected]”, “arcfour128”,
“arcfour256”, “arcfour”, “blowfish-cbc”, “cast128-cbc”, and
[email protected]”.

The default is:

aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
[email protected],[email protected],
[email protected],
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
aes256-cbc,arcfour

The list of available ciphers may also be obtained using the -Q
option of ssh(1).
You would configure the new "Ciphers" line the default ciphers, separated by commas, adding/removing entries to achieve PCI compliance.

We're currently exploring methods of ensuring SSH is PCI compliant by default in case CPANEL-7585. There's no time frame to offer at this time, but I'll update this thread with more information on the status of that case as it becomes available.

Thank you.
 

Serra

Well-Known Member
Oct 27, 2005
272
21
168
Florida
Just for reference, the change for this to PCI Compliance on the SSH port is:

In /etc/ssh/sshd_config add the following line:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc

This should leave only PCI complaint ciphers.

Make sure you test this, restart sshd:

service sshd restart

Then attempt to log in while leaving your original SSH window open. If you can't login, undo the change and restart. If you log out, you may not be able to log back in if it doesn't work.
 
  • Like
Reactions: cPanelMichael