Trustwave - Insecure ARCFOUR encryption

[Serra]

I've got a new Trustwave wrinkle:

Insecure ARCFOUR Encryption: arcfour, arfour128 and arcfour256 on port 22.
and "SSH arcfour encryption algorithms supported"

I checked /etc/ssh/ssh_config, but the ciphers are commented out. Where are the ciphers set for ssh? (they aren't in sshd_config either)

Anyone using an approved cipher list?

 

[cPanelMichael]

Hello,

You should edit the /etc/ssh/sshd_config file to change the SSH configuration and use custom ciphers (Using the "Ciphers" line). Information on editing the /etc/ssh/sshd_config file is available at:

https://documentation.cpanel.net/display/CKB/How+to+Secure+SSH

In addition, you may find this StackOverflow thread helpful regarding those specific ciphers:

What are the differences between the arcfour, arcfour128 and arcfour256 ciphers in OpenSSH?

Thank you.

 

[Serra]

I already knew all that, my issue is that the ciphers line is currently commented out of the ssh config line. As such, I don't know what the current cipher suite is. This is problematic because uncommenting the line could do nothing or drastically change the ciphers in use. Doing nothing doesn't seem so bad, drastically changing the cipher suite could be a disaster that takes days or weeks of problems with clients to fix.

So, is the cipher suite that is commented out the same as what is in use? What is in use? Is there a way to find out?

 

[cPanelMichael]

Hello,

The lack of an entry indicates the default cipher list is utilized. You can use the following command to view the default list:

man ssh_config

Here's the entry for "Ciphers" from that output:

Ciphers
Specifies the ciphers allowed for protocol version 2 in order of
preference. Multiple ciphers must be comma-separated. The sup‐
ported ciphers are:

“3des-cbc”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”,
“aes128-ctr”, “aes192-ctr”, “aes256-ctr”,
“[email protected]”, “[email protected]”, “arcfour128”,
“arcfour256”, “arcfour”, “blowfish-cbc”, “cast128-cbc”, and
“[email protected]”.

The default is:

aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
[email protected],[email protected],
[email protected],
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
aes256-cbc,arcfour

The list of available ciphers may also be obtained using the -Q
option of ssh(1).

You would configure the new "Ciphers" line the default ciphers, separated by commas, adding/removing entries to achieve PCI compliance.

We're currently exploring methods of ensuring SSH is PCI compliant by default in case CPANEL-7585. There's no time frame to offer at this time, but I'll update this thread with more information on the status of that case as it becomes available.

Thank you.

 

[Serra]

Just for reference, the change for this to PCI Compliance on the SSH port is:

In /etc/ssh/sshd_config add the following line:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc

This should leave only PCI complaint ciphers.

Make sure you test this, restart sshd:

service sshd restart

Then attempt to log in while leaving your original SSH window open. If you can't login, undo the change and restart. If you log out, you may not be able to log back in if it doesn't work.