The Community Forums

Interact with an entire community of cPanel & WHM users!

Trustwave - Insecure ARCFOUR encryption

Discussion in 'Security' started by Serra, Sep 21, 2016.

  1. Serra

    Serra Well-Known Member

    I've got a new Trustwave wrinkle:

    Insecure ARCFOUR Encryption: arcfour, arcfour128 and arcfour256 on port 22.
    and "SSH arcfour encryption algorithms supported"

    I checked /etc/ssh/ssh_config, but the ciphers are commented out. Where are the ciphers set for ssh? (they aren't in sshd_config either)

    Anyone using an approved cipher list?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  3. Serra

    Serra Well-Known Member

    I already knew all that; my issue is that the ciphers line is currently commented out of the ssh config file. As such, I don't know what the current cipher suite is. This is problematic because uncommenting the line could do nothing or drastically change the ciphers in use. Doing nothing doesn't seem so bad; drastically changing the cipher suite could be a disaster that takes days or weeks of problems with clients to fix.

    So, is the cipher suite that is commented out the same as what is in use? What is in use? Is there a way to find out?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The lack of an entry indicates the default cipher list is utilized. You can use the following command to view the default list:

    Code:
    man ssh_config
    Here's the entry for "Ciphers" from that output:

    You would configure the new "Ciphers" line with the default ciphers, separated by commas, adding/removing entries to achieve PCI compliance.

    We're currently exploring methods of ensuring SSH is PCI compliant by default in case CPANEL-7585. There's no time frame to offer at this time, but I'll update this thread with more information on the status of that case as it becomes available.

    Thank you.
     
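As an added example (not from the thread or from cPanel), the following script answers the "what is actually in use?" question from the server side: `sshd -T` prints the effective sshd configuration, including the cipher list that applies when the `Ciphers` line is commented out, and the script builds a replacement `Ciphers` directive with the arcfour variants removed. The `sshd -T` output embedded below is a constructed sample; on a live server pipe the real command into `effective_ciphers` instead.

```shell
#!/bin/sh
# Inspect the effective sshd cipher list and build a Ciphers line without
# the arcfour variants. On a live server replace the constructed sample with:
#     sshd -T 2>/dev/null | effective_ciphers
# (sshd -T prints the effective server configuration with lowercase keywords.)

# Constructed sample of `sshd -T` output; the cipher order is illustrative only.
SAMPLE_SSHD_T='port 22
ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour
macs hmac-md5,hmac-sha1,umac-64@openssh.com'

# Read sshd -T style text on stdin; print the comma-separated cipher list.
effective_ciphers() {
    awk 'tolower($1) == "ciphers" { print $2; exit }'
}

# Succeed (exit 0) if the list in $1 contains any arcfour variant.
has_arcfour() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qi '^arcfour'
}

# Print the list in $1 with every arcfour variant removed, order preserved.
drop_arcfour() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -vi '^arcfour' | paste -s -d ',' -
}

list=$(printf '%s\n' "$SAMPLE_SSHD_T" | effective_ciphers)
if has_arcfour "$list"; then
    echo "arcfour enabled in effective config; add this to /etc/ssh/sshd_config:"
    echo "Ciphers $(drop_arcfour "$list")"
    echo "then restart sshd and re-test from a client before the next scan."
else
    echo "no arcfour ciphers enabled: $list"
fi
```

Because the generated line lists the ciphers that were already active minus arcfour, applying it does not change what existing clients negotiate unless they were relying on arcfour.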