Disable SSH Weak Key Exchange Algorithms
-
Pardon, missed the key part:
The following weak key exchange algorithms are enabled :
diffie-hellman-group-exchange-sha1
rsa1024-sha1
-
And a few more ssh related configuration things:
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.
The following server-to-client Cipher Block Chaining (CBC) algorithms
are supported :
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
cast128-cbc
-
and a final piece:
The remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.
The following client-to-server Message Authentication Code (MAC) algorithms
are supported :
hmac-sha1-96
-
https://docs.cloudron.io/security/#securing-ssh-access
If you use SSH Keys (EdDSA, not RSA!) as per recommendation (although the basic server config is out of Cloudron’s purview) this doesn’t really matter, I believe…
-
@girish yeah, I know.
I wonder why, across many similarly configured boxes with the same base Ubuntu and the same base sshd, only Cloudron-enabled boxes have that issue.
And since, across multiple boxes with the same base OS and configs, only the Cloudron ones produce that kind of message, I reported it here.
-
@potemkin_ai No idea what that is. Do you have a link? Is it an online service or something to download? Also, have you tried asking them about the discrepancy? If ssh configs are the same, what else could be different?
-
@girish Nessus is a very old security scanner: https://nessus.org/
No ideas, to be honest... that's why I thought to raise it to you.
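-
One way to check what each box actually offers, as an added example that is not part of the original thread: the script below scans the output of `sshd -T` (OpenSSH's effective-configuration dump) for the algorithm classes named in the report above. The function names and the sample output are constructed for illustration.

```python
"""Flag the algorithm classes named in the scan report in `sshd -T` output."""

# Key exchange names exactly as listed in the report quoted in this thread.
WEAK_KEX = {"diffie-hellman-group-exchange-sha1", "rsa1024-sha1"}


def is_weak(directive, name):
    """Apply the report's three rules to a single algorithm name."""
    if directive == "kexalgorithms":
        return name in WEAK_KEX
    if directive == "ciphers":
        return name.endswith("-cbc")          # any CBC-mode cipher
    if directive == "macs":
        return "md5" in name or "-96" in name  # MD5-based or 96-bit MACs
    return False


def weak_algorithms(sshd_t_output):
    """Return {directive: [weak names]} for the text printed by `sshd -T`."""
    found = {}
    for line in sshd_t_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        directive = parts[0].lower()
        if directive not in ("kexalgorithms", "ciphers", "macs"):
            continue
        weak = [n for n in parts[1].strip().split(",") if is_weak(directive, n)]
        if weak:
            found[directive] = weak
    return found


# Constructed sample of `sshd -T` output (not taken from any real host).
SAMPLE = """\
port 22
kexalgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1
ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-cbc,3des-cbc
macs hmac-sha2-256-etm@openssh.com,hmac-sha1-96,hmac-md5
"""

if __name__ == "__main__":
    for directive, names in weak_algorithms(SAMPLE).items():
        print(f"{directive}: {', '.join(names)}")
```

Feeding it the `sshd -T` output captured as root on a flagged box and on an unflagged one shows whether the effective algorithm lists really match, including any settings pulled in from included config files.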