Disable SSH Weak Key Exchange Algorithms
-
Pardon, missed the key part:
The following weak key exchange algorithms are enabled :
diffie-hellman-group-exchange-sha1
rsa1024-sha1 -
And a few more ssh related configuration things:
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.
The following server-to-client Cipher Block Chaining (CBC) algorithms
are supported :3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
cast128-cbc -
and a final piece:
The remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.
The following client-to-server Message Authentication Code (MAC) algorithms
are supported :hmac-sha1-96
-
https://docs.cloudron.io/security/#securing-ssh-access
If you use SSH Keys (EdDSA, not RSA!) as per recommendation (although the basic server config is out of Cloudron’s purview) this doesn‘t really matter, I believe….
-
@potemkin_ai you are free to edit the SSH config as you like. We rely on the default SSHD config (this , in turn comes from your VPS provider and Ubuntu images).
@girish yeah, I know.
I wonder why across many similarly configured boxes with the same base ubuntu with the same base sshd only cloudron enabled boxes have that issue.
And since across multiple boxes with the same base os and configs only cloudron produce that kind of message I reported it here.
-
@potemkin_ai do you see any change in sshd configs between them? We only add a single comment to sshd.
@girish nop. I also checked that, but there are no differences in the configs (apart from the port number)
-
@potemkin_ai Is there a way I can run these tests myself?
-
@girish sure - just run Nessus full security scan against your server.
-
@potemkin_ai No idea what that is. Do you have a link? Is it an online service or something to download ? Also, have you tried asking them about the discrepancy ? If ssh configs are the same, what else could be different?
@girish Nessus is a very old security scanner: https://nessus.org/
No ideas, to be honest... that's why I thought to raise it to you.
