Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. Discuss
  3. Disable SSH Weak Key Exchange Algorithms

Disable SSH Weak Key Exchange Algorithms

Scheduled Pinned Locked Moved Discuss
13 Posts 3 Posters 8.2k Views 3 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • potemkin_aiP Offline
    potemkin_aiP Offline
    potemkin_ai
    wrote on last edited by
    #1

    Nessus shows that my servers with Cloudron (and only those servers) installed has weak ssh key exchange algorithms enables:

    The remote SSH server is configured to allow key exchange algorithms which are considered weak.

    This is based on the IETF draft document Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH) draft-ietf-curdle-ssh-kex-sha2-20. Section 4 lists guidance on key exchange algorithms that SHOULD NOT and MUST NOT be enabled. This includes:

    diffie-hellman-group-exchange-sha1

    diffie-hellman-group1-sha1

    gss-gex-sha1-*

    gss-group1-sha1-*

    gss-group14-sha1-*

    rsa1024-sha1

    Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software versions.

    See Also
    http://www.nessus.org/u?b02d91cd
    https://datatracker.ietf.org/doc/html/rfc8732

    From what I understood, cloudron only works with the port, but from numerous servers configured the same way from the same Ubuntu, only my servers with Cloudron got this issue.

    1 Reply Last reply
    1
    • potemkin_aiP Offline
      potemkin_aiP Offline
      potemkin_ai
      wrote on last edited by
      #2

      Pardon, missed the key part:

      The following weak key exchange algorithms are enabled :

      diffie-hellman-group-exchange-sha1
      rsa1024-sha1

      1 Reply Last reply
      0
      • potemkin_aiP Offline
        potemkin_aiP Offline
        potemkin_ai
        wrote on last edited by
        #3

        And a few more ssh related configuration things:

        The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.

        The following server-to-client Cipher Block Chaining (CBC) algorithms
        are supported :

        3des-cbc
        aes128-cbc
        aes192-cbc
        aes256-cbc
        cast128-cbc

        1 Reply Last reply
        0
        • potemkin_aiP Offline
          potemkin_aiP Offline
          potemkin_ai
          wrote on last edited by
          #4

          and a final piece:

          The remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.

          The following client-to-server Message Authentication Code (MAC) algorithms
          are supported :

          hmac-sha1-96

          1 Reply Last reply
          0
          • necrevistonnezrN Offline
            necrevistonnezrN Offline
            necrevistonnezr
            wrote on last edited by necrevistonnezr
            #5

            https://docs.cloudron.io/security/#securing-ssh-access

            If you use SSH Keys (EdDSA, not RSA!) as per recommendation (although the basic server config is out of Cloudron’s purview) this doesn‘t really matter, I believe….

            1 Reply Last reply
            1
            • girishG Offline
              girishG Offline
              girish
              Staff
              wrote on last edited by
              #6

              @potemkin_ai you are free to edit the SSH config as you like. We rely on the default SSHD config (this , in turn comes from your VPS provider and Ubuntu images).

              potemkin_aiP 1 Reply Last reply
              0
              • girishG girish

                @potemkin_ai you are free to edit the SSH config as you like. We rely on the default SSHD config (this , in turn comes from your VPS provider and Ubuntu images).

                potemkin_aiP Offline
                potemkin_aiP Offline
                potemkin_ai
                wrote on last edited by
                #7

                @girish yeah, I know.

                I wonder why across many similarly configured boxes with the same base ubuntu with the same base sshd only cloudron enabled boxes have that issue.

                And since across multiple boxes with the same base os and configs only cloudron produce that kind of message I reported it here.

                1 Reply Last reply
                0
                • girishG Offline
                  girishG Offline
                  girish
                  Staff
                  wrote on last edited by
                  #8

                  @potemkin_ai do you see any change in sshd configs between them? We only add a single comment to sshd.

                  potemkin_aiP 1 Reply Last reply
                  0
                  • girishG girish

                    @potemkin_ai do you see any change in sshd configs between them? We only add a single comment to sshd.

                    potemkin_aiP Offline
                    potemkin_aiP Offline
                    potemkin_ai
                    wrote on last edited by
                    #9

                    @girish nop. I also checked that, but there are no differences in the configs (apart from the port number)

                    1 Reply Last reply
                    0
                    • girishG Offline
                      girishG Offline
                      girish
                      Staff
                      wrote on last edited by
                      #10

                      @potemkin_ai Is there a way I can run these tests myself?

                      potemkin_aiP 1 Reply Last reply
                      1
                      • girishG girish

                        @potemkin_ai Is there a way I can run these tests myself?

                        potemkin_aiP Offline
                        potemkin_aiP Offline
                        potemkin_ai
                        wrote on last edited by
                        #11

                        @girish sure - just run Nessus full security scan against your server.

                        girishG 1 Reply Last reply
                        1
                        • potemkin_aiP potemkin_ai

                          @girish sure - just run Nessus full security scan against your server.

                          girishG Offline
                          girishG Offline
                          girish
                          Staff
                          wrote on last edited by
                          #12

                          @potemkin_ai No idea what that is. Do you have a link? Is it an online service or something to download ? Also, have you tried asking them about the discrepancy ? If ssh configs are the same, what else could be different?

                          potemkin_aiP 1 Reply Last reply
                          0
                          • girishG girish

                            @potemkin_ai No idea what that is. Do you have a link? Is it an online service or something to download ? Also, have you tried asking them about the discrepancy ? If ssh configs are the same, what else could be different?

                            potemkin_aiP Offline
                            potemkin_aiP Offline
                            potemkin_ai
                            wrote on last edited by
                            #13

                            @girish Nessus is a very old security scanner: https://nessus.org/

                            No ideas, to be honest... that's why I thought to raise it to you.

                            1 Reply Last reply
                            0
                            Reply
                            • Reply as topic
                            Log in to reply
                            • Oldest to Newest
                            • Newest to Oldest
                            • Most Votes


                            • Login

                            • Don't have an account? Register

                            • Login or register to search.
                            • First post
                              Last post
                            0
                            • Categories
                            • Recent
                            • Tags
                            • Popular
                            • Bookmarks
                            • Search