Disable SSH Weak Key Exchange Algorithms
-
Nessus shows that my servers with Cloudron (and only those servers) installed has weak ssh key exchange algorithms enables:
The remote SSH server is configured to allow key exchange algorithms which are considered weak.
This is based on the IETF draft document Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH) draft-ietf-curdle-ssh-kex-sha2-20. Section 4 lists guidance on key exchange algorithms that SHOULD NOT and MUST NOT be enabled. This includes:
diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
gss-gex-sha1-*
gss-group1-sha1-*
gss-group14-sha1-*
rsa1024-sha1
Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software versions.
See Also
http://www.nessus.org/u?b02d91cd
https://datatracker.ietf.org/doc/html/rfc8732From what I understood, cloudron only works with the port, but from numerous servers configured the same way from the same Ubuntu, only my servers with Cloudron got this issue.
-
Pardon, missed the key part:
The following weak key exchange algorithms are enabled :
diffie-hellman-group-exchange-sha1
rsa1024-sha1 -
And a few more ssh related configuration things:
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.
The following server-to-client Cipher Block Chaining (CBC) algorithms
are supported :3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
cast128-cbc -
and a final piece:
The remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.
The following client-to-server Message Authentication Code (MAC) algorithms
are supported :hmac-sha1-96
-
https://docs.cloudron.io/security/#securing-ssh-access
If you use SSH Keys (EdDSA, not RSA!) as per recommendation (although the basic server config is out of Cloudron’s purview) this doesn‘t really matter, I believe….
-
@potemkin_ai you are free to edit the SSH config as you like. We rely on the default SSHD config (this , in turn comes from your VPS provider and Ubuntu images).
@girish yeah, I know.
I wonder why across many similarly configured boxes with the same base ubuntu with the same base sshd only cloudron enabled boxes have that issue.
And since across multiple boxes with the same base os and configs only cloudron produce that kind of message I reported it here.
-
@potemkin_ai do you see any change in sshd configs between them? We only add a single comment to sshd.
@girish nop. I also checked that, but there are no differences in the configs (apart from the port number)
-
@potemkin_ai Is there a way I can run these tests myself?
-
@girish sure - just run Nessus full security scan against your server.
-
@potemkin_ai No idea what that is. Do you have a link? Is it an online service or something to download ? Also, have you tried asking them about the discrepancy ? If ssh configs are the same, what else could be different?
@girish Nessus is a very old security scanner: https://nessus.org/
No ideas, to be honest... that's why I thought to raise it to you.
