When scanning with Tenable Nessus, the SSH port is reported with a low-severity finding (low vulnerability): SSH Server CBC Mode Ciphers Enabled.
Fix:
On the machine, first run man sshd_config (preferably read the English documentation; if the system uses another locale, the suggested command is LANG=en_US.utf8 man sshd_config). In the Ciphers section you will find the description of the encryption algorithms, as follows:
    Ciphers
        Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If the specified value begins with a '+'
        character, then the specified ciphers will be appended to the default set instead of replacing them.
        The supported ciphers are:
            3des-cbc
            aes128-cbc
            aes192-cbc
            aes256-cbc
            aes128-ctr
            aes192-ctr
            aes256-ctr
            aes128-gcm@openssh.com
            aes256-gcm@openssh.com
            arcfour
            arcfour128
            arcfour256
            blowfish-cbc
            cast128-cbc
            chacha20-poly1305@openssh.com
        The default is:
            chacha20-poly1305@openssh.com,
            aes128-ctr,aes192-ctr,aes256-ctr,
            aes128-gcm@openssh.com,aes256-gcm@openssh.com,
            aes128-cbc,aes192-cbc,aes256-cbc,
            blowfish-cbc,cast128-cbc,3des-cbc
        The list of available ciphers may also be obtained using "ssh -Q cipher". (i.e. the supported ciphers, not the default set)
From the default list above (the algorithms listed under "The default is:"), remove every entry with the -cbc suffix, then join the remaining algorithms into a single comma-separated line prefixed with the Ciphers keyword, as shown:
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
Check /etc/ssh/sshd_config first:
e.g. grep -i ciphers /etc/ssh/sshd_config
There should be only one line, and it should be commented out: # Ciphers and keying
Then append the Ciphers ... line above to the end of /etc/ssh/sshd_config and restart the sshd service (systemctl restart sshd). On rescanning, the low-severity finding is gone.
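The same procedure as a small POSIX shell script, added here as an example and not part of the original post: it derives the CBC-free Ciphers line from the default list quoted above, and checks whether a given sshd_config still allows a CBC cipher. The default list is embedded as a constructed input; the function names (strip_cbc, ciphers_line, has_cbc, effective_ciphers) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post.
# Default cipher list as printed in the sshd_config(5) excerpt above (constructed input).
DEFAULT_CIPHERS='chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc'

# strip_cbc LIST: print LIST with every *-cbc entry removed, still comma-separated.
strip_cbc() {
    printf '%s' "$1" | tr ',' '\n' | grep -v -- '-cbc$' | paste -s -d, -
}

# ciphers_line LIST: the exact directive to append to /etc/ssh/sshd_config.
ciphers_line() {
    printf 'Ciphers %s\n' "$(strip_cbc "$1")"
}

# has_cbc LIST: exit 0 if any *-cbc cipher is present in LIST, else exit 1.
has_cbc() {
    printf '%s' "$1" | tr ',' '\n' | grep -q -- '-cbc$'
}

# effective_ciphers FILE: print the cipher list from the first uncommented
# "Ciphers" directive in FILE (sshd uses the first value it finds, which is
# why appending at the end of the file is safe only when the grep check above
# shows no active Ciphers line), or the default list if there is none.
effective_ciphers() {
    line=$(grep -i '^[[:space:]]*ciphers[[:space:]]' "$1" | head -n 1 | awk '{print $2}')
    if [ -n "$line" ]; then printf '%s' "$line"; else printf '%s' "$DEFAULT_CIPHERS"; fi
}

# Stand-alone use: print the hardened line, then report on the local config if readable.
ciphers_line "$DEFAULT_CIPHERS"
if [ -r /etc/ssh/sshd_config ]; then
    if has_cbc "$(effective_ciphers /etc/ssh/sshd_config)"; then
        echo 'CBC ciphers are still allowed by /etc/ssh/sshd_config'
    else
        echo 'no CBC ciphers allowed by /etc/ssh/sshd_config'
    fi
fi
```

After appending the line, `sshd -t` validates the file and `sshd -T | grep -i ciphers` prints the effective cipher list that the daemon will actually use, which is a cheaper confirmation than waiting for the rescan.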
