I recently installed an OpenVAS/Greenbone vulnerability scanner to check my environment, since the price was right and I currently don’t have a budget for it. One thing that I’ve been noticing on all of my Linux systems (SLES 11 SP4) is that they all have a warning to disable weak ciphers for SSH. I can’t for the life of me figure out what I am doing wrong when disabling them. I’m following all of the instructions that I find to the letter, but the weak ciphers keep showing up. I hate to mark it as a straight-up “False Positive”, since that interferes with the OpenVAS/Greenbone scoring system. Here is what I’m doing…
My first try was to edit the /etc/ssh/sshd_conf file and add the following line to remove the weak Arcfour ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
I restarted the sshd service a couple of times and even restarted the system. When I run ssh -Q cipher I continue to get the following:
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
chacha20-poly1305@openssh.com
So after a number of other things and trying more stuff, I decided to try YaST and edit the SSHD Configuration. Under Supported Ciphers the list contained arcfour, arcfour128, and arcfour256, and I removed them. Again, after restarting sshd and the server itself, ssh -Q cipher displays the same list as above.
If I run ssh -T | grep ciphers I get the following:
ciphers 3des-cbc,aes128-cbc,aes128-ctr,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,blowfish-cbc,cast128-cbc
Like I said, I hate to just write this off as a false positive, since if I can find a fix that OpenVAS is happy with, it will lower my score on all of the SLES systems. Even though I’m still only in the Medium category, I’d like to get everything that I can down to Low. Thanks for any direction that you can provide.
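An added example to go with the post above (my own script; it is not code from the post, from SUSE or from OpenVAS/Greenbone). Two facts worth separating: ssh -Q cipher enumerates every cipher compiled into the OpenSSH build and ignores configuration entirely, so it will always show arcfour and the CBC ciphers no matter what sshd_config says; sshd -T dumps the effective server configuration, and its ciphers line is the list sshd actually offers to clients. The ciphers line quoted in the post has no arcfour entries, but it still offers 3des-cbc and the other CBC-mode ciphers, which scanners flag as weak just as they flag RC4. The script below extracts the effective list from an sshd -T dump, reports which entries match a weak-cipher pattern, and rewrites the Ciphers line in a copy of the config to CTR and AEAD modes only. The weak-cipher pattern, the hardened cipher list, and the sample sshd -T line are assumptions of this example; the hardened list deliberately contains only ciphers that appear in the ssh -Q cipher output in the post, because sshd refuses to start on an unsupported cipher name.

```bash
#!/bin/sh
# Added example (not from the original post): audit the ciphers sshd actually
# offers and rewrite the Ciphers directive to a hardened set.
#
#   ssh -Q cipher   -> every cipher compiled into the OpenSSH build (config ignored)
#   sshd -T         -> the effective server configuration, including "ciphers ..."
#
# Assumption: these patterns match what OpenVAS/Greenbone commonly flags as weak:
# RC4 (arcfour*), any CBC-mode cipher, and 3DES.
WEAK_PATTERN='arcfour|-cbc|3des'

# Assumption: CTR and AEAD modes only. Every name here appears in the
# "ssh -Q cipher" output quoted in the post; a name the build does not
# support makes sshd fail to start, so always validate with "sshd -t".
HARDENED_CIPHERS='aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com'

# Constructed sample: the "ciphers" line quoted in the post.
SAMPLE_SSHD_T='ciphers 3des-cbc,aes128-cbc,aes128-ctr,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,blowfish-cbc,cast128-cbc'

# Read an "sshd -T" dump on stdin, print the comma-separated cipher list.
effective_ciphers() {
    awk '$1 == "ciphers" { print $2 }'
}

# Given a comma-separated cipher list, print the weak entries one per line
# (prints nothing, and still exits 0, when none match).
weak_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -E "$WEAK_PATTERN" || true
}

# Replace the Ciphers line in the given sshd_config (or append one if absent).
# Works on a temp copy and moves it into place, so it is portable across sed versions.
set_ciphers() {
    cfg=$1
    if grep -qE '^[[:space:]]*Ciphers[[:space:]]' "$cfg"; then
        sed -E "s|^[[:space:]]*Ciphers[[:space:]].*|Ciphers $HARDENED_CIPHERS|" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf 'Ciphers %s\n' "$HARDENED_CIPHERS" >> "$cfg"
    fi
}

main() {
    list=$(printf '%s\n' "$SAMPLE_SSHD_T" | effective_ciphers)
    echo "Effective ciphers (from sshd -T): $list"
    echo "Weak ciphers still offered:"
    weak_ciphers "$list"
    echo
    echo "Suggested directive for /etc/ssh/sshd_config:"
    echo "Ciphers $HARDENED_CIPHERS"
    echo "Then run: sshd -t && (restart sshd) && sshd -T | grep '^ciphers'"
}

# Runs against the embedded sample. On a real host, feed the live dump instead:
#   sshd -T | effective_ciphers
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as sh audit.sh --run to see the report for the sample line. The check that matters after any change is the last one: sshd -T | grep '^ciphers' must show the hardened list, because that, and not ssh -Q cipher, is what the scanner negotiates against.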