SRX

Expand all | Collapse all

Nessus scans, ssh "weak" ciphers

Jump to Best Answer
  • 1.  Nessus scans, ssh "weak" ciphers

    Posted 08-20-2019 14:58

    no matter what i do it still pops up this is what i have configued am i missing something?

     

    set system services ssh root-login deny

    set system services ssh protocol-version v2

    set system services ssh max-sessions-per-connection 32

    set system services ssh ciphers aes256-ctr

    set system services ssh macs hmac-sha2-256

    set system services ssh macs hmac-sha2-512

    set system services ssh key-exchange curve25519-sha256

    set system services ssh key-exchange ecdh-sha2-nistp256  

    set system services ssh key-exchange ecdh-sha2-nistp384   

    set system services ssh key-exchange ecdh-sha2-nistp521   

    set system services ssh key-exchange group-exchange-sha2



  • 2.  RE: Nessus scans, ssh "weak" ciphers

    Posted 08-20-2019 16:12

     Andrew,

     

    Does the report only say "weak ciphers being used" or provide more information about what the weak ciphers are?

     

    In a quick search I found the following ones that you have already configured:

     

    • diffie-hellman-group-exchange-sha256
    • hmac-sha2-512
    • hmac-sha2-256
    • aes256-ctr

    https://community.tenable.com/s/article/Which-SSH-Ciphers-are-supported-by-Nessus

     

    You can take a packet capture on your SRX interface when connecting via SSH and confirm if the SRX is indeed stating that it supports the reported weak cipher. (you could upload the pcap and we will help you)

     

    SRX Branch: https://kb.juniper.net/InfoCenter/index?page=content&id=kb11709

    SRX High end: https://kb.juniper.net/InfoCenter/index?page=content&id=KB21563&actp=METADATA

     



  • 3.  RE: Nessus scans, ssh "weak" ciphers

    Posted 08-21-2019 08:24

    Hello thank you for the reply 

     

    Nessus thinks arcfour (all of them 128,256 also) is still able to be used 



  • 4.  RE: Nessus scans, ssh "weak" ciphers
    Best Answer

     
    Posted 08-21-2019 08:36

    Hi, try the packet capture on the SRX to confirm is the SRX is replying to the SSH queries stating that it indeed supports arcfour.

     

    Maybe the SRX is not reporting support for arcfour but the Scan still tries to connect using arcfour?

     



  • 5.  RE: Nessus scans, ssh "weak" ciphers

    Posted 08-21-2019 09:09

    appently some of the config didn't take and now it seems to be working, just have to rescan now 



  • 6.  RE: Nessus scans, ssh "weak" ciphers

     
    Posted 08-21-2019 09:45

    Im glad the packet capture worked. Let us know if the scan results are fine now.

     



  • 7.  RE: Nessus scans, ssh "weak" ciphers

    Posted 08-21-2019 08:39

    ook a capture off our tapsthe encryption alg say is supports like every thing? the other stuff is only what i have set? 



  • 8.  RE: Nessus scans, ssh "weak" ciphers

    Posted 08-21-2019 08:47

    the packet from the SRX clearly shows arcfour in the "encyption algarythm server to client and client to server"