Security

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



  • 1.  disable SSH weak algorithm supported - SRX650

    Posted 03-29-2021 00:15
    HI,

    The Nessus security scan is detected that the remote SSH server is configured to use the Arcfour stream cipher or no cipher at all. RFC 4253 advises against using Arcfour due to an issue with weak keys.
    Solution
    Contact the vendor or consult product documentation to remove the weak ciphers.
    See Also
    RFC 4253 - The Secure Shell (SSH) Transport Layer Protocol


    Any idea how to remove the weak ciphers and configure the more secure cipher algorithms for SRX650 and EX2200 devices? 

    Thank you.


  • 2.  RE: disable SSH weak algorithm supported - SRX650

     
    Posted 03-29-2021 05:26
    You can configure which ssh parameters are allowed.  The instructions are here.

    https://www.juniper.net/documentation/en_US/junos-cc19.1/topics/reference/general/Routers/19.1r2/19.1r2-mx-104-cc-guide/configuring-ssh-console-cc-mx-104.html

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: disable SSH weak algorithm supported - SRX650

    Posted 03-29-2021 06:07
    Thank you. 

    If I want to know, whether the SRX650 is using  Arcfour ciper or not, how can I check it through cli? OR Is it just configured by default as soon as the ssh service is configured in the SRX650?


  • 4.  RE: disable SSH weak algorithm supported - SRX650

    Posted 03-30-2021 09:55

    Hello,

    The ciphers being used by your SRX are completely configurable as noted by Steve above. Which ciphers are available are based on which Junos version your device is running. 

    E.g

    [edit]
    root@SRX# set system services ssh ciphers ?
    Possible completions:
      3des-cbc             Triple DES in CBC mode
      aes128-cbc           128-bit AES with Cipher Block Chaining
      aes128-ctr           128-bit AES with Counter Mode
      aes128-gcm@openssh.com  128-bit AES with Galois/Counter Mode
      aes192-cbc           192-bit AES with Cipher Block Chaining
      aes192-ctr           192-bit AES with Counter Mode
      aes256-cbc           256-bit AES with Cipher Block Chaining
      aes256-ctr           256-bit AES with Counter Mode
      aes256-gcm@openssh.com  256-bit AES with Galois/Counter Mode
      arcfour              128-bit RC4 with Cipher Block Chaining
      arcfour128           128-bit RC4 with Cipher Block Chaining
      arcfour256           256-bit RC4 with Cipher Block Chaining
      blowfish-cbc         128-bit Blowfish with Cipher Block Chaining
      cast128-cbc          128-bit CAST with Cipher Block Chaining
      chacha20-poly1305@openssh.com  ChaCha20 stream cipher and Poly1305 MAC


    ------------------------------
    Craig Dods
    ------------------------------



  • 5.  RE: disable SSH weak algorithm supported - SRX650

    Posted 04-15-2021 00:28
    Thanks, Craig.


  • 6.  RE: disable SSH weak algorithm supported - SRX650

     
    Posted 03-31-2021 05:53
    By default all options are available, then once you start selecting in configuration only those added are permitted.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 7.  RE: disable SSH weak algorithm supported - SRX650

    Posted 04-15-2021 00:28
    Thank you.