Hello,
The ciphers being used by your SRX are completely configurable, as noted by Steve above. Which ciphers are available is based on which Junos version your device is running.
E.g.
[edit]
root@SRX# set system services ssh ciphers ?
Possible completions:
  3des-cbc                       Triple DES in CBC mode
  aes128-cbc                     128-bit AES with Cipher Block Chaining
  aes128-ctr                     128-bit AES with Counter Mode
  aes128-gcm@openssh.com         128-bit AES with Galois/Counter Mode
  aes192-cbc                     192-bit AES with Cipher Block Chaining
  aes192-ctr                     192-bit AES with Counter Mode
  aes256-cbc                     256-bit AES with Cipher Block Chaining
  aes256-ctr                     256-bit AES with Counter Mode
  aes256-gcm@openssh.com         256-bit AES with Galois/Counter Mode
  arcfour                        128-bit RC4 with Cipher Block Chaining
  arcfour128                     128-bit RC4 with Cipher Block Chaining
  arcfour256                     256-bit RC4 with Cipher Block Chaining
  blowfish-cbc                   128-bit Blowfish with Cipher Block Chaining
  cast128-cbc                    128-bit CAST with Cipher Block Chaining
  chacha20-poly1305@openssh.com  ChaCha20 stream cipher and Poly1305 MAC
------------------------------
Craig Dods
------------------------------
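Added example, not part of the thread and not Juniper code: an SSH server advertises the ciphers it accepts in the SSH_MSG_KEXINIT message defined by RFC 4253, which is what a remote scan sees. The Python below parses such a payload and reports any arcfour or "none" ciphers, so a change made with `set system services ssh ciphers` can be verified from the outside. The function names and the sample payload are constructed for illustration.

```python
import struct

# Name-list order in SSH_MSG_KEXINIT (RFC 4253, section 7.1)
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
SSH_MSG_KEXINIT = 20

def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload (binary packet framing already removed)."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}  # skip message type byte + 16-byte cookie
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        out[name] = raw.split(",") if raw else []
        pos += n
    return out

def weak_ciphers(kex: dict) -> list:
    """Encryption algorithms offered that are RC4 ("arcfour*") or "none"."""
    offered = set(kex["enc_c2s"]) | set(kex["enc_s2c"])
    return sorted(c for c in offered if c.startswith("arcfour") or c == "none")

def build_kexinit(lists: dict) -> bytes:
    """Hypothetical helper: build a constructed payload for offline testing."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # all-zero cookie
    for name in FIELDS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(data)) + data
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_follows, reserved

# Constructed sample (not captured from a device); cipher names are taken
# from the completion list in the post above.
SAMPLE = build_kexinit({
    "kex": ["diffie-hellman-group14-sha1"], "host_key": ["ssh-rsa"],
    "enc_c2s": ["aes128-ctr", "aes256-ctr", "arcfour256", "arcfour128", "arcfour"],
    "enc_s2c": ["aes128-ctr", "aes256-ctr", "arcfour"],
    "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})

if __name__ == "__main__":
    print("weak ciphers offered:", weak_ciphers(parse_kexinit(SAMPLE)))
```

The compression name-lists legitimately contain "none"; only the two encryption name-lists are checked.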
Original Message:
Sent: 03-29-2021 06:07
From: Unknown User
Subject: disable SSH weak algorithm supported - SRX650
Thank you.
If I want to know whether the SRX650 is using the Arcfour cipher or not, how can I check it through the CLI? Or is it just configured by default as soon as the SSH service is configured on the SRX650?
Original Message:
Sent: 03-29-2021 05:26
From: STEVE PULUKA
Subject: disable SSH weak algorithm supported - SRX650
You can configure which ssh parameters are allowed. The instructions are here.
https://www.juniper.net/documentation/en_US/junos-cc19.1/topics/reference/general/Routers/19.1r2/19.1r2-mx-104-cc-guide/configuring-ssh-console-cc-mx-104.html
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Original Message:
Sent: 03-29-2021 00:15
From: Unknown User
Subject: disable SSH weak algorithm supported - SRX650
Hi,
The Nessus security scan has detected that the remote SSH server is configured to use the Arcfour stream cipher or no cipher at all. RFC 4253 advises against using Arcfour due to an issue with weak keys.
Solution
Contact the vendor or consult product documentation to remove the weak ciphers.
See Also
RFC 4253 - The Secure Shell (SSH) Transport Layer Protocol
Any idea how to remove the weak ciphers and configure the more secure cipher algorithms for SRX650 and EX2200 devices?
Thank you.