How to Disable SSH Weak ciphers vulnerability for Brocade SAN Switch


You may have run a security scan and find out your system is effected  "SSH Weak Algorithms Supported" vulnerability. So the weak ciphers algorithms, "arcfour,arcfour128,arcfour256" are  not trusted algorithms  anymore. You should follow these steps to disable untrusted ciphers if  it's  not possible to upgrade  SAN Switch firmware.

Step 1: Check Brocade  SAN Switch supported ciphers
 

#ssh -vvv root@<SAN_Switch_IP>


You will observe which ciphers used while trying to make an encrypted connection.

SSH Client supported ciphers
debug1: Applying options for *
debug3: cipher ok: aes128-ctr [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
debug3: cipher ok: aes192-ctr [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
debug3: cipher ok: aes256-ctr [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
debug3: cipher ok: aes128-cbc [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
debug3: cipher ok: 3des-cbc [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
debug3: cipher ok: blowfish-cbc [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
debug3: cipher ok: cast128-cbc [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
debug3: cipher ok: aes192-cbc [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
debug3: cipher ok: aes256-cbc [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
debug3: ciphers ok: [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc]

SSH Server Supported Ciphers;
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

Which algorithms will be used show as on this step:
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none

Step 2: Connect Brocade SAN Switch with "root" account

#ssh  root@<SAN_Switch_IP>

Step 3: Take a backup of ssh configuration
 

#cp /etc/sshd_config /etc/sshd_config_ciphers_change

Step 4: Add new ciphers set to the config file

#echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc" >> /etc/sshd_config

Step 5: Restart SSH service
 

#sh /etc/init.d/sshd stop
#sh /etc/init.d/sshd start


*In some of the cases, your connection will be dropped after the SSH stop attempt. Wait for a while then try to connect the server again.

Step 6: Check  new ciphers

#ssh -vvv root@<SAN_Switch_IP>

 

 

 

 

 

I'm a IT Infrastructure and Operations Architect with extensive experience and administration skills and works for Interbank Card Center Of Turkey(BKM). I provide hardware and software support for the IT Infrastructure and Operations tasks.

198 Total Posts
Follow Me

Related Post

0 Comments

Leave a Reply