How to Disable SSH Weak ciphers vulnerability for Brocade SAN Switch

You may have run a security scan and found that your system is affected by the “SSH Weak Algorithms Supported” finding: the SSH daemon on the switch still offers the RC4-based ciphers arcfour, arcfour128 and arcfour256, which are no longer considered trustworthy. If upgrading the SAN switch firmware is not possible, follow these steps to disable the untrusted ciphers in the sshd configuration directly. Keep in mind that many scanners also report the CBC-mode ciphers (aes128-cbc, 3des-cbc and so on) as a separate finding; the cipher list used below keeps them for compatibility with older clients, so drop the *-cbc entries as well if your scanner flags them and all your clients support CTR mode.

Step 1: Check which ciphers the Brocade SAN Switch supports
#ssh -vvv root@<SAN_Switch_IP>
The verbose output shows both the ciphers your client proposes and the ciphers the switch offers while the encrypted connection is negotiated.

SSH client supported ciphers:
debug1: Applying options for *
debug3: cipher ok: aes128-ctr [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
debug3: cipher ok: aes192-ctr [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
debug3: cipher ok: aes256-ctr [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
debug3: cipher ok: aes128-cbc [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
debug3: cipher ok: 3des-cbc [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
debug3: cipher ok: blowfish-cbc [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
debug3: cipher ok: cast128-cbc [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
debug3: cipher ok: aes192-cbc [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
debug3: cipher ok: aes256-cbc [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
debug3: ciphers ok: [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc]

SSH server supported algorithms (key exchange, host key, ciphers, MACs and compression, each in client-to-server and server-to-client order):
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

The algorithms actually negotiated for this session are shown in these lines:
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none

Step 2: Connect to the Brocade SAN Switch with the “root” account

#ssh  root@<SAN_Switch_IP>

Step 3: Take a backup of the sshd configuration
#cp /etc/sshd_config /etc/sshd_config_ciphers_change

Step 4: Add the new cipher set to the config file
Make sure the file does not already contain a Ciphers directive before you append one: sshd uses only the first value it reads for a keyword, so a second, appended line would be silently ignored. If none is present, append the directive (note the “>>” redirection; without it the command only prints the text to the terminal and leaves the file untouched):
#echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc" >> /etc/sshd_config

Step 5: Restart SSH service
#sh /etc/init.d/sshd stop
#sh /etc/init.d/sshd start
*In some cases your session is dropped when sshd stops. Wait a moment and then reconnect. Before restarting, make sure you have an out-of-band path to the switch (for example the serial console), because sshd will not start if the edited configuration contains a syntax error.

Step 6: Check the new ciphers

#ssh -vvv root@<SAN_Switch_IP>

The server's cipher lines in the kex_parse_kexinit output should now contain only the ciphers you configured, and the negotiated cipher shown in the "kex:" lines should be one of the CTR modes.
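As an added example (not code from the original post), here is the Step 3 backup and the Step 4 edit as a small POSIX shell script, together with an offline check of the cipher list sshd will actually use. It runs against a constructed sample config in a temporary file; the function names, the sample config and the temp paths are assumptions made for this demo, and on the switch the file to pass is /etc/sshd_config. Unlike a plain append, it replaces any Ciphers directive already present and puts the new one at the top, since sshd honours only the first occurrence of a keyword.

```sh
#!/bin/sh
# Added example, not from the original post: the Step 3/4 config edit done
# idempotently, plus an offline check of the cipher list sshd will actually
# use. The sample config, temp paths and function names are constructed for
# this demo; on the switch the file is /etc/sshd_config.

# Cipher set the post configures: arcfour variants removed, CBC kept for
# older clients (drop the *-cbc entries too if your scanner flags them).
HARDENED_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc"

# effective_ciphers CONFIG
# Print the cipher list sshd will use: the FIRST Ciphers directive wins, so a
# second line appended with "echo >>" is silently ignored.
effective_ciphers() {
    grep -Ei '^[[:space:]]*Ciphers[[:space:]]' "$1" | head -n 1 | awk '{print $2}'
}

# has_weak_cipher LIST
# Succeed (exit 0) if any RC4 cipher (arcfour, arcfour128, arcfour256) is present.
has_weak_cipher() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -Eq '^arcfour'
}

# set_ciphers CONFIG LIST
# Back the file up (Step 3), drop every existing Ciphers directive and write a
# single authoritative one at the top of the file, so it is the first directive
# sshd reads (and it stays ahead of any Match block, where Ciphers is not allowed).
set_ciphers() {
    cfg="$1"; list="$2"
    cp "$cfg" "${cfg}_ciphers_change"
    {
        echo "Ciphers $list"
        grep -Eiv '^[[:space:]]*Ciphers[[:space:]]' "$cfg" || true
    } > "${cfg}.tmp"
    mv "${cfg}.tmp" "$cfg"
}

# Demo on a constructed config that still allows RC4.
demo_cfg=$(mktemp)
printf 'Port 22\nProtocol 2\nCiphers aes128-cbc,arcfour,arcfour128\n' > "$demo_cfg"
echo "before: $(effective_ciphers "$demo_cfg")"
set_ciphers "$demo_cfg" "$HARDENED_CIPHERS"
echo "after:  $(effective_ciphers "$demo_cfg")"
if has_weak_cipher "$(effective_ciphers "$demo_cfg")"; then
    echo "weak cipher still enabled"
else
    echo "no arcfour cipher in effective list"
fi
rm -f "$demo_cfg" "${demo_cfg}_ciphers_change"
```

After restarting sshd, confirm the change from the network rather than from the file: `ssh -vvv root@<SAN_Switch_IP> 2>&1 | grep kex_parse_kexinit` shows what the switch now offers, and a connection forced to RC4 with `ssh -o Ciphers=arcfour root@<SAN_Switch_IP>` (from a client that still implements arcfour; `ssh -Q cipher` lists what your client supports) must be refused with a "no matching cipher" error. The nmap script `ssh2-enum-algos` gives the same server-side view without a login.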

Abdurrahim

I'm a System Engineer with extensive experience and administration skills, and I work for the Interbank Card Center Of Turkey. I provide hardware and software support for the following Unix/Linux and Windows platforms: Oracle Solaris, HP-UX, Linux, IBM AIX and Windows Server.