When a vulnerability scan is run against a Linux host, it often reports a finding named "SSH Weak Encryption Algorithms Supported". The cause is that some of the encryption algorithms SSH enables by default are no longer considered secure; arcfour, arcfour128 and arcfour256, for example, are all weak ciphers.
[root@blogs-v2 ~]# yum install nmap -y
[root@blogs-v2 ~]# nmap --script 'ssh2*' 192.168.0.221

Starting Nmap 6.40 ( http://nmap.org ) at 2022-03-08 15:28 CST
Nmap scan report for 192.168.0.221
Host is up (0.0020s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh2-enum-algos:
|   kex_algorithms (12)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms (12)        # list of SSH encryption algorithms currently offered
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|       aes128-cbc
|       aes192-cbc
|       aes256-cbc
|       blowfish-cbc
|       cast128-cbc
|       3des-cbc
|   mac_algorithms (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms (2)
|       none
|_      zlib@openssh.com
111/tcp open  rpcbind

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
[root@192-168-0-221 ~]# vim /etc/ssh/sshd_config
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Ciphers aes128-ctr,aes192-ctr,aes256-ctr # explicitly specify the ciphers allowed for SSH connections
[root@192-168-0-221 ~]# systemctl restart sshd.service # restart the SSH service
Note: ssh_config and sshd_config are both SSH configuration files; the difference is that the former configures the client, while the latter configures the server (sshd).
[root@blogs-v2 ~]# nmap --script 'ssh2*' 192.168.0.221

Starting Nmap 6.40 ( http://nmap.org ) at 2022-03-08 15:43 CST
Nmap scan report for 192.168.0.221
Host is up (0.0022s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh2-enum-algos:
|   kex_algorithms (12)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms (3)         # only the three ciphers we configured remain, so the change took effect
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms (2)
|       none
|_      zlib@openssh.com
111/tcp open  rpcbind

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
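Comparing the two scans by eye works for one host; the following shell snippet is an added example (not from the original post) that automates the check: it parses the encryption_algorithms section of ssh2-enum-algos output, prints any cipher the server still offers that is not on the Ciphers allowlist, and verifies that the Ciphers line in sshd_config is uncommented and placed before any Match block (a Ciphers line inside a Match block only applies to the connections that block matches). The scan excerpt is constructed to resemble the first scan above, and the file path passed to ciphers_line_is_global is an assumption.

```shell
#!/bin/sh
# Added example: verify SSH cipher hardening from nmap ssh2-enum-algos output.

# The Ciphers allowlist configured in sshd_config above
ALLOWED="aes128-ctr,aes192-ctr,aes256-ctr"

# Constructed excerpt of ssh2-enum-algos output, modelled on the scan before hardening
SCAN_BEFORE='|   ssh2-enum-algos:
|   kex_algorithms (2)
|       curve25519-sha256
|       diffie-hellman-group1-sha1
|   encryption_algorithms (5)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes128-cbc
|       3des-cbc
|       arcfour
|   mac_algorithms (1)
|_      hmac-sha1'

# Print each algorithm listed under encryption_algorithms, one per line
list_ciphers() {
    printf '%s\n' "$1" | awk '
        /^\|[ _]*[a-z0-9_]+_algorithms \(/ { in_enc = ($0 ~ /encryption_algorithms/); next }
        in_enc { sub(/^\|[ _]*/, ""); if ($0 != "") print }'
}

# Print offered ciphers that are not in the comma-separated allowlist
# (no output means the server only offers what we configured)
unexpected_ciphers() {
    list_ciphers "$1" | while IFS= read -r c; do
        case ",$2," in *",$c,"*) ;; *) printf '%s\n' "$c" ;; esac
    done
}

# Exit 0 if the file has an uncommented Ciphers line before any Match block;
# a Ciphers line after Match is scoped to that block, not the whole server.
ciphers_line_is_global() {
    awk 'tolower($1) == "match" { in_match = 1 }
         tolower($1) == "ciphers" && !in_match { found = 1 }
         END { exit !found }' "$1"
}

# Usage: ciphers still offered that are outside the allowlist (assumed config path)
unexpected_ciphers "$SCAN_BEFORE" "$ALLOWED"
ciphers_line_is_global /etc/ssh/sshd_config || echo "Ciphers is missing or not global"
```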
Original work notice: this article was published on the Tencent Cloud Developer Community with the author's authorization and may not be reproduced without permission.
If you believe it infringes your rights, contact cloudcommunity@tencent.com to have it removed.