One day a customer received a vulnerability remediation notice from the network security authority.
Vulnerability: SSL medium strength cipher suites allowed
Change the ssl_ciphers directive in the server block that listens on the affected port.
```nginx
http {
    server {
        ....
        # Use only the listed cipher suites; entries prefixed with ! are excluded.
        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:!ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        ....
    }
}
```
The nmap ssl-enum-ciphers script gives a quick check of which suites the server still offers:
```bash
nmap -p 443 --script ssl-enum-ciphers IP
```
SSH Weak Algorithms Supported / SSH Server CBC Mode Ciphers Enabled fix
The SSH server enables the weak arcfour cipher by default.
Configure an explicit cipher list:
```bash
vim /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
```
Note that this list still contains CBC-mode ciphers, which is exactly what the "CBC Mode Ciphers Enabled" item reports; the script below writes a CTR-only list instead.
Script
```bash
#!/bin/bash
echo '###SSH Weak Algorithms Supported Check###'
if grep -q 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr' /etc/ssh/sshd_config; then
    echo ''
    printf "###[SKIP]###"
    echo ''
else
    # sshd honours the first Ciphers directive it finds, so drop any existing
    # one before appending the CTR-only list at the end of the file
    sed -i '/^[[:space:]]*Ciphers[[:space:]]/d' /etc/ssh/sshd_config
    sed -i '$a Ciphers aes128-ctr,aes192-ctr,aes256-ctr' /etc/ssh/sshd_config
    # Validate the configuration before restarting so a typo cannot lock us out
    sshd -t || exit 1
    # Restart via systemd where available, otherwise via SysV init
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart sshd
    else
        service sshd restart
    fi
    printf "###[Done]###"
fi
```
Alternatively, update OpenSSH to 7.0 or later, which disables the weak algorithms by default.
SSH Weak MAC Algorithms Enabled fix
Manual fix
```bash
vim /etc/ssh/sshd_config
MACs hmac-sha1,umac-64,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160
```
Some scanners still flag 64-bit tags such as umac-64; if the item comes back, keep only hmac-sha2-256 and hmac-sha2-512.
Fix with a script
```bash
#!/bin/bash
echo '###SSH Weak MAC Algorithms Check###'
if grep -q 'MACs hmac-sha1,umac-64,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160' /etc/ssh/sshd_config; then
    echo ''
    printf "###[SKIP]###"
    echo ''
else
    # sshd honours the first MACs directive it finds, so drop any existing
    # one before appending the new list at the end of the file
    sed -i '/^[[:space:]]*MACs[[:space:]]/d' /etc/ssh/sshd_config
    sed -i '$a MACs hmac-sha1,umac-64,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160' /etc/ssh/sshd_config
    # Validate the configuration before restarting so a typo cannot lock us out
    sshd -t || exit 1
    # Restart via systemd where available, otherwise via SysV init
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart sshd
    else
        service sshd restart
    fi
    printf "###[Done]###"
fi
```
Alternatively, update OpenSSH to 7.0 or later, which disables the weak algorithms by default.
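Both remediation scripts above append a directive with `sed '$a ...'`, but sshd only honours the first Ciphers or MACs line it reads, so an earlier directive silently wins. The following audit script is an added example, not part of the original post; it runs against a constructed sshd_config sample and reports which algorithm classes are actually in effect.

```sh
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# algorithm classes behind the two findings above. Only the FIRST Ciphers /
# MACs directive counts, so an appended line is ignored if one already exists.

# Constructed sample config: an early Ciphers line still carrying CBC
# entries, plus an appended CTR-only line that sshd will never use.
SAMPLE_CONFIG='Port 22
Ciphers aes128-cbc,3des-cbc,aes256-ctr
MACs hmac-sha1,umac-64,hmac-sha2-256
Ciphers aes128-ctr,aes192-ctr,aes256-ctr'

# effective_value CONFIG_TEXT KEYWORD -> value of the first matching directive
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# weak_algorithms VALUE REGEX -> comma-separated entries matching REGEX
weak_algorithms() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -E -e "$2" | tr '\n' ',' | sed 's/,$//'
}

# audit_sshd_config CONFIG_TEXT -> prints findings; returns 1 when weak
# algorithms are active: CBC-mode or arcfour ciphers, and MD5-based,
# 96-bit or 64-bit-tag MACs (the classes scanners commonly report).
audit_sshd_config() {
    audit_status=0
    active_ciphers=$(effective_value "$1" Ciphers)
    active_macs=$(effective_value "$1" MACs)
    weak_c=$(weak_algorithms "$active_ciphers" '-cbc$|^arcfour')
    weak_m=$(weak_algorithms "$active_macs" '^hmac-md5|-96$|^umac-64')
    if [ -n "$weak_c" ]; then
        echo "weak ciphers active: $weak_c"
        audit_status=1
    fi
    if [ -n "$weak_m" ]; then
        echo "weak MACs active: $weak_m"
        audit_status=1
    fi
    return $audit_status
}

# Run on the constructed sample; on a real host use:
#   audit_sshd_config "$(cat /etc/ssh/sshd_config)"
audit_sshd_config "$SAMPLE_CONFIG" || echo "remediation incomplete"
```

On the sample this reports the CBC ciphers and umac-64 as active even though a CTR-only line was appended, which is the failure mode the two scripts above can run into.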