
Fixing SSL and SSH weak-algorithm vulnerabilities

One day a client received a vulnerability remediation notice from the network security authority.

Vulnerability: SSL medium-strength cipher suites allowed

  • Middleware: Nginx

Modify the ssl_ciphers setting for the corresponding listening port.

```nginx
http {
    server {
        ....
        # Use only the listed cipher suites; an entry prefixed with ! is disabled.
        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:!ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        ....
    }
}
```

You can use nmap's ssl-enum-ciphers.nse script to check the result quickly.

```bash
nmap -p 443 --script ssl-enum-ciphers IP
```
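Before rescanning, the ssl_ciphers string itself can be audited offline. The following shell functions are an added example and are not part of the original post: they split an OpenSSL-style cipher list into enabled suites and `!` exclusions, flag enabled suites that name a weak primitive (RC4, DES/3DES, MD5, NULL, EXPORT), and count suites without forward secrecy (no ECDHE/DHE key exchange), which a later scan may also report. The function names are my own, the weak-primitive pattern is my assumption about what such scanners flag, and only the literal suite names are inspected (aliases such as HIGH are not expanded, since OpenSSL is not called).

```shell
#!/bin/sh
# Added example: offline audit of an Nginx ssl_ciphers string.
# Function names and the weak-primitive pattern are assumptions for this example.

# Print each enabled suite (entries not prefixed with '!'), one per line.
enabled_suites() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -v '^!' | grep -v '^$'
}

# Print enabled suites that name a weak primitive, one per line.
# (RC4, single/triple DES, MD5, NULL and EXPORT suites are the usual scanner hits.)
weak_suites() {
    enabled_suites "$1" | grep -E 'RC4|DES|MD5|NULL|EXPORT' || true
}

# Print enabled suites whose key exchange is not ephemeral ECDHE/DHE,
# i.e. suites that give no forward secrecy, one per line.
non_pfs_suites() {
    enabled_suites "$1" | grep -Ev '^(ECDHE|DHE)-' || true
}

# Summary line: "<enabled> <weak> <non-pfs>" counts for a cipher string.
audit_ciphers() {
    total=$(enabled_suites "$1" | grep -c . || true)
    weak=$(weak_suites "$1" | grep -c . || true)
    nopfs=$(non_pfs_suites "$1" | grep -c . || true)
    printf '%s %s %s\n' "$total" "$weak" "$nopfs"
}

# Sample input: the ssl_ciphers value from the Nginx configuration above.
NGINX_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:!ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

echo "enabled weak non-pfs: $(audit_ciphers "$NGINX_CIPHERS")"
echo "suites without forward secrecy:"
non_pfs_suites "$NGINX_CIPHERS"
```

For the string from the post this reports 12 enabled suites, none weak, and 6 suites (the plain AES*-SHA* entries) with static RSA key exchange; keeping those is a compatibility choice, but they are the next thing a stricter scan policy tends to flag.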

Fixing "SSH Weak Algorithms Supported" and "SSH Server CBC Mode Ciphers Enabled"

The SSH server enables the weak arcfour algorithm by default.

Configuring an explicit list of algorithms is enough.

```bash
vim /etc/ssh/sshd_config

# CTR ciphers only: arcfour and the CBC-mode ciphers are left out, so the
# "CBC Mode Ciphers Enabled" finding is cleared at the same time.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
```

Script

```bash
#!/bin/bash
# Enforce a CTR-only Ciphers line in sshd_config and restart sshd.
# Any existing Ciphers directive is deleted first: sshd honours the first
# occurrence of a keyword, so merely appending a line would leave an
# earlier (weak) directive in effect.
set -e
CFG=/etc/ssh/sshd_config
CIPHERS='aes128-ctr,aes192-ctr,aes256-ctr'

echo '###SSH Weak Algorithms Supported Check###'
if [ "$(grep -c '^[[:space:]]*Ciphers[[:space:]]' "$CFG")" -eq 1 ] \
   && grep -q "^Ciphers $CIPHERS$" "$CFG"; then
    echo ''
    printf '###[SKIP]###'
    echo ''
else
    cp "$CFG" "$CFG.bak"                                 # backup for rollback
    sed -i '/^[[:space:]]*Ciphers[[:space:]]/d' "$CFG"   # drop existing directives
    printf 'Ciphers %s\n' "$CIPHERS" >> "$CFG"           # append the hardened one
    sshd -t                                              # validate; set -e aborts on error
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart sshd                           # unit is named 'ssh' on Debian/Ubuntu
    else
        service sshd restart
    fi
    printf '###[Done]###\n'
fi
```

Alternatively, upgrade OpenSSH to 7.0 or later, which disables the weak algorithms by default.

Fixing "SSH Weak MAC Algorithms Enabled"

Manual fix

```bash
vim /etc/ssh/sshd_config

# No MD5 and no truncated (-96) MACs in this list.
# Note: hmac-ripemd160 was removed in OpenSSH 7.6; sshd refuses to start on an
# unknown MAC name, so drop it on such versions (verify with: sshd -t).
MACs hmac-sha1,umac-64,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160
```

Fix with a script

```bash
#!/bin/bash
# Enforce the MACs line in sshd_config and restart sshd.
# As with Ciphers, sshd uses the first MACs directive it finds, so any
# existing one is removed before the hardened line is appended.
set -e
CFG=/etc/ssh/sshd_config
# hmac-ripemd160 does not exist in OpenSSH >= 7.6; sshd -t below catches that.
MACS='hmac-sha1,umac-64,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160'

echo '###SSH Weak MAC Algorithms Check###'
if [ "$(grep -c '^[[:space:]]*MACs[[:space:]]' "$CFG")" -eq 1 ] \
   && grep -q "^MACs $MACS$" "$CFG"; then
    echo ''
    printf '###[SKIP]###'
    echo ''
else
    cp "$CFG" "$CFG.bak"                                 # backup for rollback
    sed -i '/^[[:space:]]*MACs[[:space:]]/d' "$CFG"      # drop existing directives
    printf 'MACs %s\n' "$MACS" >> "$CFG"                 # append the hardened one
    sshd -t                                              # validate; set -e aborts on error
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart sshd                           # unit is named 'ssh' on Debian/Ubuntu
    else
        service sshd restart
    fi
    printf '###[Done]###\n'
fi
```

Alternatively, upgrade OpenSSH to 7.0 or later, which disables the weak algorithms by default.
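Both SSH fixes above edit sshd_config by appending a line, so it is worth checking what sshd will actually apply. The shell functions below are an added example for both the cipher and the MAC sections and are not from the original post: they read the effective value of a keyword the way sshd does (the first uncommented occurrence wins, later duplicates are ignored) and count the entries that match the weak patterns behind these findings. The function names are mine, the sample sshd_config is constructed, and the weak patterns (cbc and arcfour for the cipher findings; md5 and -96 for the MAC finding) are my assumption about what the scanner reports.

```shell
#!/bin/sh
# Added example: offline audit of an sshd_config for weak Ciphers / MACs.
# Function names, sample file and weak patterns are assumptions for this example.

# Print the effective value of a keyword: the first uncommented occurrence,
# which is the one sshd applies. Prints nothing when the keyword is absent
# (sshd then falls back to its built-in default list).
effective_value() {
    # $1 = config file, $2 = keyword (keywords are case-insensitive in sshd_config)
    awk -v key="$2" '
        $0 !~ /^[ \t]*#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print the weak entries of a comma-separated algorithm list, one per line.
weak_entries() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -Ei 'cbc|arcfour|md5|-96' || true
}

# Report "<keyword> <number of weak entries>" for Ciphers and MACs.
audit_sshd_config() {
    for key in Ciphers MACs; do
        val=$(effective_value "$1" "$key")
        n=$(weak_entries "$val" | grep -c . || true)
        printf '%s %s\n' "$key" "$n"
    done
}

# Constructed sample: a CTR-only Ciphers line was appended at the end (as the
# post's sed '$a' does), but an earlier line still enables CBC ciphers and
# therefore remains the effective value.
sample_config=$(mktemp)
cat > "$sample_config" <<'EOF'
# sshd_config (constructed sample)
Port 22
#Ciphers aes128-ctr
Ciphers aes128-cbc,3des-cbc,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
EOF

echo "effective Ciphers: $(effective_value "$sample_config" Ciphers)"
audit_sshd_config "$sample_config"
```

On a real host pass /etc/ssh/sshd_config instead of the sample; a non-zero weak count for Ciphers with a CTR-only line at the end of the file is the signature of the duplicate-directive problem. Follow any edit with `sshd -t` so a MAC name the installed version no longer knows is caught before the restart.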