Change SSH negotiated ciphers to improve security
Currently the ssh sessions are being established using weak configurations such as hmac-md5 and CBC ciphers. How can I improve security by disabling this setting on the box and force the use of more secure ciphers such as AES and 3DES? I use the standard Nagios XI OVA based on VMware.
Re: Change SSH negotiated ciphers to improve security
There is not currently a feature that allows you to choose a different type of encryption for terminal connections within the XI interface. You could, however, disable the terminal included in XI, then change the type of encryption used for your secure shell using whatever utilities exist natively in your operating system.
To disable the terminal...
from= https://support.nagios.com/forum/viewto ... =6&t=29894
The link in the Nagios XI web interface is generated from the /usr/local/nagiosxi/html/admin/ajaxterm.php file, and the rest of the ajaxterm files are listed under /usr/local/nagios/share/ajaxterm. If you want to remove the functionality, then those files can either be deleted or moved to the /tmp directory for safekeeping. Bear in mind they will need to be removed again on any updates as our update script essentially re-installs all the core files.
Are you using the CentOS 7 OVA? If so, I believe you may want to perform something like the following steps to force certain ciphers.
1. Edit the configuration file
Code:
vi /etc/ssh/sshd_config
2. Restart SSH service.
Code:
service sshd restart
Does that help? Please let me know if you have any more questions.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: Change SSH negotiated ciphers to improve security
Hi jbrunkow,
This is the OVA I use. In fact, I think you missed some commands, because I would like to know exactly what modifications I need to make in sshd_config and ssh_config in order to use only strong ciphers and avoid the MD5 and CBC that are configured.
Thanks.
Re: Change SSH negotiated ciphers to improve security
Yes, I left some commands out because how you edit your configuration file depends on what operating system you have and what ciphers your security team deems acceptable. Apparently, a cipher will have either MD5 or CBC in the name if it uses that type of encryption. I recommend that you confer with your security team about what ciphers they believe are sufficient, and therefore how to edit that file.
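One way to check the result of the edit-and-restart steps discussed in this thread, using the rule from the reply above that a weak algorithm has MD5 or CBC in its name. This is an added example, not part of the original posts or of Nagios XI; the function names and the sample settings are constructed, and it assumes input in the `keyword value` form that `sshd -T` prints.

```sh
#!/bin/sh
# Added example: flag weak SSH algorithms in `sshd -T`-style output.
# Rule taken from the thread: a name containing "cbc" or "md5" is weak.

# weak_algos: read "keyword value" lines on stdin and print one
# "keyword algorithm" line for every weak entry under ciphers or macs.
weak_algos() {
    awk '
        { key = tolower($1) }
        key == "ciphers" || key == "macs" {
            n = split($2, algo, ",")
            for (i = 1; i <= n; i++)
                if (tolower(algo[i]) ~ /cbc|md5/)
                    print key, algo[i]
        }'
}

# Constructed sample of effective settings (not captured from a real host).
sample_config() {
    cat <<'EOF'
port 22
ciphers aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc
macs hmac-sha2-256,hmac-md5,hmac-md5-96,hmac-sha1
EOF
}

# audit: list weak entries; return 0 when none are offered, 1 otherwise.
audit() {
    found=$(weak_algos)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Demo on the constructed sample.
# On a live host, as root, after restarting sshd:  sshd -T | audit
sample_config | audit || echo "weak algorithms still offered"
```

Because `sshd -T` prints the effective configuration, built-in defaults included, this also flags algorithms that no line in the configuration file mentions.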
Re: Change SSH negotiated ciphers to improve security
Thanks for the feedback, issue solved.
scottwilkerson
Re: Change SSH negotiated ciphers to improve security
rmazzei wrote: Thanks for the feedback, issue solved.
Great!
Locking thread