Change SSH negotiated ciphers to improve security

Posted: Wed May 06, 2020 7:50 pm
by rmazzei
Currently the ssh sessions are being established using weak configurations such as hmac-md5 and CBC ciphers. How can I improve security by disabling this setting on the box and force the use of more secure ciphers such as AES and 3DES? I use the standard Nagios XI OVA based on VMware.

Re: Change SSH negotiated ciphers to improve security

Posted: Thu May 07, 2020 10:47 am
by jbrunkow
There is not currently a feature that allows you to choose a different type of encryption for terminal connections within the XI interface. You could, however, disable the terminal included in XI, then change the type of encryption used for your secure shell using whatever utilities exist natively in your operating system.

To disable the terminal...
The link in the Nagios XI web interface is generated from the /usr/local/nagiosxi/html/admin/ajaxterm.php file, and the rest of the ajaxterm files are listed under /usr/local/nagios/share/ajaxterm. If you want to remove the functionality, then those files can either be deleted or moved to the /tmp directory for safekeeping. Bear in mind they will need to be removed again on any updates as our update script essentially re-installs all the core files.
from= https://support.nagios.com/forum/viewto ... =6&t=29894

Are you using the CentOS 7 OVA? If so, I believe you may want to perform something like the following steps to force certain ciphers.
1. Edit the configuration file

Code:
vi /etc/ssh/sshd_config

2. Restart SSH service.

Code:
service sshd restart

Does that help? Please let me know if you have any more questions.

Re: Change SSH negotiated ciphers to improve security

Posted: Thu May 07, 2020 3:57 pm
by rmazzei
Hi jbrunkow,

This is the OVA I use. In fact, I think you missed some commands, because I would like to know exactly what modifications I need to make in sshd_config and ssh_config in order to use only strong ciphers and avoid the MD5 and CBC configured.

Thanks.

Re: Change SSH negotiated ciphers to improve security

Posted: Fri May 08, 2020 10:09 am
by jbrunkow
Yes, I left some commands out because how you edit your configuration file depends on what operating system you have and what ciphers your security team deems acceptable. Apparently, a cipher will have either MD5 or CBC in the name if it uses that type of encryption. I recommend that you confer with your security team about what ciphers they believe are sufficient, and therefore how to edit that file.
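
Added example (not part of the original posts, and not Nagios code): a check that applies the naming rule mentioned above to the effective server settings that `sshd -T` prints, flagging any entry of the `ciphers` line containing "cbc" and any entry of the `macs` line containing "md5". The function name and both sample algorithm lists are constructed for illustration; which algorithms to allow remains a decision for your security team.

```shell
#!/bin/sh
# Reads "keyword value[,value...]" lines on stdin (the format `sshd -T` prints)
# and writes one "keyword:algorithm" line for every CBC cipher or MD5 MAC found.
# weak_algos is a hypothetical helper name, not an OpenSSH or Nagios tool.
weak_algos() {
    awk '
        { key = tolower($1) }
        key == "ciphers" || key == "macs" {
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++) {
                a = tolower(algs[i])
                if ((key == "ciphers" && a ~ /cbc/) ||
                    (key == "macs" && a ~ /md5/))
                    print key ":" algs[i]
            }
        }
    '
}

# Constructed sample: effective settings before the Ciphers/MACs lines
# in /etc/ssh/sshd_config were restricted.
sample_before() {
cat <<'EOF'
port 22
ciphers aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc
macs hmac-sha2-256,hmac-md5,hmac-md5-96,hmac-sha2-512
EOF
}

# Constructed sample: effective settings after the edit and an sshd restart.
sample_after() {
cat <<'EOF'
port 22
ciphers aes128-ctr,aes192-ctr,aes256-ctr
macs hmac-sha2-256,hmac-sha2-512
EOF
}

echo "Flagged before the change:"
sample_before | weak_algos
echo "Flagged after the change (empty means none left):"
sample_after | weak_algos

# On a live host, run as root after restarting sshd:
#   sshd -T | weak_algos
```

Note that 3des-cbc is flagged as well, since it is a CBC-mode cipher.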

Re: Change SSH negotiated ciphers to improve security

Posted: Wed May 13, 2020 4:59 am
by rmazzei
Thanks for the feedback, issue solved.

Re: Change SSH negotiated ciphers to improve security

Posted: Wed May 13, 2020 7:26 am
by scottwilkerson
rmazzei wrote: Thanks for the feedback, issue solved.
Great!

Locking thread