I conducted a vulnerability check of servers managed by Nessus.
As a result, a vulnerability was found in the configuration of the SSH server. The contents are as follows.
Description
Nessus has detected that the remote SSH server is configured to use the Arcfour stream cipher or no cipher at all. RFC 4253 advises against using Arcfour due to an issue with weak keys.
Solution
Contact the vendor or consult product documentation to remove the weak ciphers.
See Also
https://tools.ietf.org/html/rfc4253#section-6.3
I made the following changes to the SSH service settings.
$ ssh -Q mac | awk 'BEGIN{printf "MACs "};(!/cbc/ && !/md/ && !/sha1/ && !/rc4/ && !/arcfour/){printf "%s,",$0};END{printf "\n"}' | sed -e 's/,$//g'
MACs hmac-sha2-256,hmac-sha2-512,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
$ ssh -Q cipher | awk 'BEGIN{printf "Ciphers "};(!/cbc/&&!/rc4/&&!/arcfour/){printf "%s,",$0};END{printf "\n"}' | sed -e 's/,$//g'
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
The strings output by the commands are reflected in the following files.
/etc/ssh/sshd_config
/etc/ssh/ssh_config
$ sudo service sshd restart
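After the restart, the effective configuration can be checked to confirm that no weak algorithm remains. The following is an added example, not part of the original post: it scans `sshd -T` style output with the same exclusion patterns as the commands above (plus `none` for ciphers, per the Nessus description). The function names `weak_algos` and `sample_before` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: report weak Ciphers/MACs found in `sshd -T` style output.
# Reads "ciphers a,b,c" / "macs x,y,z" lines from stdin and prints one
# "key: algorithm" line per weak entry. Prints nothing if the config is clean.
weak_algos() {
    awk '
        {
            key = tolower($1)
            # Same patterns as the ssh -Q filters used to build the lists.
            if (key == "ciphers")   pat = "cbc|rc4|arcfour|^none$"
            else if (key == "macs") pat = "cbc|md|sha1|rc4|arcfour"
            else next
            n = split($2, algo, ",")
            for (i = 1; i <= n; i++)
                if (algo[i] ~ pat) print key ": " algo[i]
        }'
}

# Constructed sample resembling `sshd -T` output before the fix.
sample_before() {
    cat <<'EOF'
port 22
ciphers aes128-ctr,arcfour256,aes128-cbc,chacha20-poly1305@openssh.com
macs hmac-md5,hmac-sha1,hmac-sha2-256,umac-64@openssh.com
EOF
}

# Demonstration on the constructed sample.
sample_before | weak_algos
```

On a real host, pipe the server's effective settings into the function with `sudo sshd -T | weak_algos`; for the client side configured in /etc/ssh/ssh_config, `ssh -G <host> | weak_algos` does the same.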