
SSH Weak Algorithm

Latest reply: Dec 5, 2021 12:41:58

Hello, everyone!

Today, I'd like to share with you a knowledge point. The details are as follows:


SSH Weak Algorithm is found for the SSH server. The remote SSH server is configured to use Arcfour stream cipher.


Arcfour stream cipher is known to have a weak algorithm.


Solution:

Remove Arcfour stream cipher through SSH by using PuTTY.


1. Log in to the SUSE Linux or Solaris OS as the issuer user through SSH by using PuTTY.


2. Run the following command to access the directory /opt/oss/server/base_service/sysguard/resource.

$ cd /opt/oss/server/base_service/sysguard/resource


3. Run the following command to modify the list of weak security algorithms:

$ python modifyWeakCipherAlgList.pyc


The command output is as follows:

Start modify configured Weak algorithms ......
System environment is :  linux

All mac_algorithms: 
1: hmac-md5-etm@openssh.com                
2: hmac-sha1-etm@openssh.com
3: umac-64-etm@openssh.com                 
4: umac-128-etm@openssh.com
5: hmac-sha2-256-etm@openssh.com        
6: hmac-sha2-512-etm@openssh.com
7: hmac-ripemd160-etm@openssh.com                
8: hmac-sha1-96-etm@openssh.com                 
9: hmac-md5-96-etm@openssh.com                  
10: hmac-md5                                     
11: hmac-sha1                                    
12: umac-64@openssh.com                          
13: umac-128@openssh.com                         
14: hmac-sha2-256                                
15: hmac-sha2-512                                
16: hmac-ripemd160                               
17: hmac-ripemd160@openssh.com                   
18: hmac-sha1-96                                 
19: hmac-md5-96                                  

All cipher_algorithms: 
1: aes128-cbc                                    
2: 3des-cbc                                     
3: blowfish-cbc                                  
4: cast128-cbc                                  
5: arcfour128                                    
6: arcfour256                                   
7: arcfour                                       
8: aes192-cbc                                   
9: aes256-cbc                                   
10: rijndael-cbc@lysator.liu.se                  
11: aes128-ctr                                   
12: aes192-ctr                                   
13: aes256-ctr                                   

All kex_algorithms: 
1: ecdh-sha2-nistp256                            
2: ecdh-sha2-nistp384                           
3: ecdh-sha2-nistp521                            
4: diffie-hellman-group-exchange-sha256         
5: diffie-hellman-group-exchange-sha1            
6: diffie-hellman-group14-sha1                  
7: diffie-hellman-group1-sha1 
                  
The currently configured weak mac_algorithms: 
1: hmac-md5    
2: hmac-md5-96    
3: hmac-sha1-96     
4: hmac-md5-etm@openssh.com     
5: hmac-sha1-etm@openssh.com     
6: hmac-md5-96-etm@openssh.com     
7: hmac-sha1-96-etm@openssh.com    

The currently configured weak cipher_algorithms:     
1: aes128-cbc     
3: blowfish-cbc     
2: 3des-cbc     
5: arcfour128     
4: cast128-cbc     
6: arcfour256 
8: aes192-cbc    
9: aes256-cbc     
10: rijndael-cbc@lysator.liu.se     

The currently configured weak kex_algorithms: 
5: diffie-hellman-group-exchange-sha1     
7: diffie-hellman-group1-sha1    
Input Y or y to modify configured weak mac_algorithms, otherwise,exit the modification of weak mac_algorithms.


4. Enter Y or y and press Enter to modify the Arcfour stream cipher weak algorithms. The command output is as follows:


Please input numbers of cipher_algorithms separated by a ',' .For example: +11,+12,-13
'+' indicates that the specified algorithm will be added, '-' indicates that the specified algorithm will be removed
:


(Enter the arcfour, arcfour128, arcfour256)


5. To clear the alarm in real-time, choose Administration > U2000 Guard from the main menu and click Check to clear the alarm.  

Otherwise, the U2000 will automatically clear the alarm in the next check period. 


The preceding process is simple. For details, see related documents.

I hope it will be helpful for you. Thank you!
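
A way to confirm the change from the network side, as an added example (not part of the original post and not U2000 code): it parses the algorithm name-lists of an SSH_MSG_KEXINIT payload as laid out in RFC 4253 section 7.1 and reports any names that the tool output above lists as weak, plus the Arcfour variants. The function names and the sample payload are constructed for illustration.

```python
# Names the tool output on this page lists as weak, plus the Arcfour variants.
WEAK = {
    "ciphers": set("arcfour arcfour128 arcfour256 aes128-cbc 3des-cbc blowfish-cbc "
                   "cast128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se".split()),
    "macs": set("hmac-md5 hmac-md5-96 hmac-sha1-96 hmac-md5-etm@openssh.com "
                "hmac-sha1-etm@openssh.com hmac-md5-96-etm@openssh.com "
                "hmac-sha1-96-etm@openssh.com".split()),
    "kex": {"diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"},
}
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "hostkey", "ciphers_c2s", "ciphers_s2c", "macs_c2s", "macs_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def build_kexinit(lists):
    # Encode ten name-lists as a KEXINIT payload (only used to construct samples).
    body = bytes([20]) + bytes(16)  # message type 20, then a 16-byte cookie
    for names in lists:
        s = ",".join(names).encode("ascii")
        body += len(s).to_bytes(4, "big") + s
    return body + b"\x00" + bytes(4)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    # Decode the ten name-lists, rejecting mistyped or truncated payloads.
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}
    for field in FIELDS:
        n = int.from_bytes(payload[off:off + 4], "big")
        if off + 4 + n > len(payload):
            raise ValueError("truncated name-list in " + field)
        raw = payload[off + 4:off + 4 + n].decode("ascii")
        out[field] = raw.split(",") if raw else []
        off += 4 + n
    return out

def weak_offered(parsed):
    # Map each KEXINIT field to the weak names it still advertises.
    hits = {}
    for field, names in parsed.items():
        bad = [n for n in names if n in WEAK.get(field.split("_")[0], ())]
        if bad:
            hits[field] = bad
    return hits

# Constructed sample: a server that still offers arcfour next to aes256-ctr.
SAMPLE = build_kexinit([["ecdh-sha2-nistp256"], ["ssh-rsa"],
                        ["aes256-ctr", "arcfour"], ["aes256-ctr", "arcfour"],
                        ["hmac-sha2-256"], ["hmac-sha2-256"], ["none"], ["none"], [], []])
print(weak_offered(parse_kexinit(SAMPLE)))
```

An empty result after the change means the server no longer advertises any of the listed names in either direction.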








Can it be executed using the U2000 client?

Posted by Jali at 2019-06-20 06:43: Can it be executed using the U2000 client?
No. This problem is to be handled from the server.

It's working well... thanks for sharing.

Very useful information. Thanks for sharing

Solve the case SR3516754!

Posted by asrul at 2019-09-19 06:32 Solve the case SR3516754!
Thank you!

GOOD