[Nessus] SSH Diffie-Hellman Modulus 1024 Bits (Logjam)
Enviado: 17 Fev 2016 20:42
Description
The remote SSH server allows connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits.
Through cryptanalysis, a third party can find the shared secret in a short amount of time (depending on modulus size and attacker resources).
This allows an attacker to recover the plaintext or potentially violate the integrity of connections.
Solution
Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater.
Válido somente para CentOS e Red Hat Linux versões 6 e 7
Versão 5 não recebeu suporte a este incidente, recomendação é upgrade de versão do SO
https://access.redhat.com/articles/1456263
Resolução do problema base CentOS / Red Hat Linux
Editar: /etc/ssh/sshd_config e adicionar:
The remote SSH server allows connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits.
Through cryptanalysis, a third party can find the shared secret in a short amount of time (depending on modulus size and attacker resources).
This allows an attacker to recover the plaintext or potentially violate the integrity of connections.
Solution
Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater.
Válido somente para CentOS e Red Hat Linux versões 6 e 7
Versão 5 não recebeu suporte a este incidente, recomendação é upgrade de versão do SO
https://access.redhat.com/articles/1456263
Resolução do problema base CentOS / Red Hat Linux
Código: Selecionar todos
cp /etc/ssh/moduli /etc/ssh/moduli.backup
awk '$5 > 2000' /etc/ssh/moduli > /usr/src/moduli
mv /usr/src/moduli /etc/ssh/moduliCódigo: Selecionar todos
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256Código: Selecionar todos
/etc/init.d/sshd reload
/etc/init.d/sshd restart