Page MenuHomePhabricator

Remove unsecure SSH algorithms on network devices
Closed, ResolvedPublic

Description

Forked from T167966

I've been playing with https://github.com/mozilla/ssh_scan on both servers and network devices.
It's possible to use different rules (modern/intermediate) depending on the OpenSSH version. Wich can also be tuned to ignore configuration items we can't do without (eg. keyboard-interactive for 2FA).
More details and guidelines on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
Depending on that it outputs a grade and recommendations.

For network devices, I used mr1-ulsfo as a test host, here is the "before" scan, using the "intermediate" profile:

"compliance": {
  "policy": "Mozilla Intermediate",
  "compliant": false,
  "recommendations": [
    "Remove these key exchange algorithms: curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1",
    "Remove these MAC algorithms: hmac-md5-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-ripemd160-etm@openssh.com, hmac-sha1-96-etm@openssh.com, hmac-md5-96-etm@openssh.com, hmac-md5, hmac-sha1, umac-64@openssh.com, umac-128@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96",
    "Remove these encryption ciphers: arcfour256, arcfour128, chacha20-poly1305@openssh.com, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se",
    "Remove these authentication methods: password, keyboard-interactive"
  ],
  "references": [
    "https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
  ],
  "grade": "F"
},

And after pushing the following changes:

set system services ssh macs [ hmac-sha2-256 hmac-sha2-512 ]
set system services ssh key-exchange [ group-exchange-sha2 ]
set system services ssh ciphers [ aes128-ctr aes192-ctr aes256-ctr ]
set system services ssh hostkey-algorithm no-ssh-dss

The output of the same scan:

"compliance": {
   "policy": "Mozilla Intermediate",
   "compliant": false,
   "recommendations": [
     "Remove these authentication methods: password, keyboard-interactive"
   ],
   "references": [
     "https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
   ],
   "grade": "B"
 },

Creating a custom policy (allowing password and keyboard-interactive, as it's not possible to remove them) returns ""compliant": true, and "grade": "A".
I also confirmed that I can still properly SSH to the device.
You can also compare the output of https://sshcheck.com/server/mr1-ulsfo.wikimedia.org/22 with any other mr* router.

So I suggest we push that change to all the Juniper devices.

Event Timeline

ayounsi created this task.Jul 12 2017, 6:07 AM
Restricted Application added a project: Operations. · View Herald TranscriptJul 12 2017, 6:07 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
ayounsi moved this task from Backlog to Configuration on the netops board.Jul 12 2017, 7:18 PM

Mentioned in SAL (#wikimedia-operations) [2017-07-13T06:14:52Z] <XioNoX> restricting ssh algorithms on network devices - T170369

ayounsi closed this task as Resolved.Jul 13 2017, 6:51 AM

Pushed to all network devices. We can revisit the automated scans at a later date (or a common network/systems goal).