CentOS 7 에서 OpenSSH 취약점 (취약한 알고리즘) 조치 방법
[ 취약한 알고리즘 ]
Running SSH serviceInsecure CBC ciphers in use: aes128-cbc,aes192-cbc,blowfish-cbc,cast128-cbc,aes256-cbc
Running SSH serviceInsecure 3DES ciphers in use: 3des-cbc
Running SSH serviceInsecure key exchange in use: diffie-hellman-group1-sha1
Running SSH serviceInsecure key exchange algorithms in use: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Running SSH serviceInsecure MAC algorithms in use: umac-64-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,hmac-sha1
[ 현재 허용된 알고리즘 확인 ]
아래와 같은 명령어로 확인이 가능합니다.
(명령)
# sshd -T | grep "\(^ciphers\|^macs\|^kexalgorithms\)"
(결과)
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[ 설정 변경 및 적용 ]
설정 파일을 열어 아래 내용 삽입 (또는 수정) 후 sshd 데몬을 재시작 합니다.
기본 옵션으로 모두 허용되어 있으므로 위 출력 결과에서 사용하지 않을 알고리즘만 제거하고 입력하였습니다.
# vi /etc/ssh/sshd_config
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
# service sshd restart
[ 변경된 알고리즘 재확인 ]
(명령)
# sshd -T | grep "\(^ciphers\|^macs\|^kexalgorithms\)"
(결과)
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
'리눅스 > OS 일반' 카테고리의 다른 글
| 오류: repo 'appstream'의 메타 데이터를 다운로드하지 못했습니다: Cannot prepare internal mirrorlist: No URLs in mirrorlist (0) | 2022.04.12 |
|---|---|
| 리눅스 PC (Ubuntu 24.04) 보안 설정 (0) | 2022.04.04 |
| Ubuntu 18.10 싱글모드 (복구모드) 진입 & 계정 잠김 해제 (0) | 2022.03.17 |
| OpenSSL 업그레이드 (소스 설치 / 1.0.1k to 1.1.1o in CentOS 7) 및 APM 적용하기 (0) | 2021.12.07 |
| 지원 종료된 CentOS 6 저장소 (Repository) 변경하기 (0) | 2021.11.25 |
