Weak SSH algorithms


Weak SSH algorithms

Postby Ben_PDX » Tue Nov 08, 2016 9:15 pm

We are using Wing FTP version 4.7.8. We recently had a security audit that dinged us on some weak SSH algorithms. Specifically, they called out the Cipher Block Chaining (CBC) mode encryption algorithms:
- aes256-cbc
- aes192-cbc
- aes128-cbc
- blowfish-cbc
- 3des-cbc
- des-cbc-ssh1

The security audit also complained about:
- hmac-sha1

Is there any way to disable these weaker algorithms in Wing FTP?
Ben_PDX
 
posts 2
 
joined Tue Nov 08, 2016 9:12 pm

Re: Weak SSH algorithms

Postby FTP » Wed Nov 09, 2016 3:45 am

OK, please enable the option "Server -> Settings -> General Settings -> Enable FIPS 140-2 mode", then Wing FTP Server will use the algorithms which are approved by the FIPS group (only strong encryption ciphers are allowed).
FTP
Site Admin
 
posts 1514
 
joined Tue Sep 29, 2009 6:09 am

Re: Weak SSH algorithms

Postby Ben_PDX » Mon Dec 05, 2016 11:05 pm

I have the "Enable FIPS 140-2 Mode" checkbox checked, but I still see those weak ciphers.

If I run the command:

nmap --script ssh2-enum-algos <servername> -p22

I get:

PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms (4)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms (1)
|       ssh-rsa
|   encryption_algorithms (9)
|       aes256-ctr
|       aes192-ctr
|       aes128-ctr
|       aes256-cbc
|       aes192-cbc
|       aes128-cbc
|       blowfish-cbc
|       3des-cbc
|       des-cbc-ssh1
|   mac_algorithms (3)
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms (1)
|_      none
Ben_PDX
 
posts 2
 
joined Tue Nov 08, 2016 9:12 pm

Re: Weak SSH algorithms

Postby FTP » Tue Dec 06, 2016 3:47 am

OK, it is designed to be compatible with some SFTP clients, and there is no need to worry about SFTP security, because the stronger algorithm has higher priority, so your SFTP client will choose the strongest algorithm if it supports that algorithm.
FTP
Site Admin
 
posts 1514
 
joined Tue Sep 29, 2009 6:09 am
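The negotiation rule behind the reply above, as an added example that is not code from Wing FTP or from anyone in this thread: RFC 4253 section 7.1 specifies that the cipher used is the first name in the client's list that the server also offers, so the side whose ordering decides is the client, not the server. The server list below is the one reported by nmap earlier in the thread; the client preference lists and the "hardened" server list are constructed for illustration.

```python
from typing import List, Optional


def negotiate(client_prefs: List[str], server_prefs: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: for ciphers and MACs the chosen algorithm is the first
    name in the CLIENT's list that also appears in the server's list. The order
    in which the server lists its algorithms does not override the client's choice."""
    offered = set(server_prefs)
    for alg in client_prefs:
        if alg in offered:
            return alg
    return None  # no algorithm in common: the connection fails


# Server cipher list exactly as reported by ssh2-enum-algos in this thread
# (CTR modes listed first, CBC modes still offered after them).
SERVER_AS_REPORTED = ["aes256-ctr", "aes192-ctr", "aes128-ctr",
                      "aes256-cbc", "aes192-cbc", "aes128-cbc",
                      "blowfish-cbc", "3des-cbc", "des-cbc-ssh1"]

# Constructed: the same server with CBC ciphers genuinely removed.
SERVER_HARDENED = ["aes256-ctr", "aes192-ctr", "aes128-ctr"]

# Constructed client preference lists (assumptions for illustration only).
MODERN_CLIENT = ["aes256-ctr", "aes128-ctr", "aes256-cbc"]
LEGACY_CLIENT = ["aes128-cbc", "3des-cbc", "aes128-ctr"]
CBC_ONLY_CLIENT = ["aes128-cbc", "3des-cbc"]


def demo() -> dict:
    """Run the four combinations that matter for the discussion above."""
    return {
        "modern_vs_reported": negotiate(MODERN_CLIENT, SERVER_AS_REPORTED),
        "legacy_vs_reported": negotiate(LEGACY_CLIENT, SERVER_AS_REPORTED),
        "legacy_vs_hardened": negotiate(LEGACY_CLIENT, SERVER_HARDENED),
        "cbc_only_vs_hardened": negotiate(CBC_ONLY_CLIENT, SERVER_HARDENED),
    }


if __name__ == "__main__":
    for case, chosen in demo().items():
        print(f"{case:22s} -> {chosen or 'no common cipher, connection fails'}")
```

A client that prefers CTR gets aes256-ctr from the reported server, but a client that lists CBC first gets aes128-cbc from the very same server, because the server merely lists CTR first without refusing CBC. Only the hardened list forces the legacy client down to its CTR entry and rejects the CBC-only client outright, which is the behaviour a compliance audit is asking for.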

Re: Weak SSH algorithms

Postby drewcipher » Fri Aug 11, 2017 10:24 pm

For compliance, we need the weaker ciphers disabled. I understand the client may negotiate high but the risk is related to weaker ciphers being available. How can we remove / disable? It seems like the UI solution recommended here doesn't affect the actual cipher list.
drewcipher
 
posts 2
 
joined Wed Mar 16, 2016 1:08 am

Re: Weak SSH algorithms

Postby FTP » Sun Aug 13, 2017 4:14 pm

OK, you can specify the customized SFTP algorithms under "Server > Settings > General Settings > Security".
FTP
Site Admin
 
posts 1514
 
joined Tue Sep 29, 2009 6:09 am

Re: Weak SSH algorithms

Postby drewcipher » Mon Aug 14, 2017 10:14 pm

Hello FTP,

I believe we've done this. This is what we have listed in "Server > Settings > General Settings > Security > SFTP Encryption Algorithms" section:
aes256-ctr,aes192-ctr,aes128-ctr,des-cbc-ssh1

I restarted the services and the server but when I test, these are still available:
3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, blowfish-cbc

v4.9.2 on Windows Server 2012

Thanks in advance for your help.
drewcipher
 
posts 2
 
joined Wed Mar 16, 2016 1:08 am
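A way to turn the nmap ssh2-enum-algos output shown earlier in the thread into an audit finding, and to compare what the server actually offers against the algorithm list configured in Wing FTP's settings as in the post above. This is an added example, not code from Wing FTP, nmap or anyone in this thread; the sample output is a constructed copy of the thread's nmap listing, and the weak-algorithm rules are an assumed baseline (CBC and legacy ciphers, SHA-1/MD5 MACs, the 1024-bit group1 key exchange), not the auditor's exact policy.

```python
import re
from typing import Dict, List

# Constructed sample: the ssh2-enum-algos output as it appears in the thread.
SAMPLE_NMAP_OUTPUT = """\
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms (4)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms (1)
|       ssh-rsa
|   encryption_algorithms (9)
|       aes256-ctr
|       aes192-ctr
|       aes128-ctr
|       aes256-cbc
|       aes192-cbc
|       aes128-cbc
|       blowfish-cbc
|       3des-cbc
|       des-cbc-ssh1
|   mac_algorithms (3)
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms (1)
|_      none
"""

# Assumed audit baseline (an assumption for this example, not the auditor's list).
WEAK_RULES = {
    "encryption_algorithms": re.compile(r"-cbc$|^3des|^des-|^blowfish|^arcfour|^rc4", re.I),
    "mac_algorithms": re.compile(r"^hmac-(sha1|md5)(-96)?$", re.I),
    "kex_algorithms": re.compile(r"^diffie-hellman-group1-sha1$", re.I),
}

# "|   kex_algorithms (4)" opens a category; "|       aes256-ctr" / "|_      none" are entries.
_CATEGORY = re.compile(r"^\|\s+(\w+)\s+\(\d+\)\s*$")
_ENTRY = re.compile(r"^\|_?\s+(\S+)\s*$")


def parse_enum_algos(text: str) -> Dict[str, List[str]]:
    """Turn ssh2-enum-algos output into {category: [algorithm, ...]} in server order."""
    algos: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = _CATEGORY.match(line)
        if m:
            current = m.group(1)
            algos[current] = []
            continue
        m = _ENTRY.match(line)
        if m and current is not None:
            algos[current].append(m.group(1))
    return algos


def find_weak(algos: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return, per category, the offered algorithms that match the weak rules."""
    weak: Dict[str, List[str]] = {}
    for category, rule in WEAK_RULES.items():
        hits = [a for a in algos.get(category, []) if rule.search(a)]
        if hits:
            weak[category] = hits
    return weak


def not_in_allowlist(observed: List[str], configured: str) -> List[str]:
    """Algorithms the server offers that are absent from a comma-separated
    allow-list such as the one entered in the Wing FTP security settings."""
    allowed = {a.strip() for a in configured.split(",") if a.strip()}
    return [a for a in observed if a not in allowed]


if __name__ == "__main__":
    algos = parse_enum_algos(SAMPLE_NMAP_OUTPUT)
    for category, hits in find_weak(algos).items():
        print(f"WEAK {category}: {', '.join(hits)}")
    configured = "aes256-ctr,aes192-ctr,aes128-ctr,des-cbc-ssh1"  # the list from the post above
    extra = not_in_allowlist(algos["encryption_algorithms"], configured)
    print("offered but not configured:", ", ".join(extra) or "none")
```

Running the script against the configured list from the post prints the five CBC ciphers the poster still sees, which is the quickest way to confirm from the outside whether a settings change has actually taken effect: re-run the nmap script after each restart and diff the result against the allow-list rather than trusting the UI.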

