[漏洞修补]SSH Server CBC Mode Ciphers Enabled

1.nmap查看漏洞

nmap --script ssh2-enum-algos -sV -p 22 <目标IP>

[root@Test nessus]# nmap --script ssh2-enum-algos -sV -p 22 10.1.16.19
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-10 11:47 CST
Host is up (0.00015s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (12)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512

2. 漏洞修复

echo "Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com" >> /etc/ssh/sshd_config \
&& systemctl restart sshd

3. 检查漏洞

ssh -vv -oCiphers=aes128-cbc,3des-cbc,blowfish-cbc 10.1.16.19
Unable to negotiate with 10.1.16.19 port 22: no matching cipher found. Their offer: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

END