I am trying to get a clean bill of health on a new server from our Rapid7 scans.
Right now I am getting the following notifications:
Disable any MD5 or 96-bit HMAC algorithms within the SSH configuration
Insecure MAC algorithms in use: hmac-sha1-etm@openssh.com,hmac-sha1
Sure enough when I check it shows hmac-sha1 and hmac-sha1-etm@openssh.com are both in use.
[root@xxxxxxxxxxx sshd_config.d]# ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
This is a new Alma 9.2 server. It is running OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022.
I added a line to a couple of files. These are included from the /etc/ssh/ssh_config and /etc/ssh/sshd_config files.
/etc/ssh/ssh_config.d/70-rapid7.conf
MACs -md5,-hmac-sha1,hmac-sha1-96,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
/etc/ssh/sshd_config.d/70-rapid7.conf
MACs -md5,-hmac-sha1,hmac-sha1-96,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
There is a leading dash on the first two entries to specifically exclude them. Yet they are still being included somehow.
Any thoughts are welcome.
Thanks folks.
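Added example, not from the original post: a small Python model of how OpenSSH interprets the MACs directive (only the first character of the whole value is a modifier), run against the posted line and a corrected one. It assumes the upstream OpenSSH 8.7 default MAC list (a distribution crypto policy may substitute its own) and approximates OpenSSH's pattern matcher with fnmatch; the names POSTED, FIXED, resolve_macs and weak_macs are mine.

```python
import fnmatch

# Upstream OpenSSH 8.7 server default MAC list in preference order
# (assumption: no distribution crypto policy has replaced it on this host).
DEFAULT_MACS = [
    "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    "hmac-sha1-etm@openssh.com",
    "umac-64@openssh.com", "umac-128@openssh.com",
    "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1",
]

# The MACs value from the posted 70-rapid7.conf, verbatim.
POSTED = ("-md5,-hmac-sha1,hmac-sha1-96,hmac-sha1-96,hmac-sha2-256,"
          "hmac-sha2-512,umac-64@openssh.com,umac-128@openssh.com,"
          "hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
          "hmac-sha2-512-etm@openssh.com,umac-64-etm@openssh.com,"
          "umac-128-etm@openssh.com")

# Same intent written the way sshd expects: one leading '-' for the whole
# directive, followed only by glob patterns naming what to drop.
FIXED = "-hmac-sha1*,*md5*,*-96*"


def resolve_macs(spec, default=DEFAULT_MACS):
    """Model how ssh/sshd turn a MACs directive into the effective list.

    Only the first character of the entire value is a modifier:
      '-'  remove every default entry matching any comma-separated pattern
      '+'  append the named algorithms to the default list
      '^'  move the named algorithms to the head of the default list
    Otherwise the value is an explicit, exhaustive list.  A '-' on a later
    entry is plain text: "-hmac-sha1" matches nothing and removes nothing,
    so the posted line keeps exactly the SHA-1 MACs the scanner reported.
    """
    mode = spec[:1] if spec[:1] in ("+", "-", "^") else ""
    names = [n for n in spec[len(mode):].split(",") if n]
    if mode == "-":
        return [m for m in default
                if not any(fnmatch.fnmatchcase(m, p) for p in names)]
    if mode == "+":
        return list(default) + [n for n in names if n not in default]
    if mode == "^":
        return names + [m for m in default if m not in names]
    return names


def weak_macs(macs):
    """The classes the scan flags: MD5, 96-bit truncated and SHA-1 HMACs."""
    return [m for m in macs if "md5" in m or "-96" in m or "sha1" in m]
```

To see the real effective list on the server rather than this model, compare `sshd -T | grep -i macs` (the parsed server configuration) with `ssh -Q mac`, which only lists every MAC the binary supports.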