Having recently set up OpenVAS (something I will likely blog about in further detail soon), I have found out that the default out-of-the-box deployment of Aruba-OS (formerly ProCurve) supports a number of insecure SSH algorithms, with messages similar to the ones below logged even when running the latest firmware releases (YA.16.03.0004 on the 2530 series).
SSH Weak Encryption Algorithms Supported
The remote SSH server is configured to allow weak encryption algorithms.
SSH Weak MAC Algorithms Supported
The remote SSH server is configured to allow weak MD5 and/or 96-bit MAC algorithms.
To secure the switch, simply run the following commands while logged into the switch:
no ip ssh cipher aes128-cbc
no ip ssh cipher 3des-cbc
no ip ssh cipher aes192-cbc
no ip ssh cipher aes256-cbc
no ip ssh cipher rijndael-cbc@lysator.liu.se
no ip ssh cipher aes128-ctr
no ip ssh cipher aes192-ctr
no ip ssh mac hmac-md5
no ip ssh mac hmac-sha1-96
no ip ssh mac hmac-md5-96
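To confirm the change took effect without waiting for the next scan, the cipher and MAC lists the switch advertises can be read from its SSH_MSG_KEXINIT message. The following is an added example, not part of the original post: it parses a KEXINIT payload as laid out in RFC 4253 and reports any algorithm the commands above remove. The function names and both sample payloads are constructed for illustration, and capturing the payload from the wire is not shown.

```python
import struct

# The post removes every CBC cipher plus aes128-ctr and aes192-ctr,
# and the MD5 and 96-bit MACs that the scanner reported.
WEAK_CTR = {"aes128-ctr", "aes192-ctr"}
WEAK_MACS = {"hmac-md5", "hmac-sha1-96", "hmac-md5-96"}
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1)."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}          # skip message type byte and 16-byte cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        out[field] = raw.split(",") if raw else []
        pos += n
    return out

def still_weak(lists: dict) -> dict:
    """Return advertised algorithms (either direction) that the post disables."""
    ciphers = set(lists["enc_c2s"]) | set(lists["enc_s2c"])
    macs = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    return {"ciphers": sorted(c for c in ciphers if "-cbc" in c or c in WEAK_CTR),
            "macs": sorted(macs & WEAK_MACS)}

def build_kexinit(ciphers, macs) -> bytes:
    """Constructed sample: a KEXINIT payload offering the given ciphers and MACs."""
    lists = [["diffie-hellman-group14-sha1"], ["ssh-rsa"], ciphers, ciphers,
             macs, macs, ["none"], ["none"], [], []]
    body = b"".join(struct.pack(">I", len(s)) + s
                    for s in (",".join(l).encode("ascii") for l in lists))
    return bytes([20]) + bytes(16) + body + b"\x00" + struct.pack(">I", 0)

# Constructed samples, not captures from a real switch.
BEFORE = build_kexinit(["aes256-ctr", "aes128-cbc", "3des-cbc", "aes128-ctr"],
                       ["hmac-sha1", "hmac-md5", "hmac-sha1-96"])
AFTER = build_kexinit(["aes256-ctr"], ["hmac-sha1"])

if __name__ == "__main__":
    print("before:", still_weak(parse_kexinit(BEFORE)))
    print("after: ", still_weak(parse_kexinit(AFTER)))
```

An empty result for both keys means none of the algorithms flagged by the scan are still being offered.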
It’s that magical time of the year where…new network switches arrive! Given that the new Aruba branding has taken full control of what was ProCurve I thought I should post some photos of the new paintwork. Happy to say the colour black isn’t half bad!
Included in the images are
- J9729A 2920-48G-PoE+
- J9728A 2920-48G
- J9731A 2920 2-Port 10GbE SFP+ Module
- J9733A 2920 2-Port Stacking Module
- J9734A 2920 0.5m Stacking Cable