SSH
Having recently set up OpenVAS (something I will likely blog about in further detail soon), I have found out that the default out-of-the-box deployment of Aruba-OS (formerly ProCurve) supports a number of insecure SSH algorithms, with messages similar to the ones below logged even when running the latest firmware releases (YA.16.03.0004 on the 2530 series).
SSH Weak Encryption Algorithms Supported
The remote SSH server is configured to allow weak encryption algorithms.
and
SSH Weak MAC Algorithms Supported
The remote SSH server is configured to allow weak MD5 and/or 96-bit MAC algorithms.
To secure the switch, simply run the following commands while logged into the switch:
config
no ip ssh cipher aes128-cbc
no ip ssh cipher 3des-cbc
no ip ssh cipher aes192-cbc
no ip ssh cipher aes256-cbc
no ip ssh cipher rijndael-cbc@lysator.liu.se
no ip ssh cipher aes128-ctr
no ip ssh cipher aes192-ctr
no ip ssh mac hmac-md5
no ip ssh mac hmac-sha1-96
no ip ssh mac hmac-md5-96
write memory
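To confirm the change took effect, the check below parses a server's SSH_MSG_KEXINIT payload (RFC 4253) and flags the two findings the scanner reported: CBC ciphers and MD5 or 96-bit MACs. It is an added example, not part of the original post. The function names, the key-exchange and host-key names, and the assumption that aes256-ctr and hmac-sha1 remain enabled are illustrative, and both payloads are constructed rather than captured from a switch.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload (packet framing already removed) into its name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, offer = 17, {}  # skip the message-type byte and the 16-byte cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list")
        names = payload[pos:pos + length].decode("ascii")
        offer[field] = names.split(",") if names else []
        pos += length
    return offer

def weak_algorithms(offer: dict) -> dict:
    """Flag what the scanner reported: CBC ciphers, MD5 MACs and 96-bit MACs."""
    ciphers = set(offer["enc_c2s"]) | set(offer["enc_s2c"])
    macs = set(offer["mac_c2s"]) | set(offer["mac_s2c"])
    return {"cipher": sorted(c for c in ciphers if "-cbc" in c),
            "mac": sorted(m for m in macs if "md5" in m or m.endswith("-96"))}

def build_kexinit(ciphers, macs) -> bytes:
    """Build a constructed server KEXINIT payload (test data, not a capture)."""
    def name_list(names):
        joined = ",".join(names).encode("ascii")
        return struct.pack(">I", len(joined)) + joined
    lists = [["diffie-hellman-group14-sha1"], ["ssh-rsa"], ciphers, ciphers,
             macs, macs, ["none"], ["none"], [], []]
    # Trailing 5 zero bytes: first_kex_packet_follows (1) + reserved uint32 (4).
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + b"".join(map(name_list, lists)) + bytes(5)

# Constructed samples: names from the commands above; aes256-ctr and hmac-sha1 are assumed survivors.
CBC = ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc", "rijndael-cbc@lysator.liu.se"]
BEFORE = build_kexinit(CBC + ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
                       ["hmac-md5", "hmac-sha1-96", "hmac-md5-96", "hmac-sha1"])
AFTER = build_kexinit(["aes256-ctr"], ["hmac-sha1"])

if __name__ == "__main__":
    for label, payload in (("before", BEFORE), ("after", AFTER)):
        print(label, weak_algorithms(parse_kexinit(payload)))
```

An empty result for both keys means neither scanner finding applies to the offered algorithm lists.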
Ever wanted to jump right into an SSH session from an item that you’ve seen in the PRTG Enterprise Console? By setting up a Device Tool it's all too easy to do by just clicking on the device and pressing a function key on your keyboard.
Note that the Device Tool feature of the Enterprise Console can be used for a lot more than just setting up SSH sessions; for example, I have modified the out-of-the-box RDP connection to have a set height and width of the window, or you could configure another new Device Tool to start a remote PowerShell session from a key press.
Either way here’s how to set it up for SSH…