Last active
October 17, 2015 01:49
-
-
Save clyang/1a11fc914467a29240d9 to your computer and use it in GitHub Desktop.
貼心小提醒, 強化ssh設定來避開Logjam攻擊
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *** Nginx / Apache / IIS / Tomcat / Postfix / Sendmail / Dovecot / HAProxy使用者請參考 https://weakdh.org/sysadmin.html *** | |
| *** 這邊有現成的tool可以掃 .. https://github.com/GDSSecurity/SSH-Weak-DH *** | |
| 這兩天很紅的weak DH的Logjam攻擊也是會影響到ssh key exchange的, 最簡單的解法就是強迫自己的client不用prime-field Diffie-Hellman的key exchange algorithm. | |
| 在 .ssh/config 中加上下面設定即可: | |
| Host * | |
| KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256 # 如果你要連到很古老的機器, 那可以多加一個 diffie-hellman-group14-sha1 | |
| 自己有server也可以在 /etc/ssh/config中加上 `KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256` 然後restart ssh server | |
| Windows user使用putty的話, 請把 `Diffie-Hellman group exchange` 跟 `Diffie-Hellman group 1` 移到 `— warn below here —` 下方, Make sure `group 14` 是在最上方! http://marc.terrier.free.fr/docputty/PuTTY-Configuration-XP-Kex.png |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment