Description
After upgrading to 5.2.5, /etc/ssh/sshd_config restricts the ciphers, MACs and key exchange algorithms that sshd will negotiate. SSH clients that support none of the listed algorithms can no longer connect and must be updated (or the server configuration relaxed, see the workaround below).
Scope
FortiSIEM 5.2.5+
Solution
The SSH algorithm restrictions shipped in /etc/ssh/sshd_config from 5.2.5 onward are (ciphers, MACs and key exchange algorithms, not only ciphers):
#ciphers
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
Check whether your SSH client supports at least one algorithm from each of the three lists. SSH negotiation must agree on a cipher, a MAC and a key exchange method; a client that lacks a match in any one of the three is rejected.
To confirm that a failed connection is caused by the algorithm restriction:
1 - log into the FortiSIEM supervisor, worker or collector node locally (console access)
2 - cd /var/log/
3 - review the "secure" log, where sshd records authentication and negotiation failures
Look for lines stating that no matching cipher, MAC or key exchange method was found. Each line lists what the client offered and what the server accepts:
Example log:
no matching mac found: client hmac-md5-96 server umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Updating the SSH client to a version that supports the algorithms above is the recommended fix.
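As an added example (not part of the original article or of FortiSIEM itself), the shell snippet below triages the "no matching ... found" lines from the "secure" log: it extracts, for each failure, what the client offered and what the server accepts, confirms that the two lists are disjoint, and, with the client_offers helper, compares the server list against what the local OpenSSH client can negotiate. The log lines in SAMPLE_LOG are constructed in sshd's format for illustration; hostnames, PIDs and addresses are made up. client_offers relies on "ssh -Q", which exists in OpenSSH 6.3 and later; an older client prints nothing there, which is itself the symptom this article describes.

```shell
#!/bin/sh
# Added example: triage SSH algorithm-negotiation failures logged by sshd in /var/log/secure
# on a FortiSIEM 5.2.5+ node. The log text below is a constructed sample, not captured output.
SAMPLE_LOG='Jan  1 10:00:00 fsm-super sshd[1234]: fatal: no matching mac found: client hmac-md5-96 server hmac-sha2-256,hmac-sha2-512 [preauth]
Jan  1 10:00:05 fsm-super sshd[1240]: fatal: no matching cipher found: client aes128-cbc,3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr [preauth]
Jan  1 10:00:07 fsm-super sshd[1247]: fatal: no matching key exchange method found: client diffie-hellman-group1-sha1 server ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 [preauth]
Jan  1 10:00:09 fsm-super sshd[1251]: Accepted publickey for admin from 10.0.0.5 port 50000 ssh2'

# mismatches LOGTEXT: print one "kind|client_list|server_list" record per negotiation failure,
# e.g. "mac|hmac-md5-96|hmac-sha2-256,hmac-sha2-512". Lines without a failure are dropped.
mismatches() {
  printf '%s\n' "$1" |
    sed -n 's/.*no matching \(.*\) found: client \([^ ]*\) server \([^ ]*\).*/\1|\2|\3/p'
}

# common_algos CLIENT_LIST SERVER_LIST: print the comma-separated algorithms present in both
# lists (in client order), or nothing when they are disjoint, which is exactly what sshd logged.
common_algos() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, ca, ","); m = split(b, sa, ",")
    for (i = 1; i <= m; i++) have[sa[i]] = 1
    out = ""
    for (i = 1; i <= n; i++) if (ca[i] in have) out = out (out == "" ? "" : ",") ca[i]
    print out
  }'
}

# client_offers KIND: algorithms the *local* OpenSSH client supports; KIND is cipher, mac or kex.
# "ssh -Q" exists in OpenSSH 6.3+; an older client prints nothing here.
client_offers() { ssh -Q "$1" 2>/dev/null | tr '\n' ',' | sed 's/,$//'; }

# report LOGTEXT: for each failure, show both sides and whether this host's ssh would succeed
# against the server's list (useful when debugging from a jump host with a newer client).
report() {
  mismatches "$1" | while IFS='|' read -r kind client server; do
    echo "$kind mismatch: client offered [$client], server accepts [$server]"
    case $kind in
      cipher) q=cipher ;;
      mac)    q=mac ;;
      *)      q=kex ;;   # "key exchange method" in the log maps to ssh -Q kex
    esac
    ok=$(common_algos "$(client_offers "$q")" "$server")
    if [ -n "$ok" ]; then
      echo "  this host's ssh client would negotiate: $ok"
    else
      echo "  this host's ssh client shares no $kind with the server either (or predates OpenSSH 6.3)"
    fi
  done
}
```

On a node, run it against the real log with: report "$(grep 'no matching' /var/log/secure)". An empty result from common_algos for a given failure is the confirmation that the client, not the network or credentials, is the problem; the client list in the same record tells you exactly which algorithm an updated client must add.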
Workaround:
1 - log into the supervisor / worker / collector node of FortiSIEM locally
2 - edit /etc/ssh/sshd_config
3 - remove the following lines:
#ciphers
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
NOTE: removing these lines reverts sshd to its built-in default algorithm lists, which accept weaker algorithms; that is what lets the old client connect again, and it weakens SSH on the node. Understand this risk before making the modification. Where possible, append only the specific algorithm the failing client offers (as shown in the "secure" log) to the relevant line instead of removing the whole line.
4 - save the config and check that sshd still accepts it: /usr/sbin/sshd -t (no output means the file parsed cleanly; a bad algorithm name or typo is reported here instead of locking you out after the restart)
5 - service sshd restart
6 - attempt to ssh into the FortiSIEM node remotely.
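As an added example (not part of the original article or of FortiSIEM itself), the following shell snippet applies the narrower form of the workaround: instead of deleting the three lines and falling back to sshd's defaults, it appends a single named algorithm to one of the Ciphers/MACs/KexAlgorithms lines, backs the file up first, and refuses to restart sshd unless "sshd -t" accepts the new file. SSHD_CONF_SAMPLE is a constructed copy of the three lines quoted above, used so the editing function can be exercised on a temporary file. The apply_workaround function, its backup naming, and the choice of hmac-sha1 in the usage note are illustrative assumptions; pick the algorithm the failing client actually offers in the log.

```shell
#!/bin/sh
# Added example: relax one sshd algorithm list by a single entry instead of deleting the whole
# restriction. Constructed copy of the lines FortiSIEM 5.2.5+ ships in /etc/ssh/sshd_config:
SSHD_CONF_SAMPLE='#ciphers
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256'

# append_algo FILE KEYWORD ALGO: add ALGO to the end of the KEYWORD line (Ciphers, MACs or
# KexAlgorithms) unless it is already present. Other lines are copied through unchanged.
# Assumes the keyword line is "KEYWORD list", as shipped, with nothing after the list.
append_algo() {
  file=$1 key=$2 algo=$3
  awk -v key="$key" -v algo="$algo" '
    $1 == key {
      n = split($2, list, ",")
      for (i = 1; i <= n; i++) if (list[i] == algo) { print; next }   # already there: idempotent
      print key " " $2 "," algo
      next
    }
    { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# show_algos FILE KEYWORD: print the algorithm list currently configured for KEYWORD.
show_algos() { awk -v key="$2" '$1 == key { print $2 }' "$1"; }

# apply_workaround CONF KEYWORD ALGO: back up CONF, append ALGO, validate with sshd -t and only
# then restart. Run as root on the node. sshd -t fails on unknown algorithm names as well as
# syntax errors, so a typo is caught before the restart rather than after it.
apply_workaround() {
  conf=${1:-/etc/ssh/sshd_config} key=$2 algo=$3
  bak="$conf.bak.$(date +%Y%m%d%H%M%S)"   # illustrative backup naming
  cp -p "$conf" "$bak" || return 1
  append_algo "$conf" "$key" "$algo"
  if ! /usr/sbin/sshd -t -f "$conf"; then
    echo "sshd rejected the new config, restoring $bak" >&2
    cp -p "$bak" "$conf"
    return 1
  fi
  echo "$key now: $(show_algos "$conf" "$key")"
  service sshd restart
}
```

Example use on the node: apply_workaround /etc/ssh/sshd_config MACs hmac-sha1 adds hmac-sha1 to the MACs line and leaves the Ciphers and KexAlgorithms lines exactly as shipped, so the exposure is one legacy MAC rather than the entire default set. Keep a console session open while doing this, and remove the added algorithm again once the client has been updated.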