PCI Vulnerability - Logjam - SSH

SJR

Active Member
Jan 2, 2017
USA
cPanel Access Level
Website Owner
Recent PCI scan is failing due to:

"The remote host allows SSH connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits."

Vulnerability:
"The SSH server is vulnerable to the Logjam attack because : It supports diffie-hellman-group1-sha1 key exchange."

Solution:
"Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater."

I need help on how to resolve this issue. I need to keep SSH access.

Any thoughts?

Thanks much.
 

rpvw

Well-Known Member
Jul 18, 2013
UK
cPanel Access Level
Root Administrator
See if this helps

Hello,

Here's a response from one of our technical analysts on a recent support ticket regarding this vulnerability:

I would recommend, at a minimum, upgrading to Apache 2.4. It appears that by default, Apache 2.4.7 and above do not serve Diffie-Hellman parameters smaller than 2048 bits:

mod_ssl - Apache HTTP Server Version 2.4

Additionally, you could also generate the custom Diffie-Hellman parameters and provide them directly to OpenSSL globally by adding the directive suggested by the Logjam site you linked to:

SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"

in one of the Apache includes, which can be edited through WHM:

Include Editor - Documentation - cPanel Documentation


Thank you.
 

SJR

Active Member
Jan 2, 2017
USA
cPanel Access Level
Website Owner
Thank you rpvw. I am currently using the latest version, Apache 2.4.27, but I 'think' your suggestion controls SSL, not the SSH service.
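As an added example, not taken from this thread or from cPanel, here is a POSIX shell snippet a root administrator could adapt to audit the two things the scan finding names for SSH rather than Apache: the Diffie-Hellman groups in the OpenSSH moduli file and a `KexAlgorithms` value that still lists `diffie-hellman-group1-sha1`. The sample moduli lines are constructed (placeholder modulus column), and the real-host commands in the trailing comments assume the standard `/etc/ssh` paths.

```shell
#!/bin/sh
# Constructed sample in /etc/ssh/moduli format:
#   time type tests trials size generator modulus
# Shipped moduli files record the size as (bits - 1), so 1023 is a
# 1024-bit group and 2047 is a 2048-bit group. Modulus column is a
# placeholder here, not a real prime.
SAMPLE_MODULI='20170102000000 2 6 100 1023 2 PLACEHOLDER
20170102000000 2 6 100 1535 2 PLACEHOLDER
20170102000000 2 6 100 2047 2 PLACEHOLDER
20170102000000 2 6 100 4095 5 PLACEHOLDER'

# Print only the entries describing groups of 2048 bits or larger
# (comment lines are kept so the result is still a valid moduli file).
filter_moduli() {
    awk '/^#/ || $5 >= 2047' "$1"
}

# Count entries describing groups smaller than 2048 bits, i.e. the
# moduli a PCI scanner reports as Logjam-relevant.
count_weak_moduli() {
    awk '!/^#/ && $5 < 2047 { n++ } END { print n + 0 }' "$1"
}

# Return 0 if a comma-separated KexAlgorithms value still contains the
# diffie-hellman-group1-sha1 exchange named in the finding, else 1.
kex_lists_group1() {
    case ",$1," in
        *,diffie-hellman-group1-sha1,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demonstration on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_MODULI" > "$tmp"
echo "weak (<2048-bit) groups in sample: $(count_weak_moduli "$tmp")"
echo "entries kept after filtering:"
filter_moduli "$tmp"
rm -f "$tmp"

# On a real host (as root, after backing up the original file) the
# equivalent is roughly:
#   awk '$5 >= 2047' /etc/ssh/moduli > /etc/ssh/moduli.safe
#   mv /etc/ssh/moduli.safe /etc/ssh/moduli
# then remove diffie-hellman-group1-sha1 from KexAlgorithms in
# sshd_config and restart sshd. Check the effective value afterwards
# with:  sshd -T | grep -i kexalgorithms
```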
 

rpvw

Well-Known Member
Jul 18, 2013
UK
cPanel Access Level
Root Administrator