Archive for May, 2017

CentOS – disable ciphers in openssh

I used the following procedure to disable the weak ciphers enabled in openssh on CentOS 7:

You could probably guess where you this should be configured, but one of the challenges can be getting of complete list of what is supported.

Get a list of supported ciphers:

# ssh -Q cipher

To disable one or more, you need to explicitly specify the ciphers you do want to use. For example, arcfour:

# vi /etc/ssh/sshd_config

Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,,aes128-ctr,aes192-ctr,aes256-ctr,,,

And then, restart sshd:

# systemctl restart sshd

And check:

$ ssh -c arcfour localhost
no matching cipher found: client arcfour server 3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,,aes128-ctr,aes192-ctr,aes256-ctr,,,

Remotely enable RDP.

Download psexec.exe to run commands remotely on the remote machine.
See Windows 10 note at the end of this post.

Once installed, run psexec to bring up a command prompt on the remote machine:
C:\Tools> psexec \\remotecomputer cmd

Turn off the firewall:
C:\Windows\system32> netsh advfirewall set currentprofile state off
Default Profiles: AllProfiles, CurrentProfile, DomainProfile, PrivateProfile, or PublicProfile.

Create a rule to allow Remote Desktop through the firewall:
C:\Windows\system32> netsh advfirewall firewall set rule group=”Remote Desktop Access” new enable=Yes

These netsh commands will return an “Ok!” when successful.

Next ensure that the “Remote Registry” service is started, so you can modify the registry to enable Remote Desktop:
C:\Windows\system32> net start “Remote Registry”

Then, from your local machine open regedit and select File/Connect Network Registry…
Enter the name or I.P. address of the remote machine.
Once connected, navigate to “REMOTEMACHINE\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server”
Then, double click fDenyTSConnections and change it from a 1 to a 0.

Then, back on your psexec session restart the “Remote Desktop Services” service:
C:\Windows\system32> net stop “Remote Desktop Services”
C:\Windows\system32> net start “Remote Desktop Services”

Now, you should be able to connect, and still connect after rebooting if you set the “Remote Desktop Services” service to Automatic so it starts at boot.

Windows 10 note:
You can also use REG.EXE to edit the registry from your PSEXEC.EXE session. This worked well for Windows 10 without needing to enable Remote Administration:
C:\Windows\system32> REG ADD “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f

Return top