Debian Stretch – PCI compliance issue with the OpenSSH version

One of the servers I look after has failed a PCI Compliance ASV scan.

The warning being received is:

The SSH server running on the remote host is affected by an information disclosure vulnerability. According to its banner, the version of OpenSSH running on the remote host is prior to 7.5. It is, therefore, affected by an information disclosure vulnerability : - An unspecified timing flaw exists in the CBC padding oracle countermeasures, within the ssh and sshd functions, that allows an unauthenticated, remote attacker to disclose potentially sensitive information. Note that the OpenSSH client disables CBC ciphers by default. However, sshd offers them as lowest-preference options, which will be removed by default in a future release. (VulnDB 144000) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. 

OpenSSH 7.4 is the current version in the stable Debian package.

As far as I know, Debian routinely backports security fixes, but to get this marked as a "false positive" I have to provide the scanning company with some evidence.

Can anyone suggest where/how to confirm this?

The text is correct; it warns you that all it is doing is checking the reported version.

You can remove the CBC ciphers from the server configuration and then share that configuration with them. There are several guides out there; pick one you consider trustworthy.

I would stay on Debian stable. Using the default behaviour of the latest server and client is very likely secure, but the maintainers remove backward compatibility with older ciphers slowly and carefully.
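One way to produce the evidence the answer above suggests, as an added example that is not part of the original thread: a small POSIX shell script that reads an sshd_config, lists any CBC-mode ciphers in the effective Ciphers directive, and prints a replacement directive with them removed. The sample config it writes is constructed for illustration, the fallback allow-list is a common choice of the AEAD and CTR ciphers OpenSSH 7.4 supports, and the file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: audit the Ciphers directive
# in an sshd_config for CBC-mode algorithms and print a replacement
# directive without them. The sample config and paths are constructed.

# Print the ciphers of the first Ciphers directive in file $1, one per line.
# sshd_config(5) uses the first value given for a repeated keyword, so only
# the first match counts. Commented-out lines are skipped. Prints nothing
# when no directive is set, meaning the compiled-in defaults apply.
configured_ciphers() {
    grep -i '^[[:space:]]*ciphers[[:space:]]' "$1" | head -n 1 \
        | sed 's/^[[:space:]]*[Cc][Ii][Pp][Hh][Ee][Rr][Ss][[:space:]]*//; s/[[:space:]]//g' \
        | tr ',' '\n'
}

# Print only the CBC ciphers from that directive (empty output = none found).
cbc_ciphers() {
    configured_ciphers "$1" | grep -- '-cbc$' || true
}

# Print a Ciphers directive with every CBC entry removed, preserving order.
# If the file sets no Ciphers line (or only CBC ciphers), emit an explicit
# allow-list of AEAD and CTR ciphers that OpenSSH 7.4 supports; this list is
# a constructed, common hardening choice, not a Debian default.
hardened_ciphers_line() {
    kept=$(configured_ciphers "$1" | grep -v -- '-cbc$' | paste -s -d ',' -)
    if [ -z "$kept" ]; then
        kept='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
    fi
    printf 'Ciphers %s\n' "$kept"
}

# Write a constructed sample sshd_config fragment to $1: a commented-out
# directive that must be ignored, an effective directive that lists CBC
# ciphers at lowest preference, and a second directive sshd would ignore.
write_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sample sshd_config fragment (not a real Debian file)
Port 22
#Ciphers aes128-cbc
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc
Ciphers 3des-cbc
EOF
}

# Stand-alone demo run against the constructed sample.
sample=$(mktemp)
write_sample_config "$sample"
echo "CBC ciphers in the effective Ciphers directive:"
cbc_ciphers "$sample"
echo "Replacement directive to put in /etc/ssh/sshd_config (placeholder path):"
hardened_ciphers_line "$sample"
rm -f "$sample"
```

Run it against the real file with `cbc_ciphers /etc/ssh/sshd_config`. Once the directive has been changed and sshd reloaded, `sshd -T | grep -i ciphers` prints the cipher list the daemon actually offers, which is the evidence worth sending to the scanning company alongside the note that the version check is banner-based.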