Which encryption algorithms do PRTG SSH sensors support?

Upon doing an OpenVAS security scan on my servers I get the following security risk:

Summary

The remote SSH server is configured to allow weak encryption algorithms.

Vulnerability Detection Result

The following weak client-to-server encryption algorithms are supported by the remote service:

  • 3des-cbc
  • aes128-cbc
  • aes192-cbc
  • aes256-cbc
  • arcfour
  • arcfour128
  • arcfour256
  • blowfish-cbc
  • cast128-cbc
  • [email protected]

My sensors are currently in compatibility mode as they give error state in default.

SSH server version:

  • OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

I found this:

Important note: PRTG includes a new SSH engine as of version 16.2.24 to provide best performance and security for your SSH sensors. Please consider this SSH engine as beta: it still does not support all OpenSSH libraries but we are working on it. If PRTG's new SSH engine does not yet work in your case, you can still use the old SSH engine as legacy version: select the Compatibility Mode for SSH Engine in the sensor or device settings. In this case, please consider the article below.

So back to my question: which encryption algorithms do the sensors support? Please specify for both default & compatibility mode so I can allow only the algorithms

compatibility disk-free meminfo openssh prtg

Created on Jan 27, 2017 12:49:54 PM by arielvz

Last change on Jan 23, 2018 1:45:24 PM by Luciano Lingnau [Paessler Support]



1 Reply

Sorry for the delayed reply. Default mode supports:

  • Cipher: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc
  • Mac: hmac-sha2-512, hmac-sha2-256, hmac-sha1, none
  • Kex: [email protected], ecdh-sha2-nistp256, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1
  • Host Keys: ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-dss, ssh-rsa

Compatibility mode is only listed for reference, since it's already deprecated and will be removed sooner or later:

  • Cipher: aes192-cbc, aes256-cbc
  • Mac: hmac-sha1
  • Kex: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1
  • Host Keys: ssh-rsa, ssh-dss

Created on Feb 2, 2017 12:16:14 PM by  Stephan Linke [Paessler Support]
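
Added example (not part of the original thread and not Paessler's code): it removes the ciphers the scan flagged from the cipher lists given in the reply, to show which `Ciphers` value in sshd_config would still let each PRTG SSH engine mode connect. It assumes the server actually offers the CTR ciphers; the function names are illustrative.

```python
# Added example: cipher lists are copied from this thread, names are illustrative.

# Ciphers the scanner reported as weak (the one entry whose name is
# obscured on the page is left out).
WEAK_CIPHERS = {
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "arcfour",
    "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc",
}

# Cipher lists per PRTG SSH engine mode, as given in the reply.
PRTG_CIPHERS = {
    "default": "aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc",
    "compatibility": "aes192-cbc, aes256-cbc",
}


def parse_list(raw):
    """Split a comma-separated algorithm list, tolerating stray spaces."""
    return [name.strip() for name in raw.split(",") if name.strip()]


def usable_ciphers(mode, weak=WEAK_CIPHERS):
    """Ciphers a PRTG mode supports that the scanner does not flag, in order."""
    return [c for c in parse_list(PRTG_CIPHERS[mode]) if c not in weak]


def sshd_ciphers_line(mode):
    """Build an sshd_config Ciphers directive, or None if the mode would break."""
    keep = usable_ciphers(mode)
    return "Ciphers " + ",".join(keep) if keep else None


def report():
    """One line per PRTG mode: the directive to use, or why hardening breaks it."""
    lines = []
    for mode in PRTG_CIPHERS:
        directive = sshd_ciphers_line(mode)
        if directive:
            lines.append(f"{mode}: {directive}")
        else:
            lines.append(f"{mode}: no non-weak cipher in common; "
                         "sensors in this mode fail once weak ciphers are removed")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Compatibility mode has no cipher outside the flagged list, so removing the weak ciphers on the server requires the sensors to work in default mode first.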


