Is it possible to update KEX algorithms used by the SFTP sensor?


Hello, due to some known vulnerabilities with various weak ciphers and algorithms, we have removed them from our FTP software today, but this had the side effect of breaking our SFTP sensors. Are you perhaps using an older OpenSSH library than our FTP software? Ours uses OpenSSH 8.1.0.0. Do you have any way for us to add more cipher options to this sensor? For now, we have had to re-enable a weak KEX cipher to make the sensor work again, but this is not a long-term fix. I find it troubling that you support older, weak Diffie-Hellman KEX algorithms, but not newer, secure ones. It might give someone the impression that your company doesn't care about security. =)

Details:

Failed to connect. Please check the SSH log of the target device or try the Compatibility Mode of the sensor's SSH engine and consider updating the target system's operating system. Reason: ssh_connect failed (-1)kex error : no match for method kex algos: server [ diffie-hellman-group16-sha512, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256], client [ [email protected], ecdh-sha2-nistp256, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1]

We are using PRTG 20.3.61.1649+. I didn't see anything in the patch notes about updated KEX algorithms, so I didn't update yet. Let me know if there is an undocumented change on this perhaps.

kex prtg sftp

Created on Nov 18, 2020 11:00:41 PM by  Peter Bollwerk (80) 1 1



3 Replies


Hi there,

Please let me know which certain vulnerabilities are covered with your new ciphers? In this way, I can reach out to our developers to receive more information.

Created on Nov 19, 2020 11:17:34 AM by  Moritz Heller [Paessler Support]




Hello, I'm not sure I understand your response. Anything with SHA1 is regarded as insecure. PRTG currently only seems to have these KEX algorithms available: [email protected], ecdh-sha2-nistp256, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1

Our FTP software from Globalscape (EFT) does not have support for these two: [email protected], ecdh-sha2-nistp256,

So, after we disabled the two SHA1 KEX algorithms, the SFTP sensor fails, because there is no common KEX algorithm between the client and server.

What I am asking is if PRTG can ADD the more secure versions of the diffie-hellman KEX algorithms: diffie-hellman-group16-sha512, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256

Created on Nov 19, 2020 5:25:00 PM by  Peter Bollwerk (80) 1 1
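
The negotiation failure described in the question and in the reply above, as an added example that is not part of the original thread or of PRTG: it parses the posted error text, applies the RFC 4253 selection rule (the first client-listed algorithm the server also offers), and flags SHA-1 based entries. The function names and the two what-if lists are assumptions made for illustration.

```python
import re

# Error text as posted in the question. The first client entry appears on the
# page as "[email protected]" (obfuscated by the site) and is kept verbatim.
ERROR = (
    "ssh_connect failed (-1)kex error : no match for method kex algos: "
    "server [ diffie-hellman-group16-sha512, diffie-hellman-group14-sha256, "
    "diffie-hellman-group-exchange-sha256], client [ [email protected], "
    "ecdh-sha2-nistp256, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1]"
)

def _split(csv):
    return [a.strip() for a in csv.split(",") if a.strip()]

def parse_kex_error(text):
    """Return (server_algos, client_algos) from a 'no match for method kex algos' error."""
    m = re.search(r"kex algos:\s*server\s*\[(.*?)\]\s*,\s*client\s*\[(.*)\]", text)
    if m is None:
        raise ValueError("not a KEX mismatch error")
    return _split(m.group(1)), _split(m.group(2))

def negotiate(client, server):
    """RFC 4253 section 7.1, simplified: the first algorithm in the client's
    preference list that the server also offers; None means the connection fails."""
    offered = set(server)
    return next((a for a in client if a in offered), None)

def sha1_based(algos):
    """KEX methods whose exchange hash is SHA-1, the ones the poster disabled."""
    return [a for a in algos if a.endswith("-sha1")]

def report(text):
    server, client = parse_kex_error(text)
    return {
        "negotiated": negotiate(client, server),
        "client_sha1": sha1_based(client),
        "server_sha1": sha1_based(server),
        # What-if (constructed): server re-enables one SHA-1 method.
        "if_server_adds_group14_sha1": negotiate(client, server + ["diffie-hellman-group14-sha1"]),
        # What-if (constructed): client gains the methods requested in the thread.
        "if_client_adds_server_list": negotiate(client + server, server),
    }

if __name__ == "__main__":
    for key, value in report(ERROR).items():
        print(f"{key}: {value}")
```

Because the client's preference order decides the result, re-enabling a SHA-1 method on the server makes that method the negotiated one for this sensor, while clients that list a SHA-2 method first are unaffected.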




Hi Peter,

I forwarded your question to our development and received additional feedback. At the moment, we don't use the latest version of OpenSSH. Therefore, the error occurs. In addition, we are not able to enable another cipher set for this Sensor, I'm sorry.

Created on Nov 23, 2020 9:32:29 AM by  Moritz Heller [Paessler Support]


