For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mate_132781's avatar
Mate_132781
Icon for Cirrostratus rankCirrostratus
Sep 10, 2015

Hi,

I have BIG-IP 11.6 and looks like that theese two commands (for MACs and ciphers) are mutually exclusive, for example, if I enter:

modify sys sshd include "MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com"
save sys config partitions all
restart sys service sshd

Configuration of SSH deamon looks like:

    sys sshd {
        banner enabled
        banner-text "Any unauthorized access is strictly prohibited
    and will be prosecuted to the full extent of
    applicable local and international law.
    All access is monitored."
        inactivity-timeout 900
        include "MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com"
        log-level verbose
}

If after that I enter: 

modify sys sshd include "Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
save sys config partitions all
restart sys service sshd

Configuration looks like:

sys sshd {
    banner enabled
    banner-text "Any unauthorized access is strictly prohibited
and will be prosecuted to the full extent of
applicable local and international law.
All access is monitored."
    inactivity-timeout 900
    include "Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
    log-level verbose
}

How can I change ciphers and MACs together, because I need to disable CBC encryption anf MD5 and 96-bit MAC algorithms?

refra_151287's avatar
refra_151287
Icon for Cirrus rankCirrus
Sep 15, 2015
Hi Mate, It's really what happened with me, but after doing the performing PenTest again, I found the changes happened, you can check that and feedback us.