IBM Support

QRadar: SSH fails with error "no matching cipher found"

Troubleshooting


Problem

The SSH connection does not have a matching cipher to use and denies communication between the hosts with the error "no matching cipher found."

Symptom

The System and License Management tabs show a managed host with status UNKNOWN.
The following image illustrates a managed host with status Unknown in system and license management tab:
Host with status unknown.

Cause

Diagnosing The Problem

  1. Use SSH to log in to the QRadar Console as the root user.

  2. Verify whether the console is able to SSH into the managed host with UNKNOWN status:

    ssh <managed host ip>

    Result
    If you get a response similar to the following, you have confirmed the issue with the communication is because of a mismatch in the SSH ciphers:

    Unable to negotiate with X.X.X.X port 22: no matching cipher found. Their offer: 3des-cbc

Resolving The Problem

To resolve the issue, administrator must set the right ciphers in the affected managed host by using the following steps:
  1. Use SSH to log in to the QRadar Console as the root user.

  2. Note the console ciphers from the SSH configuration:

    grep '^Ciphers' /etc/ssh/sshd_config
    Output example: 
    Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

  3. Connect to the managed host by using an out-of-band management approach. For example, IMM, XCC WebUI, or equivalent (KVM, iDRAC).
    Note: Integrated Management Module (IMM) is present only on QRadar® M3, M4, and M5 appliances. QRadar® M6 appliances use XClarity Controller (XCC) instead. 

  4. Verify whether the ciphers of the managed host are different than those on the console:

    grep '^Ciphers' /etc/ssh/sshd_config

    In the following example, the cipher is 3des-cbc, which was not listed on the console.

    Ciphers 3des-cbc

  5. Back up the SSH configuration of the managed host:

    cp /etc/ssh/sshd_config /root/sshd_config.backup

  6. Configure the right ciphers in the managed host:

    ciphers="<The ciphers of the console>"
sed -i "s/^Ciphers.*/$(echo $ciphers)/g" /etc/ssh/sshd_config;ciphers=""
    Example: 
    ciphers="Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
sed -i "s/^Ciphers.*/$(echo $ciphers)/g" /etc/ssh/sshd_config;ciphers=""

  7. Restart the SSH service in the managed host.

    systemctl restart sshd
Result
Administrator configured the correct ciphers in the managed host and is now able to SSH from the console to the managed host. For more information about SSH, see QRadar: About Secure Shell (SSH).

Related Information

QRadar: About Secure Shell (SSH)

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
31 May 2023

UID

ibm11033252

Page Feedback