Hello,
We host a static Gatsby website for a customer who has reported a vulnerability that was found during a security scan.
Reported vulnerability details below:
Title: SSH Dheat attack vulnerability
Synopsis: The SSH server is vulnerable to a denial of service vulnerability.
Description: [CVE-2002-20001] The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. The client needs very little CPU resources and network bandwidth.
Solution: Disabling the Diffie-Hellman key exchange algorithms in the application server configurations mitigates the vulnerability. Using application server-specific rate limitation techniques or rate-limiting suspicious clients by their addresses (e.g. Fail2Ban) can effectively reduce the risk of a successful attack.
Findings: Vulnerable Diffie-Hellman KEXs supported by the server:
* diffie-hellman-group-exchange-sha256
* diffie-hellman-group16-sha512
* diffie-hellman-group18-sha512
* diffie-hellman-group14-sha256
Port: 22/tcp
Site name: alexandria-cms-prod.netlify.app
Any ideas/suggestions regarding this issue? Can it be resolved?
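The scanner's suggested fix is to stop offering the finite-field Diffie-Hellman key-exchange methods. On an OpenSSH server you administer yourself, that is the `KexAlgorithms` directive in `sshd_config`. The following is an added example, not code from the original post or from Netlify: it takes the list of KEX methods a server advertises (constructed sample input here, in the shape `sshd -T | grep -i kexalgorithms` or a scanner would report), derives a `KexAlgorithms` line that keeps only the non-DHE methods the server already supports, inserts it at top level (before any `Match` block) in a constructed sample `sshd_config`, and then reports which of the four flagged methods would still be negotiable before and after the change. The helper names are mine and not part of any OpenSSH tooling.

```python
"""Derive a DHE-free OpenSSH KexAlgorithms directive from the key-exchange
methods a server advertises, apply it to an sshd_config, and check which of
the scanner-flagged methods would remain negotiable.

Added example, not code from the original post or from Netlify. The method
list and the sshd_config text are constructed sample input.
"""
from typing import Iterable, List, Tuple

# Constructed sample: methods a server might advertise, as a scanner or
# `sshd -T | grep -i kexalgorithms` on the host would report them.
SAMPLE_ADVERTISED_KEX: List[str] = [
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512",
    "diffie-hellman-group14-sha256",
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
]

# The four methods named in the finding, in the order the scanner listed them.
FLAGGED_KEX: List[str] = SAMPLE_ADVERTISED_KEX[:4]

# Constructed sample sshd_config: no KexAlgorithms line, so the build's
# default list (which includes the DHE methods) is in effect. The Match
# block is there to show that the directive must be inserted before it.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
# KexAlgorithms is not set here, so the compiled-in default applies
Match User deploy
    PasswordAuthentication no
"""


def _keyword(line: str) -> str:
    """Lower-cased config keyword of a line; '' for blank or comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return ""
    return stripped.split(None, 1)[0].lower()


def is_dhe_kex(name: str) -> bool:
    """Finite-field Diffie-Hellman methods, fixed-group and group-exchange
    alike, all carry the 'diffie-hellman-group' prefix."""
    return name.strip().lower().startswith("diffie-hellman-group")


def split_kex(advertised: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (dhe_methods, other_methods), preserving the advertised order."""
    dhe = [k for k in advertised if is_dhe_kex(k)]
    other = [k for k in advertised if not is_dhe_kex(k)]
    return dhe, other


def hardened_kex_directive(advertised: Iterable[str]) -> str:
    """KexAlgorithms line keeping only the non-DHE methods the server already
    supports, so the change introduces no algorithm the build lacks."""
    _, other = split_kex(advertised)
    if not other:
        raise ValueError("no non-DHE KEX methods available; dropping DHE would break every client")
    return "KexAlgorithms " + ",".join(other)


def apply_to_sshd_config(config_text: str, advertised: Iterable[str]) -> str:
    """Replace the top-level KexAlgorithms line(s) with the hardened directive,
    or insert one before the first Match block if none exists. Lines inside
    Match blocks are left untouched."""
    directive = hardened_kex_directive(advertised)
    lines = config_text.splitlines()
    first_match = next((i for i, l in enumerate(lines) if _keyword(l) == "match"), len(lines))
    head, tail = lines[:first_match], lines[first_match:]
    out: List[str] = []
    replaced = False
    for line in head:
        if _keyword(line) == "kexalgorithms":
            if not replaced:
                out.append(directive)
                replaced = True
            continue  # drop duplicates; sshd uses only the first value anyway
        out.append(line)
    if not replaced:
        out.append(directive)
    return "\n".join(out + tail) + "\n"


def enabled_kex(config_text: str, default: Iterable[str]) -> List[str]:
    """Effective top-level KEX list: the first explicit directive before any
    Match block, else the supplied default."""
    for line in config_text.splitlines():
        key = _keyword(line)
        if key == "match":
            break
        if key == "kexalgorithms":
            parts = line.strip().split(None, 1)
            value = parts[1] if len(parts) > 1 else ""
            return [m.strip() for m in value.split(",") if m.strip()]
    return list(default)


def remaining_findings(config_text: str, default: Iterable[str], flagged: Iterable[str]) -> List[str]:
    """Scanner-flagged methods that would still be negotiable under this config."""
    enabled = {m.lower() for m in enabled_kex(config_text, default)}
    return [f for f in flagged if f.lower() in enabled]


if __name__ == "__main__":
    hardened = apply_to_sshd_config(SAMPLE_SSHD_CONFIG, SAMPLE_ADVERTISED_KEX)
    print(hardened)
    print("still flagged before:", remaining_findings(SAMPLE_SSHD_CONFIG, SAMPLE_ADVERTISED_KEX, FLAGGED_KEX))
    print("still flagged after: ", remaining_findings(hardened, SAMPLE_ADVERTISED_KEX, FLAGGED_KEX))
```

Before reloading, validate the edited file with `sshd -t -f <file>` and confirm the effective list with `sshd -T`. OpenSSH 7.5 and later also accept the subtractive form `KexAlgorithms -diffie-hellman-group*`, which removes matching methods from the default set; the small parser above models only the explicit-list form. On a managed host such as the one named in the finding, the `sshd` configuration is the hosting provider's to change, so the directive would have to be applied on their side.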