Hello all, so a scan was done on some Linux servers and it was found they had weak ssh encryption algorithms.
I had to disable/remove the weak cyphers and update even stronger cyphers.
STEP1: see the current cyphers in use by the ssh
sudo sshd -T | grep ciphers | perl -pe 's/,/\n/g' | sort -u
STEP2: cd to this location /etc/ssh/sshd_config and hard code the below in the file
STEP3 (Optional): you also instruct clients to make use of strong encryption by doing cd /etc/ssh/ssh_config and adding the below code
Host * ciphers email@example.com,firstname.lastname@example.org,email@example.com,aes256-ctr,aes192-ctr,aes128-ctr
NOTE: you may not need to add Host * just check if one has already been made and just drop the second line somewhere below it.
STEP3: Restart ssh server to update your changes
systemctl reload sshd
You can run the code in step 2 again to confirm your changes has been applied.
If you are in doubt if your ssh support stronger cyphers you can run the below code to determine the option available for you.
ssh -Q cipher | sort -u
What are my Bases for the recommendations?
- Cyphers in CBC mode leads to some potential vulnerabilities;
- Blowfish, IDEA, and CAST128 are not bad ciphers per se, but they have a 64-bit block size. This means the key must be reseeded periodically. 3DES additionally, due to a meet-in-the-middle attack, has its effective security reduced from 168 bits to 112 bits.