How to Disable SSH Weak Encryption Algorithm

 Cyber Security   February 19, 2021

Hello all, so a scan was done on some Linux servers and it was found they had weak SSH encryption algorithms.

I had to disable/remove the weak ciphers and update to even stronger ciphers.

STEP1: See the ciphers currently in use by the SSH server

sudo sshd -T | grep ciphers | perl -pe 's/,/\n/g' | sort -u

STEP2: Open /etc/ssh/sshd_config and hard-code the below in the file


STEP3 (Optional): You can also instruct clients to use strong encryption by opening /etc/ssh/ssh_config and adding the below code

Host *

NOTE: You may not need to add Host *; just check whether one already exists and drop the second line somewhere below it.

STEP4: Reload the SSH server to apply your changes

systemctl reload sshd

You can run the command from Step 1 again to confirm your changes have been applied.

If you are in doubt whether your SSH supports stronger ciphers, you can run the command below to list the options available to you.

ssh -Q cipher | sort -u

What is the basis for my recommendations?

  1. Ciphers in CBC mode lead to some potential vulnerabilities;
  2. Blowfish, IDEA, and CAST128 are not bad ciphers per se, but they have a 64-bit block size. This means the key must be changed (rekeyed) periodically. 3DES additionally, due to a meet-in-the-middle attack, has its effective security reduced from 168 bits to 112 bits.
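
The two criteria above can be applied mechanically to the output of the Step 1 command. The following is an added example, not part of the original post; the function names and the sample `sshd -T` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag ciphers that match the two criteria listed above
# (CBC mode, or a 64-bit block size). Function names are hypothetical.

# classify_cipher NAME: print why NAME is considered weak, or nothing if it is not.
classify_cipher() {
    case "$1" in
        3des-*)                      echo "64-bit block, 112-bit effective key" ;;
        blowfish-*|idea-*|cast128-*) echo "64-bit block" ;;
        *-cbc|*-cbc@*)               echo "CBC mode" ;;
    esac
}

# weak_ciphers: read `sshd -T` output on stdin and print "cipher<TAB>reason"
# for every enabled cipher that classify_cipher flags.
weak_ciphers() {
    awk '$1 == "ciphers" { gsub(",", "\n", $2); print $2 }' |
    LC_ALL=C sort -u |
    while IFS= read -r c; do
        reason=$(classify_cipher "$c")
        if [ -n "$reason" ]; then
            printf '%s\t%s\n' "$c" "$reason"
        fi
    done
}

# Constructed sample of `sshd -T` output (not taken from a real server).
SAMPLE='port 22
ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc
macs hmac-sha2-256'

# Demo on the constructed sample; on a server, pipe the real output instead:
#   sudo sshd -T | weak_ciphers
printf '%s\n' "$SAMPLE" | weak_ciphers
```

An empty result means none of the enabled ciphers match either criterion.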

Happy Remediation.

Copyright © 2021 John & Cyber Security . All Right Reserved.