Hello all, so a scan was done on some Linux servers and it was found they had weak ssh encryption algorithms.
I had to disable/remove the weak cyphers and update even stronger cyphers.
STEP1: see the current cyphers in use by the ssh
sudo sshd -T | grep ciphers | perl -pe 's/,/\n/g' | sort -uSTEP2: cd to this location /etc/ssh/sshd_config and hard code the below in the file
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctrSTEP3 (Optional): you also instruct clients to make use of strong encryption by doing cd /etc/ssh/ssh_config and adding the below code
Host *
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctrNOTE: you may not need to add Host * just check if one has already been made and just drop the second line somewhere below it.
STEP3: Restart ssh server to update your changes
systemctl reload sshdYou can run the code in step 2 again to confirm your changes has been applied.
If you are in doubt if your ssh support stronger cyphers you can run the below code to determine the option available for you.
ssh -Q cipher | sort -uWhat are my Bases for the recommendations?
- Cyphers in CBC mode leads to some potential vulnerabilities;
- Blowfish, IDEA, and CAST128 are not bad ciphers per se, but they have a 64-bit block size. This means the key must be reseeded periodically. 3DES additionally, due to a meet-in-the-middle attack, has its effective security reduced from 168 bits to 112 bits.
Happy Remediation.
Onyejegbu John Ebuka
Information and Cyber Security Professional. All thoughts and opinions expressed here are my own, and may not be representative of my employer, or any other entity unless I am specifically quoting someone.
