Hello all, so a scan was done on some Linux servers and it was found they had weak ssh encryption algorithms.

I had to disable/remove the weak cyphers and update even stronger cyphers.

STEP1: see the current cyphers in use by the ssh

sudo sshd -T | grep ciphers | perl -pe 's/,/\n/g' | sort -u

STEP2: cd to this location  /etc/ssh/sshd_config  and  hard code the below in the file

ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

STEP3 (Optional): you also instruct clients to make use of strong encryption by doing cd /etc/ssh/ssh_config  and adding the below code

Host *
    ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

NOTE: you may not need to  add Host *  just check if one has already been made and just drop the second line somewhere below it.

STEP3: Restart ssh server to update your changes 

systemctl reload sshd

You can run the code in step 2 again to confirm your changes has been applied.

If you are in doubt if your ssh support stronger cyphers you can run the below code to determine the option available for you.

ssh -Q cipher | sort -u

What are my Bases for the recommendations?

1. Cyphers in CBC mode leads to some potential vulnerabilities;
2. Blowfish, IDEA, and CAST128 are not bad ciphers per se, but they have a 64-bit block size. This means the key must be reseeded periodically. 3DES additionally, due to a meet-in-the-middle attack, has its effective security reduced from 168 bits to 112 bits.

Happy Remediation.

I agree that my data (incl. my anonymized IP address) gets stored!

Comment

Currently there are no comments, so be the first!