How to Disable SSH weak Encryption Algorithm
Cyber Security February 19, 2021
Hello all, so a scan was done on some Linux servers and it was found they had weak ssh encryption algorithms.
I had to disable/remove the weak cyphers and update even stronger cyphers.
STEP1: see the current cyphers in use by the ssh
sudo sshd -T | grep ciphers | perl -pe 's/,/\n/g' | sort -u
STEP2: cd to this location /etc/ssh/sshd_config and hard code the below in the file
STEP3 (Optional): you also instruct clients to make use of strong encryption by doing cd /etc/ssh/ssh_config and adding the below code
Host * ciphers firstname.lastname@example.org,email@example.com,firstname.lastname@example.org,aes256-ctr,aes192-ctr,aes128-ctr
NOTE: you may not need to add Host * just check if one has already been made and just drop the second line somewhere below it.
STEP3: Restart ssh server to update your changes
systemctl reload sshd
You can run the code in step 2 again to confirm your changes has been applied.
If you are in doubt if your ssh support stronger cyphers you can run the below code to determine the option available for you.
ssh -Q cipher | sort -u
What are my Bases for the recommendations?
Information and Cyber Security Professional. All thoughts and opinions expressed here are my own, and may not be representative of my employer, or any other entity unless I am specifically quoting someone.