CBC and Arcfour based ciphers are considered no longer secure. Please follow the steps to remove them from the ssh server
# vi /etc/ssh/shh_config
Replace #Ciphers line with: Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Replace #MACs line with: MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
- Save the file
Note there will no longer be a # in front of Cyphers and MACs.
# vi /etc/ssh/shhd_config
Look for the line "# Ciphers and keying" and "#RekeyLimit default none"
Below "#RekeyLimit default none" add:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
- Save the file
Restart sshd service
# systemctl restart sshd
To Test Weak Ciphers is no longer allowed :
# ssh -vv -oCiphers=aes128-cbc,3des-cbc,blowfish-cbc,aes256-arcfour,arcfour256,arcfour128 {target machine-ip}
To Check Current Allowed Ciphers on your localhost
# sshd -T | grep "\(ciphers\|macs\)"
No comments:
Post a Comment