8 February 2018

SSH - Remove SSH weak ciphers

CBC-mode and Arcfour (RC4) based ciphers are no longer considered secure (CBC ciphers are vulnerable to the SSH plaintext-recovery attack, and RC4 has known keystream biases). Follow the steps below to remove them from both the ssh client and the ssh server, so that neither side will offer them.

Client side (this file governs outgoing connections made from this host):
# vi /etc/ssh/ssh_config
Replace the #Ciphers line with: Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Replace the #MACs line with: MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
- Save the file

Note there will no longer be a # in front of Ciphers and MACs; a line that still starts with # is a comment and has no effect.

Caveat on the MAC list: hmac-sha1, umac-64 and hmac-ripemd160 are legacy algorithms; hmac-ripemd160 was dropped entirely in OpenSSH 7.6, so on newer releases the line above will fail to parse. If your peers support them, prefer hmac-sha2-256,hmac-sha2-512 (or their -etm@openssh.com variants) and drop hmac-ripemd160.

Server side (this file governs incoming connections accepted by sshd):
# vi /etc/ssh/sshd_config
Look for the lines "# Ciphers and keying" and "#RekeyLimit default none"
Below "#RekeyLimit default none" add:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
- Save the file

Check the configuration parses before restarting, so a typo cannot lock you out of the server:
# sshd -t

Restart the sshd service (keep your current session open until you have confirmed a new login works):
# systemctl restart sshd


To test that weak ciphers are no longer allowed, force the client to offer only weak ones and confirm the server refuses the connection:
# ssh -vv -oCiphers=aes128-cbc,3des-cbc,blowfish-cbc,arcfour,arcfour256,arcfour128 {target machine-ip}

The expected result is a failure such as "Unable to negotiate with ... : no matching cipher found". If the client itself complains with "Bad SSH2 cipher spec", it is a newer OpenSSH (7.6 or later) that no longer ships arcfour and blowfish; repeat the test with only the names your client still supports, e.g. -oCiphers=aes128-cbc,3des-cbc.


To check the ciphers and MACs currently in effect on your localhost (run as root; this prints the effective configuration, including any defaults you did not override):
# sshd -T | grep "\(ciphers\|macs\)"
