CBC and Arcfour based ciphers are no longer considered secure. Follow the steps below to remove them from the SSH server.
# vi /etc/ssh/ssh_config
Replace #Ciphers line with: Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Replace #MACs line with: MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
- Save the file
Note there will no longer be a # in front of Ciphers and MACs.
# vi /etc/ssh/sshd_config
Look for the lines "# Ciphers and keying" and "#RekeyLimit default none"
Below "#RekeyLimit default none" add:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
- Save the file
Restart the sshd service
# systemctl restart sshd
To test that weak ciphers are no longer allowed:
# ssh -vv -oCiphers=aes128-cbc,3des-cbc,blowfish-cbc,aes256-cbc,arcfour,arcfour256,arcfour128 {target machine-ip}
To check the currently allowed ciphers on your localhost:
# sshd -T | grep "\(ciphers\|macs\)"
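The check above can be scripted so it fails loudly when a CBC or Arcfour cipher is still offered. This is an added example, not part of the original post; the function names and the two sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag CBC and Arcfour ciphers in `sshd -T` style output.

# Reads the effective sshd config on stdin and prints each weak cipher
# found on the "ciphers" line, one per line.
weak_ciphers() {
    awk '
        tolower($1) == "ciphers" {
            n = split($2, list, ",")
            for (i = 1; i <= n; i++)
                # matches aes128-cbc, 3des-cbc, rijndael-cbc@lysator.liu.se,
                # arcfour, arcfour128, arcfour256
                if (list[i] ~ /-cbc$/ || list[i] ~ /-cbc@/ || list[i] ~ /^arcfour/)
                    print list[i]
        }'
}

# Returns 0 when no weak cipher is enabled, 1 otherwise (details on stderr).
check_ciphers() {
    found=$(weak_ciphers)
    if [ -n "$found" ]; then
        # $found is left unquoted on purpose: one message per cipher
        printf 'weak cipher still enabled: %s\n' $found >&2
        return 1
    fi
    return 0
}

# Constructed sample: effective config before the change.
SAMPLE_BEFORE='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,arcfour256
macs hmac-sha1,umac-64@openssh.com'

# Constructed sample: effective config after applying the lines from this post.
SAMPLE_AFTER='port 22
ciphers aes128-ctr,aes192-ctr,aes256-ctr
macs hmac-sha1,umac-64@openssh.com,hmac-ripemd160'

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_BEFORE" | weak_ciphers
printf '%s\n' "$SAMPLE_AFTER" | check_ciphers && echo "after: no CBC/Arcfour ciphers"
```

On a real host, run `sshd -T | check_ciphers` as root after restarting sshd.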