How to Disable Weak Encryption Ciphers in SSH?

This includes topics related to Hardening of SafeSquid Server like SSH Hardening, Fine tuning Kernel Security with sysctl for better Performance,Improving Network throughput using NIC Bonding.
umashankar (India)
Posts: 13
Joined: Wed Apr 24, 2019 7:18 am

How to Disable Weak Encryption Ciphers in SSH?

Post by umashankar » Mon Sep 16, 2019 12:19 pm

Solution:

Some vulnerability scanners (e.g. Nessus) may show the server-to-client or client-to-server encryption ciphers below as vulnerable:
arcfour
arcfour128
arcfour256

The default configuration of the SSH server doesn't have restrictions on any ciphers.
The default allowed ciphers are listed below, which include "arcfour,arcfour128,arcfour256" as well.


aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour
In order to remove any of the weak ciphers, we need to add an option in the SSH server configuration (i.e. /etc/ssh/sshd_config).
We will have to modify the "sshd_config" file, add all the strong ciphers manually and remove weak ciphers like "arcfour,arcfour128,arcfour256".

# Add these strong ciphers to your sshd_config file.


Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
Then do an SSH service restart and verify the ciphers:
/etc/init.d/ssh restart

Verification:

In order to test which ciphers are supported by the SSH server you can use the command "sshd".
The "sshd" command below displays the list of all supported ciphers.


sshd -T | grep -i "ciphers"
You can also use the handy "nmap" command to check the ciphers from client machines, using the command below.


nmap --script ssh2-enum-algos -sV -p <port> <ip address>
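The procedure above (strip the arcfour ciphers from the default list, write the Ciphers line, restart, then check "sshd -T") can be scripted so the check is repeatable across hosts. The script below is an added example written for this post, not code from the original post or from SafeSquid. It runs offline on a constructed copy of the default cipher list quoted above; the WEAK_CIPHERS list is just the three ciphers the post removes (scanners commonly flag the CBC-mode, 3des and blowfish ciphers too, so extend that list to match your scanner's findings), and the "sshd -T" / "sshd -t" invocations in the comments are only hints for use on a real host, where they need root.

```shell
#!/bin/sh
# Added example (not from the original post): remove the arcfour ciphers from a
# cipher list and flag weak ciphers that a running sshd still offers.
# Assumption: WEAK_CIPHERS lists exactly the ciphers the post removes; extend it
# to whatever your scanner reports.

WEAK_CIPHERS="arcfour arcfour128 arcfour256"

# strip_weak LIST -> prints LIST (comma separated) with WEAK_CIPHERS removed,
# i.e. the value to put after "Ciphers" in /etc/ssh/sshd_config
strip_weak() {
    out=""
    for c in $(printf '%s' "$1" | tr ',' ' '); do
        keep=1
        for w in $WEAK_CIPHERS; do
            [ "$c" = "$w" ] && keep=0
        done
        [ "$keep" -eq 1 ] && out="${out:+$out,}$c"
    done
    printf '%s' "$out"
}

# find_weak SSHD_T_OUTPUT -> prints, one per line, the weak ciphers found on the
# "ciphers ..." line of "sshd -T" output; empty output means the host is clean.
# On a real host: find_weak "$(sudo sshd -T)"
find_weak() {
    line=$(printf '%s\n' "$1" | grep -i '^ciphers ' | head -n 1)
    for c in $(printf '%s' "${line#* }" | tr ',' ' '); do
        for w in $WEAK_CIPHERS; do
            [ "$c" = "$w" ] && printf '%s\n' "$c"
        done
    done
    return 0
}

# Constructed sample: the default cipher list quoted in the post, in the form
# "sshd -T" prints it (lower-case keyword, one space, comma-separated values).
SAMPLE_SSHD_T="ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour"

# Line to add to sshd_config (validate with "sshd -t" before restarting the service)
printf 'Ciphers %s\n' "$(strip_weak "${SAMPLE_SSHD_T#* }")"

# Weak ciphers still offered by the sample server (none after the fix is applied)
echo "weak ciphers offered:"
find_weak "$SAMPLE_SSHD_T"
```

Run it as-is to see the hardened Ciphers line and the three arcfour entries it catches; on a real server replace the sample with the output of "sshd -T" and run "sshd -t" before the restart so a typo in the cipher list cannot lock you out.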