How to Disable Weak Encryption Ciphers in SSH ?

[umashankar]

Solution:

Some of the Vulnerability Scanners(Nessus) may show below Server-to-Client or Client-To-server encryption Ciphers as vulnerable:
arcfour
arcfour128
arcfour256

The Default configuration of SSH Server doesn't have restrictions on any Ciphers.
Default Allowed Ciphers are listed below which includes "arcfour,arcfour128,arcfour256" as well.

Code: Select all

aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour

Inorder to remove any of the Weak Ciphers, we need to add a option in SSH Server Configuration(i.e /etc/ssh/sshd_config).
We Will have to modify the "sshd_config" file and add all the Strong Ciphers manually and remove Weak Ciphers like "arcfour,arcfour128,arcfour256".

#Add this Strong Ciphers to your sshd_config file.

Code: Select all

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc

And do a SSH service restart and verify ciphers.
/etc/init.d/ssh restart

Verification:

Inorder to test which all Ciphers are supported by the SSH Server you can use the command "sshd".
Below "sshd" command will help you display the list of all Supported Ciphers.

Code: Select all

sshd -T | grep -i "ciphers"

You can use a handy command "nmap" and check the Ciphers from client machines using below command.

Code: Select all

nmap --script ssh2-enum-algos -sV -p <port> <ip address>