How to Disable Weak Encryption Ciphers in SSH?
Posted: Mon Sep 16, 2019 12:19 pm
Solution:
Some vulnerability scanners (for example Nessus) report the following server-to-client and client-to-server encryption ciphers as weak:
arcfour
arcfour128
arcfour256
The default SSH server configuration does not restrict the ciphers offered. The default allowed ciphers are listed below, and they include "arcfour,arcfour128,arcfour256":
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour
To remove any of the weak ciphers, add a "Ciphers" option to the SSH server configuration (/etc/ssh/sshd_config): list the strong ciphers explicitly and leave out the weak ones such as "arcfour,arcfour128,arcfour256".
#Add these strong ciphers to your sshd_config file.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
Then restart the SSH service and verify the ciphers:
/etc/init.d/ssh restart
Verification:
To test which ciphers the SSH server supports, use the "sshd" command. The following "sshd" command prints the list of all supported ciphers:
sshd -T | grep -i "ciphers"
You can also use "nmap" to check the ciphers from a client machine with the following command:
nmap --script ssh2-enum-algos -sV -p <port> <ip address>
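As an added example (not part of the original post), the POSIX shell script below turns the verification step into a repeatable check: it reads the "ciphers" line in the form "sshd -T" prints it, reports any of the arcfour ciphers named above, and derives a hardened "Ciphers" directive with them removed. The function names (cipher_names, find_weak, harden_line, audit_sshd) are this example's own, and SAMPLE_LINE is a constructed copy of the default list quoted above so the script runs offline when sshd is not available.

```shell
#!/bin/sh
# Added example, not from the original post: audit the "ciphers" line that
# "sshd -T" prints and derive a hardened "Ciphers" directive from it.
# Function names (cipher_names, find_weak, harden_line, audit_sshd) are
# this example's own.

# Weak ciphers named in the post. Scanners commonly also flag the CBC-mode
# ciphers (3des-cbc, aes128-cbc, ...); append them here for a stricter policy.
WEAK_CIPHERS="arcfour arcfour128 arcfour256"

# cipher_names "ciphers a,b,c" -> the comma-separated list, one name per line,
# with the leading "ciphers"/"Ciphers" keyword removed.
cipher_names() {
    printf '%s\n' "$1" | sed 's/^[Cc]iphers[[:space:]]*//' | tr ',' '\n'
}

# find_weak "ciphers a,b,c" -> prints each weak cipher present, one per line,
# in the order of WEAK_CIPHERS (prints nothing if the list is clean).
find_weak() {
    names=$(cipher_names "$1")
    for w in $WEAK_CIPHERS; do
        if printf '%s\n' "$names" | grep -qxF -- "$w"; then
            printf '%s\n' "$w"
        fi
    done
}

# harden_line "ciphers a,b,c" -> prints a "Ciphers" directive for sshd_config
# with the weak ciphers removed and the original order otherwise preserved.
harden_line() {
    kept=""
    for c in $(cipher_names "$1"); do
        weak=0
        for w in $WEAK_CIPHERS; do
            [ "$c" = "$w" ] && weak=1
        done
        [ "$weak" -eq 1 ] || kept="${kept:+$kept,}$c"
    done
    printf 'Ciphers %s\n' "$kept"
}

# Constructed sample: the default cipher list quoted in the post, in the form
# "sshd -T" prints it. Used when sshd is not available (or not run as root).
SAMPLE_LINE="ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour"

# audit_sshd: report on the live server's effective configuration, falling
# back to SAMPLE_LINE. Returns 1 when weak ciphers are offered.
audit_sshd() {
    line=$(sshd -T 2>/dev/null | grep -i '^ciphers' || true)
    [ -n "$line" ] || line="$SAMPLE_LINE"
    weak=$(find_weak "$line")
    if [ -z "$weak" ]; then
        echo "OK: no weak ciphers offered"
        return 0
    fi
    echo "WEAK ciphers offered: $(printf '%s\n' "$weak" | tr '\n' ' ')"
    echo "Suggested sshd_config line:"
    harden_line "$line"
    return 1
}

# Run the audit when the file is executed; weak_found records the result so a
# wrapper can act on it (for example "exit $weak_found" in a cron check).
weak_found=0
audit_sshd || weak_found=1
```

Run it as root on the server so "sshd -T" can read the host keys and print the effective configuration; without that it falls back to the constructed sample and demonstrates the output format only. The suggested line it prints is a starting point to paste into sshd_config, after which a restart and a second run of the script should report "OK".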