
Ciphers

Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If the specified value begins with a '+' character, then the specified ciphers will be appended to the default set instead of replacing it.

The supported ciphers are:

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
chacha20-poly1305@openssh.com

The default is:

chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com,
aes128-cbc,aes192-cbc,aes256-cbc,
blowfish-cbc,cast128-cbc,3des-cbc

To disable the CBC and arcfour ciphers, set Ciphers in /etc/ssh/sshd_config to only the ciphers that are required, leaving out the CBC and arcfour ciphers. For example:

Ciphers aes256-ctr,aes192-ctr,aes128-ctr

This line allows only AES-based ciphers in counter mode (CTR), which are considered stronger than weak algorithms like MD5.

Restart the sshd service after the changes have been made.

service sshd restart

MACs

MACs specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. If the specified value begins with a '+' character, then the specified algorithms will be appended to the default set instead of replacing it.

The algorithms that contain "-etm" calculate the MAC after encryption (encrypt-then-MAC). These are considered safer and their use is recommended. The supported MACs are:

hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
umac-64@openssh.com
umac-128@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com

The default is:

umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
hmac-sha1-etm@openssh.com,
umac-64@openssh.com,umac-128@openssh.com,
hmac-sha2-256,hmac-sha2-512,hmac-sha1,
hmac-sha1-etm@openssh.com

To disable the weak MAC algorithms, set MACs in /etc/ssh/sshd_config to only the algorithms that are required. For example:

MACs hmac-sha2-256,hmac-sha2-512

This line allows only HMAC-SHA2 algorithms with 256-bit and 512-bit hash functions, respectively. These algorithms are considered stronger than the 96-bit (truncated) MAC algorithms.

Restart the sshd service after the changes have been made.

service sshd restart

KexAlgorithms

KexAlgorithms defines the key exchange algorithms allowed by the SSH server. If the specified value begins with a '+' character, then the specified key exchange algorithms will be appended to the default set instead of replacing it.

The default key exchange algorithms:

ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
diffie-hellman-group-exchange-sha1
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1

Modify the line to remove any weak key exchange algorithms. For example:

KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256

This line allows only the Diffie-Hellman key exchange algorithms that use SHA-256, for better security.

Restart the sshd service after the changes have been made.

service sshd restart
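The three directives above can be audited before restarting sshd with a small POSIX shell script. This is an added example, not part of the original page; the two sshd_config fragments are constructed, and the patterns that decide what counts as weak are this example's own assumptions (CBC and arcfour ciphers; MD5, SHA-1, RIPEMD and 96-bit MACs; SHA-1 or group1 key exchange).

```shell
#!/bin/sh
# Constructed sshd_config fragments (not from a real host): one carrying the
# weak algorithms discussed above, one matching the hardened lines above.
SAMPLE_CONFIG='Port 22
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes128-cbc,3des-cbc
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1-96
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group1-sha1'
HARDENED_CONFIG='Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256,hmac-sha2-512
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256'

# Patterns treated as weak (assumption of this example): CBC and arcfour
# ciphers; MD5, SHA-1, RIPEMD and 96-bit truncated MACs; SHA-1 or group1 kex.
WEAK_CIPHER_RE='cbc|arcfour'
WEAK_MAC_RE='md5|sha1|ripemd|-96'
WEAK_KEX_RE='sha1$|group1-'

# weak_algos CONFIG KEYWORD REGEX: prints the comma-separated weak entries in
# the first occurrence of KEYWORD (sshd honours the first one), or nothing.
weak_algos() {
    printf '%s\n' "$1" \
      | awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' \
      | tr ',' '\n' \
      | grep -E -e "$3" \
      | tr '\n' ',' | sed 's/,$//'
}

# audit_sshd_config CONFIG: reports each directive; returns 1 if any is weak.
audit_sshd_config() {
    cfg=$1 rc=0
    for spec in "Ciphers:$WEAK_CIPHER_RE" "MACs:$WEAK_MAC_RE" "KexAlgorithms:$WEAK_KEX_RE"; do
        key=${spec%%:*} re=${spec#*:}
        found=$(weak_algos "$cfg" "$key" "$re")
        if [ -n "$found" ]; then
            echo "WEAK $key: $found"; rc=1
        else
            echo "ok   $key"
        fi
    done
    return $rc
}

audit_sshd_config "$SAMPLE_CONFIG"   || echo "-> sample config needs hardening"
audit_sshd_config "$HARDENED_CONFIG" && echo "-> hardened config is clean"
```

On a live host, audit_sshd_config "$(sshd -T)" checks the effective configuration rather than the file; sshd -T prints keywords in lowercase, which the case-insensitive match in weak_algos accepts.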
