How to disable Weak Cipher, insecure HMAC and Key Exchange Algorithms in SSH servers of CentOS/RHEL 6

Ciphers

Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If the specified value begins with a '+' character, the specified ciphers are appended to the default set instead of replacing it.

The supported ciphers are:

3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc chacha20-poly1305@openssh.com

The default is:

chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc

To disable the CBC and arcfour ciphers, update /etc/ssh/sshd_config with a Ciphers line that lists only the ciphers you require, leaving out the CBC and arcfour ones. For example:

Ciphers aes256-ctr,aes192-ctr,aes128-ctr

This line allows only AES ciphers in counter mode (CTR), which are considered stronger than weak algorithms like MD5.

Restart the sshd service after the changes have been made.

MACs

MACs specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. If the specified value begins with a '+' character, the specified algorithms are appended to the default set instead of replacing it.

The algorithms whose names contain "-etm" calculate the MAC after encryption (encrypt-then-MAC). These are considered safer and their use is recommended. The supported MACs are:

The default is:

To disable the weak MAC algorithms, update /etc/ssh/sshd_config with a MACs line that lists only the algorithms you require, for example:

This line allows only HMAC-SHA2 algorithms with 256-bit and 512-bit hash functions, respectively. These algorithms are considered stronger than 96-bit MAC algorithms.

Restart the sshd service after the changes have been made.

KexAlgorithms

KexAlgorithms defines the key exchange algorithms allowed by the SSH server. If the specified value begins with a '+' character, the specified key exchange algorithms are appended to the default set instead of replacing it.

The default key exchange algorithms:

Modify the line to remove any weak key exchange algorithms. For example:

This line allows only the Diffie-Hellman key exchange algorithms with SHA256 for better security.

Restart the sshd service after the changes have been made.
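The three edits above, and the syntax check that should precede each restart, as an added bash example (not from this article or DataCore): set_sshd_option rewrites one keyword in an sshd_config-style file idempotently, and harden_sshd_config applies the Ciphers value quoted above together with MACs and KexAlgorithms values that are assumptions matching the article's descriptions (hmac-sha2-512, hmac-sha2-256 and diffie-hellman-group-exchange-sha256), since the page itself does not quote them.

```shell
#!/bin/bash
# set_sshd_option FILE KEY VALUE: replace every active (uncommented) global
# line for KEY with "KEY VALUE", or append one if none exists. Commented
# lines and lines inside Match blocks (conditional overrides) are left alone.
set_sshd_option() {
    local cfg="$1" key="$2" value="$3" tmp rc
    tmp="$(mktemp "${cfg}.XXXXXX")" || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { lk = tolower(key) }
        { k = $1; sub(/=.*/, "", k); k = tolower(k) }   # also handles "Key=value"
        !in_match && k == "match" {                      # insert before first Match
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        !in_match && k == lk {                           # drop old active lines
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps the file mode and inode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
# get_sshd_option FILE KEY: print the value sshd uses (first active global line).
get_sshd_option() {
    awk -v key="$2" '
        BEGIN { lk = tolower(key) }
        { k = $1; sub(/=.*/, "", k); k = tolower(k) }
        k == "match" { exit }
        k == lk { sub(/^[ \t]*[^ \t=]+[ \t=]+/, ""); print; exit }
    ' "$1"
}

# Ciphers value is the article's own; MACs and KexAlgorithms values are
# assumptions matching its descriptions, not values quoted on the page.
harden_sshd_config() {
    set_sshd_option "$1" Ciphers       aes256-ctr,aes192-ctr,aes128-ctr
    set_sshd_option "$1" MACs          hmac-sha2-512,hmac-sha2-256
    set_sshd_option "$1" KexAlgorithms diffie-hellman-group-exchange-sha256
}

# Syntax-check the file before restarting; a rejected sshd_config would leave
# sshd down and lock out new logins. "service" is the SysV tool on RHEL 6.
validate_and_restart() {
    /usr/sbin/sshd -t -f "$1" || { echo "sshd_config rejected, not restarting" >&2; return 1; }
    service sshd restart
}
```

On a host, run as root: harden_sshd_config /etc/ssh/sshd_config && validate_and_restart /etc/ssh/sshd_config.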

© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.