How to disable Weak Cipher, insecure HMAC and Key Exchange Algorithms in SSH servers of CentOS/RHEL 6
Ciphers
Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If the specified value begins with a '+' characters, then the specified ciphers will be appended to the default set instead of replacing them.
The supported ciphers are:
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
chacha20-poly1305@openssh.comThe defaults is:
chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com,
aes128-cbc,aes192-cbc,aes256-cbc,
blowfish-cbc,cast128-cbc,3des-cbcIn order to disable the cbc , arcfour ciphers please update /etc/ssh/sshd_config with Ciphers that are required exception the cbc, arcfour ciphers.
Ciphers aes256-ctr,aes192-ctr,aes128-ctrThis line allows only AES-based ciphers with counter mode (CTR), which are considered stronger than week algorithms like MD5.
Restart the sshd service after the changes have been made.
service sshd restartMACs
MACs specifies the available MAC (message authentication code) algorithms. The MAC algorithms is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. If the specified value begin with a '+' character, then specified algorithms will be appended to the default set instead of replacing them.
The algorithms that contain “-etm" calculate the MAC after encryption (encrypt-then-mac). These are considered safer and their use recommended. The supported MACs are:
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
umac-64@openssh.com
umac-128@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.comThe default is:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
hmac-sha1-etm@openssh.com,
umac-64@openssh.com,umac-128@openssh.com,
hmac-sha2-256,hmac-sha2-512,hmac-sha1,
hmac-sha1-etm@openssh.comIn order to disable the week MAC algorithms, update /etc/ssh/sshd_config with the MACs that are required for example:
MACs hmac-sha2-256,hmac-sha2-512This line allows only HMAC-SHA2 algorithms with a 256-bit and 512-bit hash functions, respectively. These algorithms are consider stronger than 96-bit MAC algorithms.
Restart the sshd service after the changes have been made.
service sshd restartKexAlgorithms
KexAlgorithms defines the key exchange algorithms allowed by the SSH server. If the specified value begins with '+' character, then the specified key exchange algorithms will be appended to the default set instead of replacing them.
The default key exchange algorithms:
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
diffie-hellman-group-exchange-sha1
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1Modify the line to remove any week MAC algorithms. For example:
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256This line allows only the Diffie-Hellman key exchange algorithms with SHA256 for better security.
Restart the sshd service after the changes have been made.
service sshd restart
© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.