SSH (Secure Shell) is a protocol used to secure remote access to servers and other network devices. However, the default SSH configurations may include weak ciphers that pose security risks.
In this article we will see how to disable weak ciphers to secure remote access.
Understanding Weak Ciphers in SSH
Let's first see what a cipher is in SSH, to understand why we need to disable weak ones.
Ciphers are the algorithms used to encrypt the communication between client and server, so allowing outdated ciphers leaves the connection exposed to known attacks against those algorithms.
Step-by-Step Guide to Disable Weak Ciphers in SSH
Step 1: Create a backup of the SSH configuration
It is recommended to create a backup so that, if any issues arise, we can revert to the previous settings:
#cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup
Step 2: Edit the SSH configuration
Use vi command to edit the file :
#vi /etc/ssh/sshd_config
Step 3: Disable weak ciphers
Locate the Ciphers line and remove any weak ciphers from the list:
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,3des-cbc,aes128-cbc,aes192-cbc,blowfish-cbc,aes256-cbc,cast128-cbc
In my example I removed 3des-cbc and blowfish-cbc from the list:
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,cast128-cbc
Save and exit the file.
Note that if you did not find any Ciphers line, you can simply add one.
Step 4: Restart the sshd service
After disabling the weak ciphers, restart the sshd service (validating the file first with sshd -t catches a typo that would otherwise stop sshd from starting and lock you out):
[root@Linux ~]# systemctl restart sshd
Step 5: Check the SSH connection
Now we need to check that the weak ciphers are no longer used. To do that, connect to the remote server with ssh using the -vv parameter:
[root@Linux ~]# ssh -vv root@remote_server-IP
You get a long output like this:
[root@ple35spacewalk ~]# ssh -vv ansible@172.16.3.1
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug2: resolving "172.16.3.1" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 172.16.3.1 [172.16.3.1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x0400
. . .
Locate the lines that list the ciphers. With -vv, the server's own offer appears under "peer server KEXINIT proposal" as the "debug2: ciphers ctos:" and "debug2: ciphers stoc:" lines (the client's proposal, printed earlier, is not what we are checking). Those server lines should no longer contain any weak cipher. If they don't, everything is OK:
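The steps above (back up, edit the Ciphers line, restart, verify) can be scripted so the edit is reproducible and the check does not depend on reading a long transcript by eye. The script below is an added example and is not code from the original article. It assumes a deny list of the two ciphers the article removes (WEAK_CIPHERS), a fallback list of the remaining strong ciphers from the article (STRONG_DEFAULT), and constructed sample data for the demo; the function and variable names are the example's own. The sshd_config edit and the parsing of ssh -vv output share the same deny-list helper, so one block serves Step 3 and Step 5.

```shell
#!/bin/sh
# Added example, not code from the original article. It automates the
# article's steps against an sshd_config and checks an "ssh -vv" transcript.
# WEAK_CIPHERS (the two ciphers the article removes) and STRONG_DEFAULT
# are assumptions: adjust them to your own policy.
set -eu

WEAK_CIPHERS="3des-cbc,blowfish-cbc"
STRONG_DEFAULT="chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com"

# is_weak NAME: succeeds when NAME is in the deny list.
is_weak() {
    case ",$WEAK_CIPHERS," in
        *",$1,"*) return 0 ;;
    esac
    return 1
}

# filter_ciphers LIST: prints the comma-separated LIST minus weak entries.
filter_ciphers() {
    out=""
    old_ifs=$IFS; IFS=','
    for c in $1; do
        if ! is_weak "$c"; then out="${out:+$out,}$c"; fi
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# list_weak LIST: prints every weak entry of LIST, one per line.
list_weak() {
    old_ifs=$IFS; IFS=','
    for c in $1; do
        is_weak "$c" && printf '%s\n' "$c"
    done
    IFS=$old_ifs
    return 0
}

# harden_config FILE: back FILE up, then rewrite (or add) its Ciphers line.
# Commented-out "#Ciphers" lines are ignored, just as sshd ignores them.
harden_config() {
    f=$1
    cp "$f" "$f.backup"
    current=$(sed -n 's/^[[:space:]]*[Cc]iphers[[:space:]]\{1,\}//p' "$f" | head -n 1)
    if [ -z "$current" ]; then
        printf 'Ciphers %s\n' "$STRONG_DEFAULT" >> "$f"   # no line yet: add one
        return 0
    fi
    new=$(filter_ciphers "$current")
    # If filtering emptied the list, fall back rather than write an invalid line.
    [ -n "$new" ] || new=$STRONG_DEFAULT
    sed "s|^[[:space:]]*[Cc]iphers[[:space:]].*|Ciphers $new|" "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# check_proposal: reads "ssh -vv" output on stdin and prints any weak cipher
# the server proposed (the "peer server KEXINIT proposal" block), deduplicated.
check_proposal() {
    awk '/peer server KEXINIT proposal/ { srv = 1; next }
         srv && /^debug2: ciphers (ctos|stoc): / { print $4 }' \
    | while IFS= read -r lst; do list_weak "$lst"; done \
    | sort -u
}

# --- Demo on constructed data; nothing under /etc is touched. -------------
demo=$(mktemp)
# Constructed sample: the full cipher line shown in the article.
printf 'Port 22\nCiphers %s\n' \
  "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,3des-cbc,aes128-cbc,aes192-cbc,blowfish-cbc,aes256-cbc,cast128-cbc" > "$demo"
harden_config "$demo"
echo "Rewritten line:"; grep '^Ciphers' "$demo"
rm -f "$demo" "$demo.backup"

# Constructed excerpt of "ssh -vv" output from a server still offering 3des-cbc.
VERBOSE_SAMPLE='debug2: local client KEXINIT proposal
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr
debug2: peer server KEXINIT proposal
debug2: ciphers ctos: aes128-ctr,3des-cbc
debug2: ciphers stoc: aes128-ctr,3des-cbc
debug1: kex: algorithm: curve25519-sha256'
echo "Weak ciphers offered by the server:"
printf '%s\n' "$VERBOSE_SAMPLE" | check_proposal

# Real use (as root):  harden_config /etc/ssh/sshd_config && sshd -t \
#   && systemctl restart sshd && sshd -T | grep -i '^ciphers'
```

On a real host, run harden_config against /etc/ssh/sshd_config, then `sshd -t` to validate the file before `systemctl restart sshd`; `sshd -T` prints the effective configuration, so `sshd -T | grep -i '^ciphers'` confirms server-side what the ssh -vv transcript shows from the client side. Many hardening baselines also drop the remaining *-cbc entries, which the article keeps; extend WEAK_CIPHERS accordingly if your policy requires it.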

Check this article to see how to disable Weak SSH Key Exchange Algorithms