Disable Weak Key Exchange Algorithm, CBC Mode in SSH

Backup /etc/sysconfig/sshd and /etc/ssh/sshd_config

cp /etc/sysconfig/sshd /etc/sysconfig/sshd.before
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.before

 

Edit /etc/sysconfig/sshd to uncomment the CRYPTO_POLICY setting

from:

# CRYPTO_POLICY=

to:

CRYPTO_POLICY=

 

Copy the following ciphers, MACs, and KexAlgorithms to /etc/ssh/sshd_config.

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

 

Verify the configuration file before restarting the SSH server.

sshd -t

If there are no errors reported, then restart the SSHD service.

systemctl restart sshd

 

Test weak CBC ciphers by executing the below command.

ssh -vv -oCiphers=3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc
<server>

 

If successful, it will prompt for a password. This means weak ciphers are enabled.

If it fails, indicating cbc ciphers are disabled, you should receive a message like this:

Unable to negotiate with 10.30.11.11 port 22: no matching cipher found.
Their offer: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

 

To test if weak MAC algorithms are enabled, run the below command:

ssh -vv -oMACs=hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com <server>

 

debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
发表评论

相关文章