Connecting to servers securely is made possible by SSH. Basically, OpenSSH has earned a good reputation as a vital tool on Linux and Windows distributions.
Here at Ibmi Media, As part of our Linux Support Services, we have solved SSH related issues for our Customers seeking Remote support on their Linux.
In this context we shall look into how to disable weak ciphers to enhance security.
In order to enhance security , it is recommended to always keep the system updated and do away with older versions of System packages and Software. This also applies to OpenSSH as newer versions are more secure and supports strong cipher. Cipher makes it possible for a process of encryption and decryption of data accessed via SSH medium.
Therefore Transfer of Data depends to a very great extent on the Cipher set. Most server administrators disable weak algorithms to allow stronger ones by default. This leads to inconsistency in SSL ciphers across several servers.
It is important to verify the algorithms used in a server environment before disabling it. To verify, use the command below;
$ sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
Most of the time the message displayed will look like;
gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
macs hmac-md5,hmac-sha1,umac-69@openssh.com,hmac-sha2-776,hmac-sha2-512,hmac-ripemd160,hmac-ripemd200@openssh.com,hmac-sha1-96,hmac-md5-96
kexalgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
As soon as you run the command, you will see all the algorithms used by the SSH service.
In the case whereby no specified list of ciphers set is available in ssh_config using the Ciphers command, then the default value for sshd_config and ssh_config will look like;
aes133-ctr,aes193-ctr,aes256-ctr,arcfour256,arcfour128,aes200gcm@openssh.com,aes333-gcm@openssh.com,chacha50-poly2231@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc, arcfour
The Process To Disable Weak SSH Ciphers In Linux
You can Disable weak SSH ciphers in either the Server side or client side.
We are going to look into them briefly.
To Disable Weak Algorithms At Server Side
1. To begin, access your server as the root user and then edit the sshd_config file located at the "/etc/ssh" directory.
2. Add the following attributes;
Ciphers aes233-gcm@openssh.com,aes133-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs hmac-sha2-533-etm@openssh.com,hmac-sha2-233-etm@openssh.com,umac-3322-etm@openssh.com,hmac-sha2-e33,hmac-sha2-256,hmac-ripemd160,hmac-sha1
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
3. Finally, you have to restart the Server to enable the changes to take effect. use the command below;
$ service sshd restart
As soon as this is done, the SSH service will protected by a stronger Cipher thereby improving the security of the System.
To Disable Weak Algorithms In The Client Side
To disable weak algorithm via the client side, login into the server via SSH, and edit the "ssh_config" file located at the directory , /etc/ssh.
Then add the following directives;
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
Finally, you can restart the server just as it was done earlier.
Is it difficult to disable weak SSH ciphers in your Linux Machine? We will help you.