To connect to remote computers, SSH is a standard protocol. Evidently, OpenSSH also has become a popular essential tool on Linux, BSD’s, OS X, and Windows. this below tutorial How to disable weak SSH ciphers in Linux
However, older OpenSSH installations may not support strong ciphers or protocols. As a result, new OpenSSH installations often enable relatively weak ciphers/protocols ensuring backward-compatibility with older clients.
Cipher is a set of procedures for performing encryption or decryption of data with SSH protocol.
The data transfer is dependable on Cipher set. By default, most server administrators always disable weak algorithms and only allow stronger ones. As a result, this leads to a mismatch in SSL ciphers in various servers.
How to disable weak SSH ciphers in Linux
Let’s now take a deep look into how our Engineers the weak algorithms. This can be done either at the server side or at the client-side.
Initially, we execute the following command within the system that we want to verify:
sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
For example, the above command can show output as given below:
gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1- ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc macs hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 kexalgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
disable SSH weak
Ensuring some compliance is mandatory and fundamental in any organization that accepts, transmits or stores any cardholder data, regardless of the size or number of transactions. SSH-enabled access to critical systems and data is a vital factor in gaining and remaining compliant vendor.
so I have disable all diffie on /etc/ssh/sshd_config
At last, to make the changes effective in SSH, we restart sshd service
service sshd restart