How to disable weak SSH ciphers in Linux

To connect to remote computers, SSH is a standard protocol. Evidently, OpenSSH also has become a popular essential tool on Linux, BSD’s, OS X, and Windows. this below tutorial How to disable weak SSH ciphers in Linux

However, older OpenSSH installations may not support strong ciphers or protocols. As a result, new OpenSSH installations often enable relatively weak ciphers/protocols ensuring backward-compatibility with older clients.

Cipher is a set of procedures for performing encryption or decryption of data with SSH protocol.

The data transfer is dependable on Cipher set. By default, most server administrators always disable weak algorithms and only allow stronger ones. As a result, this leads to a mismatch in SSL ciphers in various servers.

How to disable weak SSH ciphers in Linux

Let’s now take a deep look into how our Engineers the weak algorithms. This can be done either at the server side or at the client-side.
Initially, we execute the following command within the system that we want to verify:

sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"

For example, the above command can show output as given below:

gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
macs hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
kexalgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

disable SSH weak

Ensuring some compliance is mandatory and fundamental in any organization that accepts, transmits or stores any cardholder data, regardless of the size or number of transactions. SSH-enabled access to critical systems and data is a vital factor in gaining and remaining compliant vendor.

so I have disable all diffie on /etc/ssh/sshd_config

KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

At last, to make the changes effective in SSH, we restart sshd service

service sshd restart

That’s it!

YOU CAN SUPPORT DEVNINJA WITH A CUP OF COFFEE

As we continue to grow, we would wish to reach and impact more people who visit and take advantage of the guides we have on our blog. This is a big task for us and we are so far extremely grateful for the kind people who have shown amazing support for our work over the time we have been online. to search or browse the published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or more ) as a token of appreciation.

How to disable weak SSH ciphers in Linux

How to disable weak SSH ciphers in Linux

disable SSH weak

YOU CAN SUPPORT DEVNINJA WITH A CUP OF COFFEE

How to Install Go Golang on CentOS 7 RHEL 7

How to Change SSH Port When Selinux is Enable on CentOS Linux 7

How to solve the problem “CHECK_NRPE: (ssl_err != 5) Error Nagios

LEAVE A REPLY Cancel reply

Most Popular

Argo CD server address unspecified

Install Helm on CentOS 7

How to Install Go Golang on CentOS 7 RHEL 7

vCenter Server SSH received disconnect Too many authentication failures

Recent Comments

EDITOR PICKS

How to Install an LetsEncrypt SSL Certificate on Zimbra Mail Server (UPDATE!)

Get Mailbox usage report Zimbra

POPULAR POSTS

Argo CD server address unspecified

Install Helm on CentOS 7

How To Recovery Losing ec2 KeyPair

POPULAR CATEGORY

ABOUT US

FOLLOW US