SSH Server CBC Mode Ciphers - SSH Weak Algorithms

posted Jun 3, 2019, 8:32 AM by Andrew Chadick   [ updated Feb 8, 2021, 4:36 PM ]

You may have had a security scan of your web server, and found the results of a weak algorithm with your SSH "Cipher Block Chain" Mode Ciphers - See Wikipedia for details.

  1. SSH Server CBC Mode Ciphers Enabled
  2. SSH Weak MAC Algorithms Enabled

The default /etc/ssh/sshd_config file may contain lines similar to the ones below:

  1. # default is aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
  2. # aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
  3. # aes256-cbc,arcfour
  4. # default is hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

To disable CBC mode ciphers and weak MAC algorithms, add the following lines into the:

nano  /etc/ssh/sshd_config

  1. Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
  2. MACs hmac-sha1,,hmac-ripemd160

Restart after you have made these changes.

SSH -Q cipher
sudo systemctl status sshd
ls -la ~/.ssh