SSH Server CBC Mode Ciphers - SSH Weak Algorithms

Post date: Jun 03, 2019 3:32:39 PM

You may have had a security scan of your web server, and found the results of a weak algorithm with your SSH "Cipher Block Chain" Mode Ciphers - See Wikipedia for details.

  1. SSH Server CBC Mode Ciphers Enabled

  2. SSH Weak MAC Algorithms Enabled

The default /etc/ssh/sshd_config file may contain lines similar to the ones below:

  1. # default is aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,

  2. # aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,

  3. # aes256-cbc,arcfour


  4. # default is hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

To disable CBC mode ciphers and weak MAC algorithms, add the following lines into the:

nano /etc/ssh/sshd_config

  1. Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128

  2. MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160

Restart after you have made these changes.

SSH -Q cipher

sudo systemctl status sshd

ls -la ~/.ssh