On our portal server the algorithms below need to be disabled/removed (ssh-audit findings):
(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove
(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove
(rec) -3des-cbc -- enc algorithm to remove
(rec) -aes128-cbc -- enc algorithm to remove
(rec) -aes192-cbc -- enc algorithm to remove
(rec) -aes256-cbc -- enc algorithm to remove
Release : 5.1
Apply the appropriate steps mentioned in the below article:
https://www.ssh-audit.com/hardening_guides.html#rhel7
Details in case link changes:
Note: all commands below are to be executed as the root user.
Before restarting sshd, edit the file directly: comment out the existing Ciphers line (the one set per CCE-27295-5) and replace it with the hardened list:
# vi /etc/ssh/sshd_config
# Per CCE-CCE-27295-5: Set Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc in /etc/ssh/sshd_config
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
Restart the OpenSSH server (either form works on RHEL/CentOS 7):
# service sshd restart
# systemctl restart sshd.service
NOTE: it is also recommended to run yum update.
You can check the ciphers, MACs and key-exchange algorithms currently used by your server with the commands below (sshd -T prints the effective configuration). The "Deprecated option RhostsRSAAuthentication" line in each output is a warning about a stale directive at line 173 of /etc/ssh/sshd_config, not an algorithm.
Before applying the steps in the article:
Ciphers:
# sshd -T | grep ciphers | perl -pe 's/,/\n/g' | sort -u
/etc/ssh/sshd_config line 173: Deprecated option RhostsRSAAuthentication
3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
blowfish-cbc
cast128-cbc
ciphers chacha20-poly1305@openssh.com
mac:
# sshd -T | grep mac | perl -pe 's/,/\n/g' | sort -u
/etc/ssh/sshd_config line 173: Deprecated option RhostsRSAAuthentication
hmac-sha1
hmac-sha2-256
hmac-sha2-512
macs umac-64-etm@openssh.com
kex:
bash-4.2# sshd -T | grep kex | perl -pe 's/,/\n/g' | sort -u
/etc/ssh/sshd_config line 173: Deprecated option RhostsRSAAuthentication
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group1-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
gssapikexalgorithms gss-gex-sha1-
gss-group14-sha1-
gss-group1-sha1-
kexalgorithms curve25519-sha256
Results after applying the hardening article (/etc/ssh/sshd_config):
# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
# hardening guide.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
Ciphers:
# sshd -T | grep ciphers | perl -pe 's/,/\n/g' | sort -u
/etc/ssh/sshd_config line 173: Deprecated option RhostsRSAAuthentication
aes128-ctr
aes192-ctr
aes256-ctr
ciphers chacha20-poly1305@openssh.com
mac:
# sshd -T | grep mac | perl -pe 's/,/\n/g' | sort -u
/etc/ssh/sshd_config line 173: Deprecated option RhostsRSAAuthentication
macs hmac-sha2-256-etm@openssh.com
kex:
bash-4.2# sshd -T | grep kex | perl -pe 's/,/\n/g' | sort -u
/etc/ssh/sshd_config line 173: Deprecated option RhostsRSAAuthentication
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha256
gssapikexalgorithms gss-gex-sha1-
gss-group14-sha1-
gss-group1-sha1-
kexalgorithms curve25519-sha256
Note that the gss-* entries are still SHA-1 based after hardening: they come from the separate gssapikexalgorithms directive (GSSAPIKexAlgorithms, RHEL's GSSAPI key-exchange support), which KexAlgorithms does not affect, so they need their own directive if they are to be removed.
The article and the checks above assume perl is installed. Perl is only used to put one algorithm per line; the plain commands below work without it. Use them before and after implementing the hardening steps on CentOS 7:
# sshd -T | grep kex
# sshd -T | grep mac
# sshd -T | grep cipher
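As an added example (not part of the original note or of the ssh-audit guide), here is a perl-free version of those checks that parses sshd -T output and also flags the algorithm families listed at the top of this note (SHA-1 kex and MACs, CBC ciphers, NIST P-curve ECDH). The sshd -T text inside it is constructed, modelled on the before/after lists in this note rather than captured from the portal server, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original note: a perl-free check of the
# effective sshd algorithm lists. It parses "sshd -T" output and flags the
# families the ssh-audit findings above say to remove (SHA-1 kex/MACs,
# CBC ciphers, NIST P-curve ECDH). Against a live server run:
#   sshd -T 2>/dev/null | check_sshd_algos
# Here it runs on constructed sample output so it can be tried offline.

# Constructed sample modelled on the pre-hardening lists in the note
# (not a capture from the portal server).
SAMPLE_SSHD_T='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc,3des-cbc
macs umac-64-etm@openssh.com,hmac-sha2-256,hmac-sha1
kexalgorithms curve25519-sha256,diffie-hellman-group1-sha1,ecdh-sha2-nistp256
gssapikexalgorithms gss-gex-sha1-,gss-group14-sha1-'

# Constructed sample modelled on the post-hardening lists; the GSSAPI kex line
# is left as it was, since KexAlgorithms does not control it.
HARDENED_SSHD_T='ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
macs hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
kexalgorithms curve25519-sha256,diffie-hellman-group16-sha512
gssapikexalgorithms gss-gex-sha1-,gss-group14-sha1-'

# One algorithm per line, sorted and de-duplicated, for one sshd -T keyword.
# $1 = keyword exactly as sshd -T prints it (ciphers, macs, kexalgorithms, ...);
# sshd -T text on stdin. Same result as the perl one-liner in the note.
list_algos() {
    awk -v key="$1" '$1 == key { n = split($2, a, ","); for (i = 1; i <= n; i++) print a[i] }' \
        | LC_ALL=C sort -u
}

# Only the entries that match a family flagged in the findings above.
# Exit status is always 0; an empty result means nothing was flagged.
weak_algos() {
    list_algos "$1" | grep -E '(sha1|sha1-|sha1-etm@openssh\.com|-cbc|nistp(256|384|521))$' || true
}

# Report every keyword that still allows a flagged algorithm.
# Returns 0 when ciphers, MACs, kex and GSSAPI kex are all clean, 1 otherwise.
check_sshd_algos() {
    input=$(cat)
    rc=0
    for key in ciphers macs kexalgorithms gssapikexalgorithms; do
        weak=$(printf '%s\n' "$input" | weak_algos "$key")
        if [ -n "$weak" ]; then
            printf '%s still allows:\n%s\n' "$key" "$weak"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed samples: the first reports several keywords,
# the second reports only gssapikexalgorithms.
for sample in "$SAMPLE_SSHD_T" "$HARDENED_SSHD_T"; do
    if printf '%s\n' "$sample" | check_sshd_algos; then
        echo "no flagged algorithms"
    else
        echo "flagged algorithms remain"
    fi
    echo "---"
done
```

Because it reads sshd -T rather than sshd_config, it reports what the running daemon will actually offer after the restart, including directives you did not edit (the GSSAPI kex list is the case that shows up on this server).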
Note the difference: the following commands list every algorithm the installed OpenSSH client/server binaries support, not what is enabled.
# ssh -Q kex
# ssh -Q cipher
# ssh -Q MAC
No matter what you change in /etc/ssh/sshd_config, this output does not change; use sshd -T (above) to see what the server actually offers.