On our portal server, the following need to be disabled/removed:
(rec) -diffie-hellman-group1-sha1 -- kex algorithm to remove
(rec) -diffie-hellman-group-exchange-sha1 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove
(rec) -3des-cbc -- enc algorithm to remove
(rec) -aes128-cbc -- enc algorithm to remove
(rec) -aes192-cbc -- enc algorithm to remove
(rec) -aes256-cbc -- enc algorithm to remove
Release : 5.1
Apply the appropriate steps mentioned in the below article:
https://www.ssh-audit.com/hardening_guides.html#rhel7
Details in case link changes:
Note: all commands below are to be executed as the root user.
Before restarting sshd:
Modify the file directly: comment out the first Ciphers list and update it as required
# vi /etc/ssh/sshd_config
# service sshd restart
# Per CCE-CCE-27295-5: Set Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc in /etc/ssh/sshd_config
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
Restart OpenSSH server
systemctl restart sshd.service
NOTE: It is also recommended to run yum update.
You can check ciphers currently used by your server with:
Before applying the step in the article:
Ciphers:
# sshd -T | grep ciphers | perl -pe 's/,/\n/g' | sort -u
/etc/ssh/sshd_config line 173: Deprecated option RhostsRSAAuthentication
3des-cbc
aes128-cbc
aes128-ctr
aes128-gcm@openssh.com
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
aes256-gcm@openssh.com
blowfish-cbc
cast128-cbc
ciphers chacha20-poly1305@openssh.com
mac:
sshd -T | grep mac | perl -pe 's/,/\n/g' | sort -u
/etc/ssh/sshd_config line 173: Deprecated option RhostsRSAAuthentication
hmac-sha1
hmac-sha1-etm@openssh.com
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-512-etm@openssh.com
macs umac-64-etm@openssh.com
umac-128-etm@openssh.com
umac-128@openssh.com
umac-64@openssh.com
kex:
bash-4.2# sshd -T | grep kex | perl -pe 's/,/\n/g' | sort -u
/etc/ssh/sshd_config line 173: Deprecated option RhostsRSAAuthentication
curve25519-sha256@libssh.org
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group1-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
gssapikexalgorithms gss-gex-sha1-
gss-group14-sha1-
gss-group1-sha1-
kexalgorithms curve25519-sha256
Results after applying the hardening article: /etc/ssh/sshd_config
# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
# hardening guide.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
Cipher:
# sshd -T | grep ciphers | perl -pe 's/,/\n/g' | sort -u
/etc/ssh/sshd_config line 173: Deprecated option RhostsRSAAuthentication
aes128-ctr
aes128-gcm@openssh.com
aes192-ctr
aes256-ctr
aes256-gcm@openssh.com
ciphers chacha20-poly1305@openssh.com
mac:
# sshd -T | grep mac | perl -pe 's/,/\n/g' | sort -u
/etc/ssh/sshd_config line 173: Deprecated option RhostsRSAAuthentication
hmac-sha2-512-etm@openssh.com
macs hmac-sha2-256-etm@openssh.com
umac-128-etm@openssh.com
kex:
bash-4.2# sshd -T | grep kex | perl -pe 's/,/\n/g' | sort -u
/etc/ssh/sshd_config line 173: Deprecated option RhostsRSAAuthentication
curve25519-sha256@libssh.org
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha256
gssapikexalgorithms gss-gex-sha1-
gss-group14-sha1-
gss-group1-sha1-
kexalgorithms curve25519-sha256
The article and the tests above assume perl is installed.
Perl is only used to format the output; without it, use these commands before and after implementing the hardening steps for CentOS 7:
# sshd -T | grep kex
# sshd -T | grep mac
# sshd -T | grep cipher
Note that the following commands show the schemes your client/server can support:
# ssh -Q kex
# ssh -Q cipher
# ssh -Q mac
No matter what you change in /etc/ssh/sshd_config, their results do not change.
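A perl-free check for the before/after comparison described above, as an added example that is not part of the original article: it reads `sshd -T` output and reports any algorithm from the removal list that is still enabled. The function name, the sample data (constructed, abbreviated from the listings above) and the `hostkeyalgorithms` option name are assumptions.

```shell
#!/bin/sh
# Removal list copied from the top of this article (kex, key and enc entries).
DENY="diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1"
DENY="$DENY ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521"
DENY="$DENY ecdsa-sha2-nistp256 3des-cbc aes128-cbc aes192-cbc aes256-cbc"

# Reads `sshd -T` output on stdin and prints "<option> <algorithm>" for every
# removal-list algorithm still enabled. Returns 1 if any was found, else 0.
# Live use (as root): sshd -T 2>/dev/null | flag_weak_algos
flag_weak_algos() {
    awk -v deny="$DENY" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        # Match exact option names only, so gssapikexalgorithms and the
        # "Deprecated option" warning line are skipped.
        # Assumption: this sshd build prints a hostkeyalgorithms line.
        $1 == "kexalgorithms" || $1 == "ciphers" || $1 == "hostkeyalgorithms" {
            m = split($2, a, ",")
            for (i = 1; i <= m; i++)
                if (a[i] in bad) { print $1, a[i]; hit = 1 }
        }
        END { exit (hit ? 1 : 0) }
    '
}

# Constructed sample, abbreviated from the "before" listings above.
sample_before() {
cat <<'EOF'
/etc/ssh/sshd_config line 173: Deprecated option RhostsRSAAuthentication
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc,3des-cbc
macs umac-64-etm@openssh.com,hmac-sha1
gssapikexalgorithms gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ecdh-sha2-nistp256
EOF
}

# Constructed sample using the hardened values shown in this article.
sample_after() {
cat <<'EOF'
/etc/ssh/sshd_config line 173: Deprecated option RhostsRSAAuthentication
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
gssapikexalgorithms gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256
EOF
}

echo "before:"; sample_before | flag_weak_algos || echo "-> removal-list algorithms still enabled"
echo "after:";  sample_after  | flag_weak_algos && echo "-> clean"
```

The non-zero return code makes the function usable as a gate in a post-change verification script.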