How to disable weak SSH cipher in CentOS 7

I am running CentOS 7.9 (server edition) I have been searching online for some help on how to disable weak ssh cypher. However, I do not seem to be able to fix the issue. Qualys scans keeps reporting weak cipher in ssh service. I followed some recommendations (i.e: https://www.thegeekdiary.com/how-to-disable-weak-cipher-and-insecure-hmac-algorithms-in-ssh-services-for-centos-rhel-6-and-7/) online without any luck.

I am running CentOS 7.9 (server edition)

I have been searching online for some help on how to disable weak ssh cypher. However, I do not seem to be able to fix the issue. Qualys scans keeps reporting weak cipher in ssh service. I followed some recommendations (i.e: https://www.thegeekdiary.com/how-to-disable-weak-cipher-and-insecure-hmac-algorithms-in-ssh-services-for-centos-rhel-6-and-7/) online without any luck.

Here is what my /etc/ssh/sshd_config looks like

 # Addresses Qualys QID 38739 Deprecated SSH Cryptographic Settings (CentOS 6) ## Changed this line: ##ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,cast128-cbc,aes192-cbc,aes256-cbc,[email protected] ## to this line: ciphers aes128-ctr,aes192-ctr,aes256-ctr 

Thank you for your help.

1 Answer

Step 1:

Go to below directory and uncomment the below line

Vi /etc/sysconfig/sshd

Uncomment

CRYPTO_POLICY=

Step 2:

Go to the below directories and append the below lines at the end of file

vi /etc/ssh/sshd_config

KexAlgorithms [email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr

MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]

Step 3:

systemctl restart sshd

3

ncG1vNJzZmirpJawrLvVnqmfpJ%2Bse6S7zGiorp2jqbawutJobmpqYWiDeIKOoaawZaSkeqW10pqZpZ1drLKit4ysqqFlk569qbHRZqCnZZOau7W70mZu

 Share!