Saturday 31 March 2018

How to fix SSH vulnerabilities: HMAC algorithms and CBC Ciphers in CentOS 6



SSH Protocol: Enable protocol version 2

Uncomment Protocol 2 in /etc/ssh/sshd_config as below:

[root@linuxcnf ~]# vi /etc/ssh/sshd_config
….
Protocol 2

Ciphers:

Add or modify the "Ciphers" line in /etc/ssh/sshd_config as below:

[root@linuxcnf ~]# vi /etc/ssh/sshd_config
….
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

MD5 HMACs:

Add or modify the "MACs" line in /etc/ssh/sshd_config as below:
  
[root@linuxcnf ~]# vi /etc/ssh/sshd_config
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com

Finally, restart the sshd service to apply the changes:

[root@linuxcnf ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@linuxcnf ~]#

Let’s verify the configuration changes:

[root@linuxcnf ~]# sshd -T | grep ciphers
ciphers aes128-ctr,aes192-ctr,aes256-ctr
[root@linuxcnf ~]# sshd -T | grep macs
macs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com
[root@linuxcnf ~]#
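
The three checks above can be scripted so the same audit runs on every host. The following is an added example, not part of the original post: a POSIX sh function that reads an sshd_config (or the output of `sshd -T`) on stdin and flags a missing `Protocol 2`, any CBC cipher, and any MD5 MAC; it also flags the truncated 96-bit MACs, which the MACs line in this post likewise leaves out. The two sample configurations are constructed for the example.

```shell
#!/bin/sh
# Audit sshd settings this post hardens. Reads the config on stdin, prints one
# "FAIL ..." line per finding, returns 0 when clean and 1 otherwise.
audit_sshd_config() {
    cfg=$(cat)
    rc=0
    # sshd_config honours the FIRST value of a keyword and is case-insensitive;
    # `sshd -T` prints lowercase keywords. Match both and stop at the first hit.
    getkw() { printf '%s\n' "$cfg" | awk -v k="$1" 'tolower($1)==k {print $2; exit}'; }

    proto=$(getkw protocol)
    if [ "$proto" != "2" ]; then
        echo "FAIL protocol: '${proto:-<unset>}' (want exactly 2)"; rc=1
    fi

    ciphers=$(getkw ciphers)
    if [ -z "$ciphers" ]; then
        echo "FAIL ciphers: unset (sshd's built-in default list includes CBC ciphers)"; rc=1
    else
        for c in $(printf '%s' "$ciphers" | tr ',' ' '); do
            case "$c" in
                *-cbc) echo "FAIL cipher $c: CBC mode"; rc=1 ;;
            esac
        done
    fi

    macs=$(getkw macs)
    if [ -z "$macs" ]; then
        echo "FAIL macs: unset (sshd's built-in default list includes MD5 MACs)"; rc=1
    else
        for m in $(printf '%s' "$macs" | tr ',' ' '); do
            case "$m" in
                *md5*) echo "FAIL mac $m: MD5 based"; rc=1 ;;
                *-96)  echo "FAIL mac $m: truncated 96-bit tag"; rc=1 ;;
            esac
        done
    fi
    return $rc
}

# Constructed sample: a config before the change (Protocol still commented
# out, CBC ciphers and MD5 MACs still allowed)...
SAMPLE_BEFORE='#Protocol 2
Ciphers aes128-cbc,3des-cbc,aes128-ctr,aes256-ctr
MACs hmac-md5,hmac-sha1,hmac-md5-96'

# ...and the config exactly as this post leaves it.
SAMPLE_AFTER='Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com'
```

To audit a live host, pipe the effective configuration in: `sshd -T | audit_sshd_config`.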

That’s done!!!

