Saturday, 31 March 2018

How to fix SSH vulnerabilities: HMAC algorithms and CBC Ciphers in CentOS 6



SSH Protocol: Enable protocol version 2

Uncomment Protocol 2 in /etc/ssh/sshd_config as below:

[root@linuxcnf ~]# vi /etc/ssh/sshd_config
….
Protocol 2

Ciphers:

Add or modify the "Ciphers" line in /etc/ssh/sshd_config as below:

[root@linuxcnf ~]# vi /etc/ssh/sshd_config
….
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

MD5 HMACs:

Add or modify the "MACs" line in /etc/ssh/sshd_config as below:
  
[root@linuxcnf ~]# vi /etc/ssh/sshd_config
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com

Finally, restart sshd service to apply the changes:

[root@linuxcnf ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@linuxcnf ~]#

Let’s verify the configuration changes:

[root@linuxcnf ~]#sshd -T |grep ciphers
ciphers aes128-ctr,aes192-ctr,aes256-ctr
[root@linuxcnf ~]#sshd -T |grep macs
macs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com
[root@linuxcnf ~]#

That’s done!!!


2 comments:

  1. SSH remains one of the most critical services exposed on Linux servers, and securing it properly is essential for maintaining confidentiality and integrity. The discussion on secure encryption standards, authentication mechanisms, and vulnerability mitigation makes this article highly relevant for professionals and students exploring Information Security Projects and understanding modern system hardening practices.

    ReplyDelete
  2. The techniques presented here also provide valuable insights into secure remote administration, attack prevention, and defensive strategies used in enterprise environments. These concepts align closely with Cyber Security Projects for Final Year Students, where practical knowledge of vulnerability mitigation and secure system design plays a crucial role.

    ReplyDelete