Saturday 31 March 2018

How to fix SSH vulnerabilities: HMAC algorithms and CBC Ciphers in CentOS 7



SSH Protocol: Enable protocol version 2 only. Uncomment the Protocol 2 line in /etc/ssh/sshd_config as below:

[root@linuxcnf  ~]# vi /etc/ssh/sshd_config
….
Protocol 2

CBC Ciphers: Add or modify the "Ciphers" line in /etc/ssh/sshd_config as below, so that only CTR-mode ciphers are offered and the CBC ciphers are dropped:

[root@linuxcnf  ~]# vi /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

MD5 HMACs: Add or modify the "MACs" line in /etc/ssh/sshd_config as below, so that the MD5-based MACs are no longer offered:

[root@linuxcnf  ~]# vi /etc/ssh/sshd_config
MACs hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160

Finally, restart sshd service to apply the changes:

[root@linuxcnf  ~]# service sshd restart
Redirecting to /bin/systemctl restart sshd.service
[root@linuxcnf ~]#

Done!!!
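A small audit script, added here as an example and not part of the original post, that checks an sshd_config file for the three settings above (explicit Protocol 2, no CBC ciphers, no MD5 MACs). It assumes the space-separated "Keyword value" form and does not evaluate Match blocks.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# three settings above. Assumes the space-separated "Keyword value" form and
# does not evaluate Match blocks; the first uncommented occurrence of a
# keyword is taken as the effective one, as sshd itself does.

# Print the value of keyword $1 from config file $2 (empty if not set).
get_kw() {
  awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# Check one file; prints PASS/FAIL per item, returns 0 only if all pass.
audit_sshd_config() {
  cfg="$1"
  rc=0

  proto=$(get_kw Protocol "$cfg")
  if [ "$proto" = "2" ]; then
    echo "PASS Protocol 2"
  else
    echo "FAIL Protocol is '${proto:-unset}', expected an explicit 2"; rc=1
  fi

  ciphers=$(get_kw Ciphers "$cfg")
  if [ -z "$ciphers" ]; then
    echo "FAIL Ciphers unset, server default may include CBC modes"; rc=1
  elif echo "$ciphers" | grep -qiE 'cbc|arcfour'; then
    echo "FAIL Ciphers still offers CBC/arcfour: $ciphers"; rc=1
  else
    echo "PASS Ciphers $ciphers"
  fi

  macs=$(get_kw MACs "$cfg")
  if [ -z "$macs" ]; then
    echo "FAIL MACs unset, server default may include MD5 MACs"; rc=1
  elif echo "$macs" | grep -qiE 'md5|-96'; then
    echo "FAIL MACs still offers MD5 or 96-bit MACs: $macs"; rc=1
  else
    echo "PASS MACs $macs"
  fi
  return $rc
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then audit_sshd_config "$1"; fi
```

On a live host, `sshd -T` prints the effective configuration in the same "keyword value" form, so its output saved to a file can be audited the same way.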
