Disable Cipher Block Chaining (CBC) Mode Ciphers and Weak MAC Algorithms in SSH

話說今天使用OpenVAS做弱點掃描的時候，發現弱點

SSH Weak Encryption Algorithms Supported

Vulnerability Detection Result

The following weak client-to-server encryption algorithms are supported by the remote serv↵
ice:

aes128-cbc
arcfour256
cast128-cbc
aes192-cbc
3des-cbc
arcfour128
rijndael-cbc@lysator.liu.se
aes256-cbc
arcfour
blowfish-cbc

The following weak server-to-client encryption algorithms are supported by the remote serv↵
ice:

aes128-cbc
arcfour256
cast128-cbc
aes192-cbc
3des-cbc
arcfour128
rijndael-cbc@lysator.liu.se
aes256-cbc
arcfour
blowfish-cbc

稍微爬了一下，發現解決方法也很簡單，打開SSH加入以下內容

vi /etc/ssh/sshd_config

Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha1

重新啟動服務

systemctl restart sshd

打完收工

Reference

How to harden SSH on CentOS 6.5

FAQ: How do I disable Cipher Block Chaining (CBC) Mode Ciphers and Weak MAC Algorithms in SSH in IBM PureData System for Operational Analytics