This post shows how to disable the HMAC-MD5 MACs and the CBC ciphers in sshd, using CentOS/RHEL 6 and 7 as examples.
For CentOS/RHEL 7
For more information please look at the man pages:
# man sshd_config
Ciphers
Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If the specified value begins with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replacing them.
The supported ciphers are:
3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc chacha20-poly1305@openssh.com
The default is:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
The list of available ciphers may also be obtained using “ssh -Q cipher”. For example:
# ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
To disable the CBC ciphers, edit /etc/ssh/sshd_config and set Ciphers to the list of ciphers you require, leaving out every CBC cipher.
To Disable CBC:
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
Restart the sshd service after the changes have been made.
# systemctl restart sshd
MACs
Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used for data integrity protection. Multiple algorithms must be comma-separated. If the specified value begins with a ‘+’ character, then the specified algorithms will be appended to the default set instead of replacing them.
The algorithms that contain “-etm” calculate the MAC after encryption (encrypt-then-mac). These are considered safer and their use recommended. The supported MACs are:
hmac-md5 hmac-md5-96 hmac-ripemd160 hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 umac-64@openssh.com umac-128@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com hmac-ripemd160-etm@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com
The default is:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-etm@openssh.com
The list of available MAC algorithms may also be obtained using “ssh -Q mac”. For example:
# ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
To disable the hmac-md5 MAC algorithms, edit /etc/ssh/sshd_config and set MACs to the list of algorithms you require, leaving out every hmac-md5 variant, for example:
MACs hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160
Restart the sshd service after the changes have been made.
# systemctl restart sshd
For CentOS/RHEL 6
In CentOS/RHEL 6 the commands to list the available ciphers and MACs are "sshd -T | grep ciphers | perl -pe 's/,/\n/g' | sort -u" and "nmap -vv --script=ssh2-enum-algos.nse -p 22 localhost":
# sshd -T | grep ciphers | perl -pe 's/,/\n/g' | sort -u
# nmap -vv --script=ssh2-enum-algos.nse -p 22 localhost
For more information please look at the man pages:
# man sshd_config
Ciphers
Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The supported ciphers are:
3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr arcfour128 arcfour256 arcfour blowfish-cbc rijndael-cbc@lysator.liu.se cast128-cbc
The default is:
aes128-ctr aes192-ctr aes256-ctr arcfour256 arcfour128 aes128-cbc 3des-cbc blowfish-cbc cast128-cbc aes192-cbc aes256-cbc arcfour rijndael-cbc@lysator.liu.se
To disable the CBC ciphers, edit /etc/ssh/sshd_config and set Ciphers to the list of ciphers you require, leaving out every CBC cipher:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
Restart the sshd service after the changes have been made.
# service sshd restart
MACs
Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. The default is:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com
To disable the hmac-md5 MAC algorithms, edit /etc/ssh/sshd_config and set MACs to the list of algorithms you require, leaving out every hmac-md5 variant, for example:
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com
Restart the sshd service after the changes have been made:
# service sshd restart
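As an added check covering both the CentOS/RHEL 7 and the CentOS/RHEL 6 procedures above (example code written for this post, not part of the original), the following Python script parses "sshd -T" output, reports any CBC ciphers or HMAC-MD5 MACs that are still enabled, and prints the filtered Ciphers and MACs lines to paste into /etc/ssh/sshd_config. The script name audit_ssh_algos.py and the sample "sshd -T" output embedded in it are assumptions.

```python
"""Audit `sshd -T` output for CBC ciphers and HMAC-MD5 MACs (constructed example)."""
import re
import sys

# The two families this post removes; extend for any others your policy forbids.
WEAK_PATTERNS = {
    "ciphers": re.compile(r"-cbc(@|$)"),  # every CBC-mode cipher, incl. rijndael-cbc@...
    "macs": re.compile(r"^hmac-md5"),     # hmac-md5, hmac-md5-96 and their -etm variants
}
CONFIG_KEYWORD = {"ciphers": "Ciphers", "macs": "MACs"}  # sshd -T prints keywords lowercase

def parse_sshd_t(text):
    """Map the 'ciphers'/'macs' lines of `sshd -T` output to lists of algorithm names."""
    effective = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in WEAK_PATTERNS:
            effective[parts[0].lower()] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return effective

def find_weak(effective):
    """Return the weak algorithms still enabled, keyed by keyword."""
    return {k: [a for a in algos if WEAK_PATTERNS[k].search(a)] for k, algos in effective.items()}

def hardened_lines(effective):
    """Build sshd_config lines keeping only the non-weak algorithms, in the original order."""
    return [f"{CONFIG_KEYWORD[k]} {','.join(a for a in algos if not WEAK_PATTERNS[k].search(a))}"
            for k, algos in effective.items()]

# Constructed sample of `sshd -T` output, not captured from a real host.
SAMPLE_SSHD_T = """\
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
macs umac-64-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-sha2-256,hmac-md5,hmac-md5-96
"""

if __name__ == "__main__":
    # Run as `sshd -T | python3 audit_ssh_algos.py` on a host; falls back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SSHD_T
    effective = parse_sshd_t(text)
    for keyword, weak in find_weak(effective).items():
        print(f"{CONFIG_KEYWORD[keyword]}: weak still enabled: {', '.join(weak) or 'none'}")
    print("Suggested sshd_config lines:")
    for line in hardened_lines(effective):
        print("  " + line)
```

Because the filter works on the effective configuration rather than on the config file, it also catches defaults that sshd_config never mentions, which is where the CBC and MD5 algorithms usually hide.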