How to harden sshd for weal cipher suits on centos6.7

General support questions
marni koteswararao
Posts: 1
Joined: 2018/12/21 01:06:43

How to harden sshd for weal cipher suits on centos6.7

Post by marni koteswararao » 2018/12/21 01:12:49

Currently we are running with centos 6.7 with the following cipher suits in /etc/ssh/sshd_config and the version of the openssh package is 5.3, please advise on how to harden sshd for weal cipher suits. Thanks

cat /etc/centos-release
CentOS release 6.7 (Final)

cat /etc/ssh/sshd_config | grep -i Ciphers
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

cat /etc/ssh/sshd_config | grep -i MACs
MACs hmac-sha2-256,hmac-sha2-512

cat /etc/ssh/sshd_config | grep -i KexAlgorithms

rpm -qa | grep -i openssh
openssh-clients-5.3p1-114.el6_7.x86_64
openssh-5.3p1-114.el6_7.x86_64
openssh-server-5.3p1-114.el6_7.x86_64

TrevorH
Site Admin
Posts: 33210
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: How to harden sshd for weal cipher suits on centos6.7

Post by TrevorH » 2018/12/21 09:52:27

You have far more serious security problems than hardening openssh.

If you are running 6.7 then you are more than 3 years out of date and are missing lots of critical security updates. RHEL 6.7 came out in July 2015 and CentOS 6.7 followed in August. If you go to the Redhat errata pages here and select Security updates then tell it to show you only ones marked as "Critical" then you will find that there are about 130 of them since 6.7 came out.

The current CentOS 6 is 6.10 and is the only version that gets fixes. You should yum update to it ASAP.

Also I presume that "weal" actually means "weak"?

The Redhat knowledge base article https://access.redhat.com/solutions/420283 says you can

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com

Personally I'd also drop the arcfour ones too.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
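As an added example (not part of this thread, and not a Red Hat or CentOS tool), the following POSIX sh script audits the Ciphers and MACs lines of an sshd_config against an allowlist and prints the hardened lines. The allowlist is assumed to be the original poster's existing values (aes*-ctr ciphers, hmac-sha2-* MACs); the sample config is a constructed copy of the permissive list from the Red Hat article above, so the script flags exactly the arcfour ciphers TrevorH suggests dropping plus the SHA-1/RIPEMD-based MACs:

```shell
#!/bin/sh
# Added example: audit sshd_config Ciphers/MACs against an allowlist and
# emit hardened lines. Not the thread's own tooling.

# Constructed sample config (the permissive list quoted from the Red Hat
# article, which still carries RC4/arcfour ciphers and SHA-1/RIPEMD MACs).
SAMPLE_CONFIG='Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com'

# Allowlists (assumption: the values the original poster already had set,
# all of which OpenSSH 5.3 on CentOS 6 supports).
STRONG_CIPHERS="aes128-ctr aes192-ctr aes256-ctr"
STRONG_MACS="hmac-sha2-256 hmac-sha2-512"

# configured_algos KEYWORD: read an sshd_config on stdin and print the value
# of the first uncommented KEYWORD line (the one sshd honours), one
# algorithm per line.
configured_algos() {
    grep -i "^[[:space:]]*$1[[:space:]]" | head -n 1 | awk '{print $2}' | tr ',' '\n'
}

# filter_algos KEYWORD ALLOWLIST MODE: MODE "weak" prints the configured
# algorithms that are not in ALLOWLIST, MODE "strong" prints the ones that
# are. Output is comma-separated, in the order they appear in the config.
filter_algos() {
    keyword=$1; allowed=$2; mode=$3; out=""
    for a in $(configured_algos "$keyword"); do
        case " $allowed " in
            *" $a "*) hit=strong ;;
            *)        hit=weak ;;
        esac
        [ "$hit" = "$mode" ] && out="${out:+$out,}$a"
    done
    printf '%s' "$out"
}

# Convenience wrappers taking the config text as an argument.
weak_ciphers() { printf '%s\n' "$1" | filter_algos Ciphers "$STRONG_CIPHERS" weak; }
weak_macs()    { printf '%s\n' "$1" | filter_algos MACs    "$STRONG_MACS"    weak; }
hardened_ciphers_line() {
    printf 'Ciphers %s' "$(printf '%s\n' "$1" | filter_algos Ciphers "$STRONG_CIPHERS" strong)"
}
hardened_macs_line() {
    printf 'MACs %s' "$(printf '%s\n' "$1" | filter_algos MACs "$STRONG_MACS" strong)"
}

# audit CONFIG_TEXT: human-readable report.
audit() {
    cfg=$1
    printf 'weak ciphers: %s\n' "$(weak_ciphers "$cfg")"
    printf 'weak MACs:    %s\n' "$(weak_macs "$cfg")"
    printf 'hardened lines for sshd_config:\n  %s\n  %s\n' \
        "$(hardened_ciphers_line "$cfg")" "$(hardened_macs_line "$cfg")"
}

audit "$SAMPLE_CONFIG"
```

To check a real server, replace the sample with the contents of /etc/ssh/sshd_config (for example `audit "$(cat /etc/ssh/sshd_config)"`); a config with no Ciphers or MACs line reports nothing as weak because sshd then falls back to its compiled-in defaults, which this script does not inspect. Only the first matching line is used because sshd takes the first occurrence of a keyword.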
