Currently we are running CentOS 6.7 with the following cipher suites in /etc/ssh/sshd_config, and the version of the openssh package is 5.3. Please advise on how to harden sshd for weal cipher suites. Thanks
cat /etc/centos-release
CentOS release 6.7 (Final)
cat /etc/ssh/sshd_config | grep -i Ciphers
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
cat /etc/ssh/sshd_config | grep -i MACs
MACs hmac-sha2-256,hmac-sha2-512
cat /etc/ssh/sshd_config | grep -i KexAlgorithms
rpm -qa | grep -i openssh
openssh-clients-5.3p1-114.el6_7.x86_64
openssh-5.3p1-114.el6_7.x86_64
openssh-server-5.3p1-114.el6_7.x86_64
How to harden sshd for weal cipher suits on centos6.7
Re: How to harden sshd for weal cipher suits on centos6.7
You have far more serious security problems than hardening openssh.
If you are running 6.7 then you are more than 3 years out of date and are missing lots of critical security updates. RHEL 6.7 came out in July 2015 and CentOS 6.7 followed in August. If you go to the Redhat errata pages here and select Security updates then tell it to show you only ones marked as "Critical" then you will find that there are about 130 of them since 6.7 came out.
The current CentOS 6 is 6.10 and is the only version that gets fixes. You should yum update to it ASAP.
Also I presume that "weal" actually means "weak"?
The Redhat knowledge base article https://access.redhat.com/solutions/420283 says you can
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com
Personally I'd also drop the arcfour ones too.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
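An added example, not part of the posts above: a POSIX shell audit that reads an sshd_config, reports entries in Ciphers, MACs and KexAlgorithms that match a deny list, and flags unset directives, where sshd falls back to its built-in defaults. The deny list is an assumed policy (arcfour comes from the reply above; CBC-mode ciphers, MD5-based MACs and 96-bit truncated MACs are additions made here), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit sshd_config algorithm lists against a deny list.

# Assumed policy: arcfour (RC4) per the reply above; CBC-mode ciphers,
# MD5-based MACs and 96-bit truncated MACs are this example's additions.
is_weak() {
    case "$1" in
        arcfour*|*-cbc|*-cbc@*|hmac-md5*|*-96|*-96-etm@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "WEAK <directive> <algorithm>" for each deny-listed entry and
# "UNSET <directive>" when a directive is absent (sshd then uses its
# compiled-in defaults, which this script cannot see).
audit_sshd_config() {
    conf=$1
    for directive in Ciphers MACs KexAlgorithms; do
        # Keywords are case-insensitive and the first occurrence wins.
        value=$(awk -v d="$directive" \
            'tolower($1) == tolower(d) { print $2; exit }' "$conf")
        if [ -z "$value" ]; then
            echo "UNSET $directive"
            continue
        fi
        old_ifs=$IFS
        IFS=,
        for algo in $value; do
            if is_weak "$algo"; then
                echo "WEAK $directive $algo"
            fi
        done
        IFS=$old_ifs
    done
}

# Constructed sample: a commented-out line that must be ignored, followed
# by the Ciphers and MACs lines quoted in the reply above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Ciphers aes128-cbc
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com
EOF
audit_sshd_config "$sample"
rm -f "$sample"
```

An UNSET line is a finding in its own right: the directive has to be set explicitly before the list it controls can be reviewed from the file.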