For PCI Compliance or Security reasons, it may be necessary to disable weak SSH ciphers.
This article will cover how to disable weak SSH ciphers on a VPS or Dedicated server.
Check For Weak SSH Ciphers
IMPORTANT: These solutions will require root access or an escalation to APS for those without T1E+ access.
- Check which ciphers are currently in use
- Check for weak ciphers from the client side using this command
nmap --script ssh2-enum-algos -sV -p port host
REPLACE: port with the appropriate SSH port (the default is 22, but it can be changed) and host with the host IP or domain.
- SSH into the appropriate server as root and run this command to list the ciphers sshd currently offers, one per line
sshd -T | grep ciphers | perl -pe 's/,/\n/g' | sort -u
Disable Weak SSH Ciphers
- SSH into the appropriate server as root
- Create a backup of the current configuration
cp /etc/ssh/sshd_config{,.bak}
- Run this oneliner
TIP: You can run through these steps manually using The Manual Method below.
sshd -T | grep ciphers | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g" -e 's/,$//' >> /etc/ssh/sshd_config && sshd -t && systemctl restart sshd
The second sed expression removes the comma left behind when a weak cipher was last in the list, and sshd -t validates the new configuration before sshd is restarted, so a bad Ciphers line cannot take the service down. Note that sshd uses the first occurrence of a directive in sshd_config: if the file already contains a Ciphers line, edit that line instead of appending a new one.
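As an added example (not the article's own code), the filtering step of the oneliner written as shell functions, so the result can be checked against a sample before anything is written to /etc/ssh/sshd_config; the sample sshd -T line is constructed, and the functions also cope with weak ciphers that sit last or back to back in the list.

```shell
#!/bin/sh
# Added example, not the article's own code: the filtering step of the one-liner
# as functions, checked against a sample before touching /etc/ssh/sshd_config.
# Handles a weak cipher at the end of the list (which would otherwise leave a
# dangling comma) and consecutive weak ciphers.

# The weak ciphers named in the article, as an extended-regex alternation.
WEAK='3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator.liu.se'

# Constructed sample of the line `sshd -T | grep ciphers` prints on an older
# OpenSSH server (assumption; a real server may offer a different set).
SAMPLE_CIPHERS='ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc'

# has_weak_ciphers "ciphers a,b,c": prints each weak cipher in the list, one per
# line; exit status 0 if any were found, 1 if the list is clean.
has_weak_ciphers() {
    printf '%s\n' "${1#* }" | tr ',' '\n' | grep -Ex "$WEAK"
}

# strip_weak_ciphers "ciphers a,b,c": prints the same directive with every weak
# cipher removed and no leading, doubled or trailing commas.
strip_weak_ciphers() {
    keyword=${1%% *}
    kept=''
    for c in $(printf '%s' "${1#* }" | tr ',' ' '); do
        if printf '%s\n' "$c" | grep -Eqx "$WEAK"; then
            continue            # drop this cipher
        fi
        kept="${kept:+$kept,}$c"
    done
    printf '%s %s\n' "$keyword" "$kept"
}

# Demo on the constructed sample. On a real server, feed the output of
# `sshd -T | grep ciphers` instead, then validate with `sshd -t` before restarting.
echo "weak ciphers offered:"
has_weak_ciphers "$SAMPLE_CIPHERS" || echo "(none)"
echo "hardened directive:"
strip_weak_ciphers "$SAMPLE_CIPHERS"
```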
Disable Weak SSH Ciphers Manually
- SSH into the appropriate server as root
- Create a backup of the current configuration
cp /etc/ssh/sshd_config{,.bak}
- Set the following ciphers explicitly in /etc/ssh/sshd_config
echo "ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
If sshd_config already contains a Ciphers line, edit that line instead: sshd uses the first occurrence of a directive, so an appended line after it would be ignored. Run sshd -t to validate the configuration before restarting.
- Restart the sshd service
systemctl restart sshd
TIP: You can check your work by running either or both of the oneliners in the Check For Weak SSH Ciphers section above. For further reference, please see this third-party resource.