Worklet: Disable weak and vulnerable algorithms in sshd

Howdy!

Here is a worklet to detect and disable weak and vulnerable algorithms in the sshd service. These algorithms are usually kept enabled for compatibility reasons but they’re usually safe to disable if your users have updated systems.

Here is a good write-up on known weak and vulnerable algorithms.

Evaluation:

#!/bin/bash





sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)" | grep "\(sha1\|rc4|arcfour|md5|blowfish|idea|3des|cast128|cbc\)"





# return 0 if value exists; return non-zero if value does not exist


>
 $? -eq 0 ]] && exit 1





exit 0

Remediation:

#!/bin/bash





# Add a definitive list of ciphers to the sshd config. This list was tested to work on a fresh install of Ubuntu 18.04


cat >> /etc/ssh/sshd_config <<EOL


Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr


KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256


MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com


EOL





#restart the network services 


service sshd restart

Page 1 / 1

hi long time but I wanted to ask if this worklet will work on MAC books with OSX 14 Sonoma by any chnce

Reply

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded