Here is a worklet to detect and disable weak and vulnerable algorithms in the sshd service. These algorithms are usually kept enabled for compatibility reasons, but they are usually safe to disable provided your users' SSH clients are up to date.
Here is a good write-up on known weak and vulnerable algorithms.
#!/bin/bash
# Evaluation: flag any weak cipher, MAC or key-exchange algorithm in the effective
# sshd configuration (sshd -T prints the running config and must be run as root).
# grep -E is used because "|" is a literal in a basic regex; the original pattern
# mixed \| and |, so it only ever matched "sha1" and not the rest of the list.
sshd -T | grep -E "^(ciphers|macs|kexalgorithms) " \
        | grep -E "sha1|rc4|arcfour|md5|blowfish|idea|3des|cast128|cbc"
# grep returns 0 if a weak algorithm is present; exit 1 so the worklet reports non-compliant
[[ $? -eq 0 ]] && exit 1
exit 0
#!/bin/bash
# Remediation: add a definitive list of ciphers, key-exchange algorithms and MACs to the
# sshd config. This list was tested to work on a fresh install of Ubuntu 18.04.
# Caveat: sshd uses the first value it reads for a keyword, so if sshd_config already
# contains Ciphers/KexAlgorithms/MACs lines, remove them first or the appended lines are ignored.
# The @openssh.com / @libssh.org names were mangled by the page's extraction; they are
# restored here from the Mozilla OpenSSH guidelines, which the rest of the list matches exactly.
cat >> /etc/ssh/sshd_config <<EOL
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
EOL
# Validate the new config before restarting so a bad line cannot lock you out of SSH
sshd -t || exit 1
# Restart the SSH daemon (not the network services) so the change takes effect
service sshd restart
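As an added example, not part of the original worklet, the following bash script parses `sshd -T`-style output keyword by keyword and names every weak algorithm it finds, so the report says what has to change rather than only returning pass/fail. The `sshd -T` output it scans is a constructed sample (not captured from a real host), and the function names `find_weak_algos` and `count_weak_algos` are my own.

```bash
#!/bin/bash
# Added example: report each weak algorithm in sshd -T output per keyword.

# Constructed sample of `sshd -T` output from a host that still allows legacy
# algorithms (made up for this example, not captured from a real system).
SAMPLE_SSHD_T='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc,3des-cbc
macs hmac-sha2-256,hmac-sha1,hmac-md5
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

# Extended regex of substrings that mark an algorithm as weak. In a basic regex
# "|" is a literal character, so use grep -E (or \| throughout), never a mix.
WEAK_RE='sha1|rc4|arcfour|md5|blowfish|idea|3des|cast128|cbc'

# find_weak_algos: read sshd -T output on stdin and print "keyword algorithm"
# for every weak entry. Returns 0 if nothing weak was found, 1 otherwise.
find_weak_algos() {
    local found=0 keyword list algo algos
    while read -r keyword list; do
        case "$keyword" in
            ciphers|macs|kexalgorithms) ;;
            *) continue ;;
        esac
        # Each keyword carries a comma-separated list; test every entry on its own
        IFS=',' read -r -a algos <<< "$list"
        for algo in "${algos[@]}"; do
            if printf '%s\n' "$algo" | grep -qE "$WEAK_RE"; then
                printf '%s %s\n' "$keyword" "$algo"
                found=1
            fi
        done
    done
    return "$found"
}

# count_weak_algos: take sshd -T output as an argument and print only the number of hits.
count_weak_algos() {
    printf '%s\n' "$1" | find_weak_algos | wc -l | tr -d ' '
}

# Stand-alone demo over the constructed sample
if printf '%s\n' "$SAMPLE_SSHD_T" | find_weak_algos; then
    echo "no weak algorithms enabled"
else
    echo "weak algorithms enabled; see the list above"
fi
```

To run it against a real host, replace the sample with `sshd -T` output (as root): `sshd -T | find_weak_algos`. The exit status matches the worklet's convention, so the function can drop into an evaluation script unchanged while still listing which entries triggered it.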