Worklet: Disable weak and vulnerable algorithms in sshd

Howdy!

Here is a worklet to detect and disable weak and vulnerable algorithms in the sshd service. These algorithms are usually kept enabled for compatibility reasons but they’re usually safe to disable if your users have updated systems.

Here is a good write-up on known weak and vulnerable algorithms.

Evaluation:

#!/bin/bash

sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)" | grep "\(sha1\|rc4|arcfour|md5|blowfish|idea|3des|cast128|cbc\)"

# return 0 if value exists; return non-zero if value does not exist
[[ $? -eq 0 ]] && exit 1

exit 0

Remediation:

#!/bin/bash

# Add a definitive list of ciphers to the sshd config. This list was tested to work on a fresh install of Ubuntu 18.04
cat >> /etc/ssh/sshd_config <<EOL
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
EOL

#restart the network services 
service sshd restart