Because the project needs to be accepted for security detection, a security company has detected the following encryption vulnerabilities of sshd:
ssh server CBC mode ciphers enabled
warning: pay attention to check the status of sshd after restart
summary, description and solutions are as follows:
the security company has detected the following encryption vulnerabilities of sshd https://www.tenable.com/plugins/nessus/70658
1. Modify the encryption method
[root@localhost ~] vim /etc/ssh/sshd_config
Annotate related fields
# Ciphers and keying
Add encryption method at the end
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
Macs hmac-sha1,hmac-ripemd160
2. Restart the service after saving
[root@localhost ~]# systemctl restart sshd
3. SSH verification
[root@localhost ~]# ssh -vv -oCiphers=aes128-cbc,3des-cbc,blowfish-cbc target IP
[root@localhost ~]# ssh -vv -oMACs=hmac-md5 target IP
4. Nmap verification
nmap --script ssh2-enum-algos -sV -p 22 target IP
Results
Unable to negotiate with 127.0.0.1 port 22: no matching cipher found. Their offer: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour