
How to Fix Issue: SSH Server CBC Mode Ciphers Enabled

The project had to pass a third-party security assessment, and the security vendor's scan flagged the following encryption weakness in sshd:
SSH Server CBC Mode Ciphers Enabled (Nessus plugin 70658: https://www.tenable.com/plugins/nessus/70658)
Warning: check the status of sshd after the restart, and keep an existing session open until the new configuration is confirmed to work.
The summary, description and fix are as follows:
1. Change the cipher list

[root@localhost ~]# vim /etc/ssh/sshd_config

Comment out the related fields under the "# Ciphers and keying" section, then add the allowed cipher and MAC lists at the end of the file:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
MACs hmac-sha1,hmac-ripemd160

2. Restart the service after saving

[root@localhost ~]# systemctl restart sshd

3. SSH verification

Connect with a client restricted to the algorithms that should now be rejected; each attempt should fail with "no matching cipher found" or "no matching MAC found":

[root@localhost ~]# ssh -vv -oCiphers=aes128-cbc,3des-cbc,blowfish-cbc <target IP>
[root@localhost ~]# ssh -vv -oMACs=hmac-md5 <target IP>

4. Nmap verification

nmap --script ssh2-enum-algos -sV -p 22 <target IP>

Expected output of the cipher test in step 3: the server offers only the configured list, so the CBC-only client cannot negotiate a connection:

Unable to negotiate with <target IP> port 22: no matching cipher found. Their offer: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
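As an added example (not part of the original post), the following POSIX shell script audits an sshd_config file before and after the change above, reporting the algorithms scanners flag: CBC ciphers (the finding fixed here), plus arcfour/RC4 ciphers and MD5 or 96-bit MACs, which newer scans also report, so note that the post's replacement list still keeps arcfour. The sample configs are constructed inline; file paths and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# algorithms scanners flag. "Weak" here means CBC-mode ciphers (the Nessus
# 70658 finding), arcfour/RC4 ciphers, and MD5 or 96-bit MACs.

# Effective value of a keyword: sshd honours the first uncommented occurrence
# (keywords are case-insensitive), so stop after the first match.
effective_value() {  # $1 = keyword, $2 = config file
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# Print the weak ciphers/MACs found in one sshd_config, space separated.
# Exit status 1 if anything was found, 0 if the file is clean.
weak_ssh_algos() {
    cfg="$1"; bad=""
    ciphers=$(effective_value Ciphers "$cfg")
    [ -z "$ciphers" ] && echo "no Ciphers line in $cfg: sshd defaults apply" >&2
    for c in $(echo "$ciphers" | tr ',' ' '); do
        case "$c" in *-cbc|arcfour*) bad="$bad $c" ;; esac
    done
    for m in $(effective_value MACs "$cfg" | tr ',' ' '); do
        case "$m" in *md5*|*-96) bad="$bad $m" ;; esac
    done
    echo "${bad# }"
    [ -z "$bad" ]
}

# Constructed sample configs: one with CBC ciphers enabled, one with the
# post's replacement lines (which still keep arcfour).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/before" <<'EOF'
# Ciphers and keying
#RekeyLimit default none
Ciphers aes128-cbc,3des-cbc,aes128-ctr
MACs hmac-md5,hmac-sha1
EOF
cat > "$SAMPLES/after" <<'EOF'
# Ciphers and keying
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
MACs hmac-sha1,hmac-ripemd160
EOF

for f in before after; do
    if ! weak_ssh_algos "$SAMPLES/$f"; then
        echo "$f: weak algorithms present, fix $SAMPLES/$f" >&2
    fi
done
```

Run it against /etc/ssh/sshd_config instead of the sample files to check a real host; an empty line and exit status 0 means no flagged algorithm is configured.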