Requirement:
Security scans (typically an SSH audit run by a vulnerability scanner) may flag the following server-to-client or client-to-server encryption algorithms (ciphers) as weak. All three are variants of RC4 (arcfour), a stream cipher with well-known keystream biases:
arcfour
arcfour128
arcfour256
The same scans commonly flag the following Message Authentication Code (MAC) algorithms, because they are built on MD5 or truncate the authentication tag to 96 bits:
hmac-md5
hmac-md5-96
hmac-sha1-96
Solution:
Based on the SSH scan result, you will want to disable these ciphers and MACs in the OpenSSH server configuration.
Before changing anything, record which algorithms sshd currently offers. sshd -T prints the effective configuration (it must be run as root), and its lowercase "ciphers" and "macs" lines list exactly what the server will negotiate:
# sshd -T | grep "\(ciphers\|macs\)"
Configuration:
Open the server configuration in an editor:
# vi /etc/ssh/sshd_config
Press 'i' to enter insert mode and add the two lines below. The keywords Ciphers and MACs are case-insensitive, but sshd uses the first value it finds for a keyword, so search the file for an existing Ciphers or MACs line first and replace it rather than appending a second one. Also place the lines above any Match block: a directive appended after a Match line belongs to that block, and Ciphers and MACs are not permitted inside Match, so sshd will refuse the configuration.
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
macs hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com
These lists remove only the arcfour ciphers and the MD5 and -96 MACs named in the requirement. Many scanners also flag the CBC-mode ciphers (aes*-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, rijndael-cbc@lysator.liu.se) and the SHA-1 and RIPEMD-160 MACs; if yours does, trim the lists to the CTR ciphers and the hmac-sha2-* MACs. Conversely, do not list an algorithm your OpenSSH build no longer supports (OpenSSH 7.6 removed the arcfour, blowfish and CAST ciphers and the RIPEMD-160 MACs): an unknown name in Ciphers or MACs is a configuration error and sshd will not start.
Save the file by pressing 'Esc' => ':' => 'wq!'.
Keep your current SSH session open, then test the configuration before restarting so that a typo or an unsupported algorithm name cannot lock you out:
# sshd -t
If sshd -t prints nothing, restart the service:
# service sshd restart
On systemd-based distributions use "systemctl restart sshd" instead.
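The same change can be applied from a script, which avoids the two mistakes the manual edit invites: leaving an earlier Ciphers/MACs line in place (sshd keeps the first value it sees) and appending below a Match block. The script below is an added example, not part of the original page or of OpenSSH; the function names, the backup naming, and the constructed test file are its own. It assumes an OpenSSH sshd and a POSIX sh, and it strips existing global Ciphers/MACs lines, inserts the new ones above the first Match block (or at the end when there is none), then validates with sshd -t before restarting. The tighter CTR/SHA-2 lists passed in the usage comment are an illustrative choice, not the page's list.

```shell
#!/bin/sh
# Editor-added example (not from the original page): apply a Ciphers/MACs
# policy to an sshd_config file without locking yourself out.
# Assumptions: OpenSSH sshd_config semantics (first value for a keyword wins;
# Ciphers/MACs are global, not allowed in Match blocks), POSIX sh, and that
# you keep an existing SSH session open while testing.
set -u

# harden_sshd_config FILE CIPHERS MACS
# Removes any existing Ciphers/MACs lines, then writes the new ones above the
# first Match block, or at the end of the file if there is no Match block.
harden_sshd_config() {
    file=$1; ciphers=$2; macs=$3
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"   # keep a rollback copy
    tmp=$(mktemp)
    awk -v c="Ciphers $ciphers" -v m="MACs $macs" '
        # drop old global Ciphers/MACs lines (keyword match is case-insensitive)
        tolower($1) == "ciphers" || tolower($1) == "macs" { next }
        # emit the new policy just before the first Match block
        tolower($1) == "match" && !seen { print c; print m; seen = 1 }
        { print }
        END { if (!seen) { print c; print m } }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"     # overwrite in place so ownership/mode are preserved
    rm -f "$tmp"
}

# validate_and_restart FILE
# Refuses to restart sshd if the configuration does not pass sshd -t.
validate_and_restart() {
    if ! sshd -t -f "$1"; then
        echo "$1 is invalid; sshd NOT restarted, restore from the .bak copy" >&2
        return 1
    fi
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart sshd
    else
        service sshd restart
    fi
}

# Usage on a real host (as root), with an illustrative CTR/SHA-2 policy:
#   harden_sshd_config /etc/ssh/sshd_config \
#       "aes256-ctr,aes192-ctr,aes128-ctr" "hmac-sha2-512,hmac-sha2-256" \
#   && validate_and_restart /etc/ssh/sshd_config
```

harden_sshd_config only rewrites the file; the restart is a separate step so that the sshd -t check always runs between the two, and the timestamped .bak copy gives you something to copy back over the live config if the check fails.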
Verification
Run the same command again; the arcfour ciphers and the MD5 and -96 MACs should no longer appear:
# sshd -T | grep "\(ciphers\|macs\)"
The output now lists only the algorithms you configured. Before closing your existing session, confirm from a client that a new login still succeeds, and re-run the security scan to confirm the findings are cleared.
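Reading the sshd -T output by eye is error-prone on a fleet, so here is a small check that does it mechanically. It is an added example, not part of the original page: the function names are its own, and the two sshd -T excerpts are constructed samples (one before and one after hardening) so that it runs offline. The weak-algorithm lists are the ones from the requirement; extend them with the CBC ciphers or SHA-1 MACs if your scanner flags those too.

```shell
#!/bin/sh
# Editor-added example (not from the original page): audit `sshd -T` output
# for the weak algorithms listed in the requirement. Function names and the
# sample dumps below are this example's own constructions.

WEAK_CIPHERS="arcfour arcfour128 arcfour256"
WEAK_MACS="hmac-md5 hmac-md5-96 hmac-sha1-96"

# Constructed `sshd -T` excerpts: one before hardening, one after.
SAMPLE_BEFORE='ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc
macs hmac-md5,hmac-sha1,hmac-sha2-256,hmac-md5-96,hmac-sha1-96'
SAMPLE_AFTER='ciphers aes128-ctr,aes192-ctr,aes256-ctr
macs hmac-sha2-256,hmac-sha2-512'

# weak_algos KEYWORD "WEAK LIST"
# Reads an sshd -T dump on stdin and prints, one per line and in the order
# the server offers them, every algorithm under KEYWORD that is in WEAK LIST.
weak_algos() {
    keyword=$1; weak=$2
    # sshd -T prints "<keyword> a,b,c"; take the value and split on commas
    enabled=$(awk -v k="$keyword" '$1 == k { print $2 }' | tr ',' '\n')
    for a in $enabled; do
        for w in $weak; do
            if [ "$a" = "$w" ]; then echo "$a"; fi
        done
    done
    return 0
}

# audit_sshd
# Reads an sshd -T dump on stdin, reports each weak cipher/MAC still offered,
# and returns 1 if any was found, 0 if the server is clean.
audit_sshd() {
    dump=$(cat)
    found=0
    for c in $(printf '%s\n' "$dump" | weak_algos ciphers "$WEAK_CIPHERS"); do
        echo "weak cipher still enabled: $c"; found=1
    done
    for m in $(printf '%s\n' "$dump" | weak_algos macs "$WEAK_MACS"); do
        echo "weak MAC still enabled: $m"; found=1
    done
    return $found
}

# Run against the constructed samples. On a real host (as root) use:
#   sshd -T | audit_sshd
printf '%s\n' "$SAMPLE_BEFORE" | audit_sshd || echo "before: weak algorithms present"
printf '%s\n' "$SAMPLE_AFTER" | audit_sshd && echo "after: clean"
```

Because audit_sshd returns a non-zero status when anything weak is still offered, it drops straight into a configuration-management or CI check: run it over each host's sshd -T output and fail the job on a non-zero exit.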