Every so often after I run security scans, I think about investigating making ssh more secure. Normally I don’t have the time to do it, but this time I have made the time.
It turns out that whilst the ssh protocol is relatively secure, the encryption strength can be improved somewhat. To be fair, the older ssh encryption methods have been around for quite a while now. And when we say “improving”, the improvement is merely enough to persuade Nessus to hide an alert that is “Low”.
But it isn’t hard to fix, so why not?
The first step is to restrict the ciphers that sshd allows. Edit the file /etc/ssh/sshd_config and add a ciphers line :-
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
The next step is to add a line to restrict what MACs to use :-
MACs hmac-sha1
These two lines are normally next to each other close to the “UsePrivilegeSeparation” line.
Next restart sshd which is normally done with /etc/init.d/ssh restart (if you don’t have that script, look in that directory for any script whose name contains “ssh”). Yes this can be safely done whilst logged in via ssh.