Wednesday, October 30, 2019

How to disable the weak arcfour cipher in Linux

A cipher is an algorithm for performing encryption or decryption.
 
A routine Nessus scan of one of my lab machines revealed that the weak RC4 (arcfour) cipher was available there.  Multiple vulnerabilities have been discovered in this cipher.  This insecure cipher should not be used.  So I disabled it.  Here's how.

The ciphers that are available are listed in the SSH daemon configuration file /etc/ssh/sshd_config.  Open /etc/ssh/sshd_config using an editor such as vi and look for a line that begins with Ciphers.  A comma-separated list of ciphers follows the Ciphers keyword.  In this list, check for arcfour, arcfour128 and arcfour256.  If any of these are present, remove them and save the file.  For the change to take effect, the ssh daemon needs to be restarted: `service ssh restart` restarts it.

And here's how to verify that the change you made has actually stopped the arcfour cipher from being used.  From another machine on your network, use the ssh command with the -c option, which lets you specify which cipher to use.

# ssh -p 22  user@your.ip.address.here  -c arcfour

If the arcfour cipher is not available on your machine, you should see the message: no matching cipher found.
If a login prompt appears instead, asking for a password, it indicates that the arcfour cipher is available on your machine and is being used.

Another way to check is with the nmap utility.  What nmap is and all the things it can do are beyond the scope of this post.  Right now, let's use nmap to check which ciphers are available on your machine.

# nmap -Pn -sV --script ssh2-enum-algos your.ip.address.here

If arcfour is not listed anywhere in the output, it is not available on your machine.
If you see arcfour in the output, it is available on your machine.

If arcfour is not mentioned in your SSH configuration file /etc/ssh/sshd_config and it is still available on your machine, check whether the Ciphers keyword is absent from the file altogether.  If you don't say which ciphers to use, the daemon offers its default list, and that default list most likely contains arcfour.  In this case, add the line below to your SSH configuration file.

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

For the change to take effect, the ssh daemon needs to be restarted: `service ssh restart` restarts it.
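The two checks above (an explicit Ciphers line that still lists arcfour, and a missing Ciphers line that silently falls back to the defaults) can be scripted.  The following is an added example written for this post, not code from the original; it assumes a POSIX sh with awk, grep -E and paste, and takes the path of an sshd_config file as its argument.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config file for the
# arcfour ciphers discussed above, covering both the case where they appear in
# an explicit Ciphers line and the case where the Ciphers keyword is absent.
# Assumes POSIX sh with awk, grep -E and paste; the config path is an argument.

# Print the value of the first Ciphers line in the file. sshd honours the first
# occurrence of a keyword, so later Ciphers lines are ignored; commented-out
# lines (#Ciphers ...) do not match. Match blocks are not handled here.
effective_ciphers() {
    awk 'tolower($1) == "ciphers" { print $2; exit }' "$1"
}

# Exit status 0: an arcfour variant is offered.  1: none is offered.
# 2: no Ciphers directive, so the daemon's built-in default list applies
# (the post explains that this default list may itself include arcfour).
check_arcfour() {
    ciphers=$(effective_ciphers "$1")
    [ -n "$ciphers" ] || return 2
    printf '%s\n' "$ciphers" | tr ',' '\n' | grep -qxE 'arcfour(128|256)?'
}

# Print a cipher list with every arcfour variant removed, order preserved,
# ready to put back after the Ciphers keyword.
strip_arcfour() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -vxE 'arcfour(128|256)?' | paste -sd, -
}

# Usage on the live config (run as root so the file is readable):
# check_arcfour /etc/ssh/sshd_config; echo "status $?"
```

On the host itself, `sshd -T | grep -i '^ciphers'` prints the cipher list the running configuration actually offers, defaults included, which is the quickest way to see what an absent Ciphers line expands to.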

Please note that the /etc/ssh/ directory contains both sshd_config and ssh_config.  sshd_config is the one used by the SSH daemon; ssh_config is used by the SSH client.

If you have correctly removed arcfour from /etc/ssh/sshd_config and arcfour is still available on your machine, it is time to check further.  Consider the possibility that more than one ssh daemon is running.  The default port used by sshd is 22, but sshd can use some other port as well.  More than one sshd could be running, one listening on port 22 and another on some other port.  In this case, the arcfour cipher needs to be disabled for every ssh daemon.

Here's how to check which ports are listening.  Use the netstat utility with the -tlnp options.
# netstat -tlnp

The options that are useful to us in this case are:
        -t, --tcp                  tcp only
        -n, --numeric              don't resolve names
        -l, --listening            display listening server sockets
        -p, --programs             display PID/Program name for sockets