Linux SSH Disable CBC Ciphers
In this post I demonstrate how to disable insecure or unused SSH ciphers. You may need to do this for security purposes or for compliance purposes, you do not need to explicitly specify each one to disable, you can do so based on a pattern.
View Supported Ciphers
The first thing you will need to do is understand what ciphers are supported on your system, to do that issue the command below.
# ssh -Q cipher 3des-cbc aes128-cbc aes192-cbc aes256-cbc firstname.lastname@example.org aes128-ctr aes192-ctr aes256-ctr email@example.com firstname.lastname@example.org email@example.com
Viewing Loaded Ciphers
Additionally, you will need to see what ciphers are actually loaded in SSH. Below is the command and example output.
# sshd -T | grep cipher ciphers firstname.lastname@example.org,aes128-ctr,aes192-ctr,aes256-ctr,email@example.com,firstname.lastname@example.org #
Restrict all CBC Ciphers
Based on the output of the above commands you can see that cbc ciphers do exist on the machine however they are not loaded into the running SSH process to use for encryption with clients. Because of this it is not absolutely required to disallow the cbc ciphers in the ssh configuration however, to guarantee that after an update to the ssh server it does not load them due to programming changes the way to guarantee any cbc cyphers will never be loaded is to specify in the configuration file to never load them.
Below is an excerpt of
/etc/ssh/sshd_config if a line denoting "Ciphers" does not already exist add this line at the bottom of your sshd_config file.
Note here the minus symbol is telling the configuration to exclude what is coming after.
The asterisks is a wildcard so any cipher that has "cbc" in the name will not be loaded at startup.
If Ciphers is already defined, just remove any entries that have cbc in it.
Reload the SSH Server
Lastly you need to reload the ssh server for the changes to take effect, below is an example of the command on a Debian based system.
$ sudo service ssh reload
And that is all you need to do to restrict ciphers based on wildcards.