
How to Harden SSH on RHEL 8 & 9: A Guide to Disabling Weak Algorithms
Secure Shell (SSH) is the backbone of remote server administration, providing an encrypted channel for managing your systems. However, a default SSH configuration on even modern systems like Red Hat Enterprise Linux (RHEL) 8 and 9 may still permit the use of older, weaker cryptographic algorithms. Over time, vulnerabilities are discovered in these algorithms, and leaving them enabled can expose your server to significant security risks.
Hardening your SSH server is a critical step in securing your infrastructure. By explicitly disabling outdated ciphers, key exchange algorithms, and message authentication codes (MACs), you significantly reduce your server’s attack surface. This guide provides a clear, step-by-step process for enhancing the security of your SSH daemon on RHEL 8 and 9.
Why Disabling Weak SSH Algorithms is Crucial
Allowing weak cryptographic algorithms creates tangible security risks that can lead to serious consequences. The primary threats include:
- Vulnerability to Decryption: Attackers can exploit weaknesses in algorithms like CBC mode ciphers or those using SHA-1 to potentially decrypt captured SSH traffic, exposing sensitive data and credentials.
- Man-in-the-Middle (MITM) Attacks: Weak key exchange algorithms can be compromised, allowing an attacker to impersonate the server and intercept the connection.
- Compliance Failures: Many security standards, such as PCI DSS and HIPAA, mandate the use of strong cryptography. Failing a security audit due to weak SSH settings can result in non-compliance penalties.
- Lowering the Bar for Attackers: By leaving weak options available, you make it easier for less sophisticated attackers to find a foothold using known exploits.
Proactively disabling these weak links ensures your server communicates using only modern, robust, and secure cryptographic standards.
Step-by-Step: Securing Your SSH Configuration
The primary configuration file for the SSH daemon is located at /etc/ssh/sshd_config. We will modify this file to specify an explicit list of approved, strong algorithms.
1. Back Up Your Existing Configuration
Before making any changes, it is essential to create a backup of your current sshd_config file. This allows you to quickly restore service if you make a mistake that locks you out.
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
2. Edit the sshd_config File
Open the configuration file using your preferred text editor, such as nano or vim.
sudo nano /etc/ssh/sshd_config
3. Specify Strong Cryptographic Algorithms
Scroll to the bottom of the file and add the following lines. These lists specify modern, secure options for key exchange, ciphers, and MACs, while excluding their weaker counterparts.
This configuration prioritizes algorithms like ChaCha20-Poly1305 and AES-GCM, which are authenticated encryption modes not vulnerable to the plaintext recovery attacks that affect CBC mode. It also specifies strong key exchange methods and HMACs.
# --- Harden SSHD Configuration ---
# Specify strong Key Exchange Algorithms
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# Specify strong Ciphers (AEAD modes only; no CBC)
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
# Specify strong Message Authentication Codes (SHA-2 encrypt-then-MAC; no SHA-1)
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
Note on RHEL Crypto-Policies: RHEL uses system-wide cryptographic policies to manage default algorithm sets. By adding these lines to sshd_config, you are explicitly overriding the system-wide policy for the SSH service, giving you more granular control.
4. Validate the Configuration and Restart SSH
After saving your changes, it is critical to test the configuration syntax before restarting the SSH service. This simple command can prevent you from getting locked out of your server.
sudo sshd -t
If the command returns no output, the syntax is correct. If it reports an error, reopen the file and correct the mistake.
Once validation is successful, restart the SSH daemon to apply the new, hardened configuration.
sudo systemctl restart sshd
You can verify that the service is running correctly with:
sudo systemctl status sshd
Verifying Your New, Secure Configuration
After restarting the service, you must verify that only the strong algorithms you specified are being offered by the server. You can do this from a client machine using nmap or a verbose SSH connection.
Using nmap (if installed):
nmap --script ssh2-enum-algos -p 22 your-server-ip
The output should now only list the algorithms you specified in the sshd_config file, confirming that the weak options have been successfully disabled.
Alternatively, you can use a verbose SSH connection attempt from a Linux client:
ssh -vv your-server-ip
Examine the debug output for the server's KEXINIT proposal, which lists the key exchange algorithms, ciphers and MACs the server offers, and for the subsequent kex lines showing which of them were negotiated for the session.
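The same check can be scripted without nmap. The following Python script is an added example and is not part of the original guide: it connects to the server, reads the unencrypted SSH_MSG_KEXINIT that every SSH server sends before key exchange, and flags any offered kex, cipher or MAC name that belongs to a family this guide removes. The WEAK_MARKERS list and the client identification string are assumptions chosen for the example; pass your server's address as the first argument.

```python
import socket
import struct
import sys

# Name fragments marking the families the guide removes: SHA-1, CBC, MD5, UMAC-64 and legacy ciphers
WEAK_MARKERS = ("sha1", "-cbc", "md5", "umac-64", "arcfour", "3des", "blowfish", "cast128")
KEXINIT_FIELDS = ("kex", "hostkey", "ciphers_c2s", "ciphers_s2c", "macs_c2s",
                  "macs_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Split an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) into its ten name-lists."""
    if not payload or payload[0] != 20:              # 20 == SSH_MSG_KEXINIT
        raise ValueError("not a KEXINIT message")
    pos, lists = 17, {}                              # skip message id + 16-byte cookie
    for name in KEXINIT_FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + length].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        pos += 4 + length
    return lists

def weak_algorithms(lists: dict) -> dict:
    """Return the offered kex, server-to-client cipher and MAC names that match a weak marker."""
    flagged = {}
    for key in ("kex", "ciphers_s2c", "macs_s2c"):
        bad = [a for a in lists[key] if any(m in a for m in WEAK_MARKERS)]
        if bad:
            flagged[key] = bad
    return flagged

def probe(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Exchange identification strings, then parse the server's first binary packet (its KEXINIT)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexinit_probe\r\n")
        rd = sock.makefile("rb")                     # buffered reader: read(n) returns exactly n bytes or EOF
        line = rd.readline()
        while line and not line.startswith(b"SSH-"):   # skip any pre-banner text lines
            line = rd.readline()
        # Before key exchange the packet is neither encrypted nor MACed:
        # uint32 packet_length, byte padding_length, payload, padding
        length, padlen = struct.unpack(">IB", rd.read(5))
        body = rd.read(length - 1)
        if len(body) != length - 1:
            raise ConnectionError("server closed the connection mid-packet")
        return parse_kexinit(body[:length - 1 - padlen])

if __name__ == "__main__":                           # usage: python3 ssh_probe.py your-server-ip
    print(weak_algorithms(probe(sys.argv[1])) or "no weak kex, cipher or MAC algorithms offered")
```

On the server itself, sudo sshd -T | grep -iE '^(kexalgorithms|ciphers|macs)' prints the effective values, which is the quickest way to catch the case where the RHEL crypto-policy (applied through CRYPTO_POLICY in /etc/sysconfig/sshd on RHEL 8 and through /etc/ssh/sshd_config.d/50-redhat.conf on RHEL 9) still takes precedence over lines appended to the end of sshd_config, because sshd keeps the first value it reads for each of these keywords.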
By following these steps, you have successfully hardened your RHEL server’s SSH configuration. Regularly reviewing and updating your cryptographic standards is a cornerstone of maintaining a secure and resilient system in an ever-evolving threat landscape.
Source: https://kifarunix.com/disable-weak-ssh-algorithms-on-rhel-8-9-10-hmac-sha1/