Disable Arcfour encryption
Solution 1
CentOS 5, 6 & 7 don't have a Ciphers line in the /etc/ssh/sshd_config file so you get the full default list of ciphers. So to exclude arcfour add the following lines to your sshd_config file:
# restrict ciphers to exclude arcfour
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
Then restart sshd:
service sshd restart
As noted above you can test using
ssh <hostname> -c arcfour
If the specified cipher is disabled you'll get a response like
no matching cipher found: client arcfour server aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
otherwise you'll see the normal login process.
Solution 2
On Centos, RHEL, Oracle Linux 5, 6, and 7, just execute the following as root from a bash shell:
echo "Ciphers $(ssh -Q cipher | grep -v arcfour | while read r; do echo -n "$r," ; done)" >>/etc/ssh/sshd_config && /sbin/service sshd restart
Related videos on Youtube
Steviehype
Updated on September 18, 2022Comments
-
Steviehype over 1 year
I'm new to this but have been searching everywhere for a clear answer.
To pass PCI compliance the Arcfour cipher should be disabled.
I've tried to edit the ciphers in my sshd_conf and ssh_conf files to no avail.
As far as I can make out the default ciphers are
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
I've tired removing the arcfour instances from that line and also adding a '-' (minus) before them which didn't work either.
How does one disable arcfour ciphers?
We're running CentOS 6.8 in case that helps.
-
Admin over 7 yearsis it possible that the scanner is finding a separate SSL service that's using arcfour (https)?
-
Admin over 7 yearsThis is the scan command they are using
nmap -Pn -sV --script ssh2-enum-algos 87.xxx.xxx.160 -p22
which I'm assuming is scanning port 22. Would I edit those settings elsewhere? -
Admin over 7 yearsyou can check what ciphers sshd will allow with;
$ sshd -T 2>/dev/null | grep -i cipher
-
-
Steviehype over 7 yearsThanks for your reply @jan. I've got this line in my sshd_conf
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
i.e. arcfour removed, I've restarted sshd and NMAP is still reporting that those encryptions are still active. What am I doing wrong? -
Jan over 7 yearsThen either nmap is wrong or your sshd uses another config file. Are you 100% sure you edited the SERVER config file (/etc/ssh/sshd_config) and not the global client config? Did you restart?
-
Steviehype over 7 yearsI'm 100% sure I've edited
/etc/ssh/sshd_config
. Trustwave are using NMAP as evidence that Arcfour ciphers are supported so, ideally I need to get this to work. Thanks again for your thoughts. -
Steviehype over 7 yearsI'm sorry, I'm not sure I follow. I'm logged on. If I type
ssh localhost -c arcfour
it asks me for the password, which I enter and it just takes me back to where I was[root@s1xxxxx90 ~]#
with a blinking cursor... If I type onlyssh -c arcfour
I get a usage list. -
user4476006 about 7 yearsThe OP already said that he has edited sshd_config, which in case does have Ciphers line without any reference to arcfour. But then again it looks like the problem is that sshd doesn't seem to obey his config changes. Nice try, but you realise you ended up replicating what was already posted?
-
bosmith about 7 yearsSure - not claiming originality. See this more as confirmation that the advice really should work and summarizing in a recipe.
-
David Ramirez over 3 yearsssh -Q works only in version 7 os the said OS.