I've got an old Red Hat 5.11 server (yes, I know, it should be upgraded), that's running OpenSSH 4.3 (based on open-ssl 0.9.8). A consultant penetration test came up with a number of issues; the ones related to this server deal mostly with the SSH service. Specifically, allowing "Arcfour algorithms" and "Cipher Block Chaining mode ciphers".
However, all my searches seem to presume a much newer version of OpenSSH. I see a lot of pages on how to add any ciphers you want disallowed (such as:
But my sshd-config doesn't have any such ciphers listed (even as comments). And as such, I don't know if that will work. And before I go messing around with a production server, I figured I would ask first.
Anybody done anything similar (disallowing ciphers, etc)? ideally with an old OpenSSh like mine?
What I really need to do is upgrade the whole server, but that's a project, and one I would need to research, so I don't screw it up. This server accepts SFTP uploads on my DMZ, and in turn, I have a script on a trusted LAN server that reaches into this server (using trusted keys), runs a script there; assembles all uploaded files, and copies them into the trusted LAN. (which this list helped me out hugely, a few years back, so thanks!) And I would need to make sure I don't mess that up.
Anyway, cipher disallowing thoughts?