Anthony Martin on 12 Sep 2017 06:48:22 -0700


Re: [PLUG] Removing ciphers from an old Open-SSH server

I was just dealing with a similar issue. The Apache section on this page may be useful for you.

Anthony Martin

Linux System Administrator

On Tue, Sep 12, 2017 at 8:47 AM, Michael Leone <> wrote:
I've got an old Red Hat 5.11 server (yes, I know, it should be upgraded), that's running OpenSSH 4.3 (based on open-ssl 0.9.8). A consultant penetration test came up with a number of issues; the ones related to this server deal mostly with the SSH service. Specifically, allowing "Arcfour algorithms" and "Cipher Block Chaining mode ciphers". 

However, all my searches seem to presume a much newer version of OpenSSH. I see a lot of pages on how to add any ciphers you want disallowed (such as:

But my sshd-config doesn't have any such ciphers listed (even as comments). And as such, I don't know if that will work. And before I go messing around with a production server, I figured I would ask first.

Anybody done anything similar (disallowing ciphers, etc.)? Ideally with an old OpenSSH like mine?

What I really need to do is upgrade the whole server, but that's a project, and one I would need to research, so I don't screw it up. This server accepts SFTP uploads on my DMZ, and in turn, I have a script on a trusted LAN server that reaches into this server (using trusted keys), runs a script there, assembles all uploaded files, and copies them into the trusted LAN. (This list helped me out hugely with that, a few years back, so thanks!) And I would need to make sure I don't mess that up.

Anyway, cipher disallowing thoughts?
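The question above is whether a `Ciphers` directive works on an sshd whose shipped config never mentions one. It does: sshd reads the directive whether or not the file carries a commented template, and for every keyword the first value found wins, so an added line must not sit after an existing one. The script below is an added example, not code from the thread or from the OpenSSH project. It writes a hardened copy of an sshd_config that keeps only the CTR-mode ciphers (aes128-ctr, aes192-ctr, aes256-ctr, present in OpenSSH since 3.7, so available on 4.3), checks that nothing matching arcfour or CBC remains, and asks sshd itself to parse the result with `sshd -t -f`. The file paths and the sample config are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: restrict an old sshd
# (OpenSSH 4.3 in the question) to CTR-mode ciphers and check the result.
# File paths are assumptions; the cipher names are the CTR modes OpenSSH has
# shipped since 3.7.

# What the pentest flagged: RC4 (arcfour, arcfour128, arcfour256) and every
# CBC-mode cipher (aes*-cbc, 3des-cbc, blowfish-cbc, cast128-cbc).
BANNED_PATTERN='arcfour|cbc'

# Replacement value. sshd honours Ciphers even when the shipped sshd_config
# never mentions it; for each keyword the FIRST value in the file wins.
HARDENED_CIPHERS='aes128-ctr,aes192-ctr,aes256-ctr'

# effective_ciphers FILE: print the Ciphers value sshd would use, or "default"
# when FILE sets none (the compiled-in 4.3 default list includes arcfour and
# the CBC ciphers, which is why the scanner complained).
effective_ciphers() {
    val=$(grep -E '^[[:space:]]*[Cc]iphers[[:space:]]' "$1" | head -n 1 | awk '{print $2}' || true)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'default\n'; fi
}

# banned_ciphers LIST: print the entries of a comma-separated cipher list that
# match BANNED_PATTERN; exit 1 if any were found, 0 if the list is clean.
banned_ciphers() {
    found=$(printf '%s\n' "$1" | tr ',' '\n' | grep -iE "$BANNED_PATTERN" || true)
    if [ -z "$found" ]; then return 0; fi
    printf '%s\n' "$found"
    return 1
}

# harden_config SRC DST: copy SRC to DST with any active Ciphers line removed
# and the hardened one appended, so the new value is the first and only one.
harden_config() {
    sed '/^[[:space:]]*[Cc]iphers[[:space:]]/d' "$1" > "$2"
    printf '\n# Added after pentest: drop arcfour and CBC ciphers\nCiphers %s\n' \
        "$HARDENED_CIPHERS" >> "$2"
}

# validate_config FILE: have sshd parse FILE without starting (-t is test mode;
# it exits 0 and prints nothing when the file is acceptable).
validate_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not on PATH here; on the server run: sshd -t -f $1" >&2
    fi
}

# --- demonstration on a constructed sshd_config (not the poster's real file) ---
tmp=${TMPDIR:-/tmp}/sshd_config.demo.$$
cat > "$tmp" <<'EOF'
# constructed minimal sshd_config modelled on a Red Hat 5 default: no Ciphers line
Protocol 2
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

echo "before: $(effective_ciphers "$tmp")"
harden_config "$tmp" "$tmp.new"
echo "after:  $(effective_ciphers "$tmp.new")"
banned_ciphers "$(effective_ciphers "$tmp.new")" && echo "no banned ciphers remain"
validate_config "$tmp.new" || echo "sshd rejected the file; check syntax and host keys" >&2
rm -f "$tmp" "$tmp.new"
```

Before swapping the hardened file into place on a production box, keep one existing SSH session open while sshd is restarted, then connect from the trusted LAN server with `ssh -vv` and confirm the negotiated cipher is one of the CTR modes; the SFTP upload clients and the LAN-side script will only keep working if their SSH implementations offer CTR as well (OpenSSH 3.7 or later does).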

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --
