Nessus reported the following finding on a Linux server.
71049 – SSH Weak MAC Algorithms Enabled
Synopsis
The remote SSH server is configured to allow MD5 and 96-bit MAC algorithms.
Description
The remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.
Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software versions.
Solution
Disable SSH Weak MAC Algorithms in Linux
Follow the steps given below to disable weak SSH MAC algorithms on a Linux server:
- Edit /etc/ssh/sshd_config and remove hmac-md5, hmac-md5-96 and hmac-sha1-96 from the MACs list (if the file has no MACs line, add one; the value is a single comma-separated list with no spaces). Note that this plugin only flags MD5 and 96-bit MACs, so the list below, which still offers hmac-sha1 and umac-64@openssh.com, is enough to clear finding 71049; other scanners and hardening benchmarks (CIS, for example) also flag hmac-sha1 and umac-64, so where the clients allow it keep only the hmac-sha2-* entries. Also check the OpenSSH version before copying the list: hmac-ripemd160 was removed in OpenSSH 7.6, and a MAC name the server does not support makes sshd reject the whole MACs line.
# vi /etc/ssh/sshd_config
. .
MACs hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com
. .
- Save the file, check that sshd accepts it, and restart the service. Run the syntax check (sshd -t, which prints nothing when the file is valid) before restarting: if the MACs line contains a name this sshd does not know, the daemon fails to start and you lose remote access. On systemd-based distributions use systemctl restart sshd instead of the service command.
# sshd -t
# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
- Once sshd has been restarted, confirm the effective MAC list. sshd -T prints the configuration as the running binary parses it, which is what the server offers during key exchange and what Nessus tests:
# sshd -T | grep macs
macs hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com
- After disabling the weak MACs, an ssh client forced to offer only one of them is refused. Repeat the test with hmac-md5-96 and hmac-sha1-96:
# ssh -oMACs=hmac-md5 <server>
no matching mac found: client hmac-md5 server hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com
- Weak MACs are now disabled on the server; rescan with Nessus to confirm that finding 71049 is cleared.
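The steps above are easy to get wrong by hand on a fleet of servers, so here is an added example (not from the original page) that applies the same test the plugin does to a "sshd -T" line and rewrites the MACs directive in an sshd_config file. The sshd -T output and the config file in the block are constructed samples, and the RECOMMENDED_MACS list is this example's choice (SHA-2 only, encrypt-then-MAC variants first; these exist since OpenSSH 6.2), not a list the original page prescribes.

```shell
#!/bin/sh
# Added example, not part of the original page: audit a MAC list the way
# Nessus plugin 71049 does (flag MD5-based and 96-bit MACs) and rewrite the
# MACs directive of an sshd_config. Sample inputs below are constructed.

# Constructed sample of what "sshd -T | grep macs" prints on an old default.
SAMPLE_SSHD_T='macs hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512'

# What the plugin considers weak: any MD5 MAC, or a MAC truncated to 96 bits
# (hmac-sha1-96, hmac-md5-96 and their -etm@openssh.com forms).
WEAK_RE='md5|-96($|-)'

# Print the MACs from a "macs ..." line that the plugin would flag, comma-separated.
weak_macs() {
    printf '%s\n' "$1" | sed 's/^macs //' | tr ',' '\n' \
        | grep -E -e "$WEAK_RE" | tr '\n' ',' | sed 's/,$//'
}

# Print the same list with the weak entries removed; order is preserved.
strip_weak_macs() {
    printf '%s\n' "$1" | sed 's/^macs //' | tr ',' '\n' \
        | grep -v -E -e "$WEAK_RE" | tr '\n' ',' | sed 's/,$//'
}

# The list this example would deploy on a current OpenSSH (assumption: >= 6.2,
# which introduced the -etm variants): SHA-2 only, encrypt-then-MAC preferred.
RECOMMENDED_MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'

# Emit sshd_config ($1) with its MACs directive replaced by $2, or appended if
# the file has none. The keyword match is case-insensitive because sshd treats
# keywords that way. Output goes to stdout so it can be reviewed before it
# replaces /etc/ssh/sshd_config.
set_macs_directive() {
    cfg="$1"; macs="$2"
    if grep -q -E '^[[:space:]]*[Mm][Aa][Cc][Ss][[:space:]]' "$cfg"; then
        sed -E "s|^[[:space:]]*[Mm][Aa][Cc][Ss][[:space:]].*|MACs $macs|" "$cfg"
    else
        cat "$cfg"
        printf 'MACs %s\n' "$macs"
    fi
}

# Demo on a constructed config. Real use: redirect the output of
#   set_macs_directive /etc/ssh/sshd_config "$RECOMMENDED_MACS"
# to a new file, then "sshd -t -f newfile" and "sshd -T | grep macs" before
# swapping it in and restarting sshd.
DEMO_CFG=$(mktemp)
printf 'Port 22\nMACs %s\nPermitRootLogin no\n' 'hmac-md5,hmac-sha1' > "$DEMO_CFG"
echo "flagged: $(weak_macs "$SAMPLE_SSHD_T")"
echo "kept:    $(strip_weak_macs "$SAMPLE_SSHD_T")"
set_macs_directive "$DEMO_CFG" "$RECOMMENDED_MACS"
rm -f "$DEMO_CFG"
```

strip_weak_macs shows what is the minimum to satisfy this plugin (hmac-sha1 and umac-64 survive, exactly as in the page's list), while RECOMMENDED_MACS is the stricter list; choose the former only when old clients still need SHA-1 MACs.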
Last Updated: July 14, 2021