
Disable Weak SSHD Algorithms

Disables weak SSHD algorithms in the OpenSSH service on Linux.

Worklet Details

Introduction to the Bash-Based Disable Weak SSHD Algorithms Worklet

The Disable Weak SSHD Algorithms Worklet is designed for Linux systems and focuses on improving security by disabling weak SSH ciphers. It ensures that only strong and secure algorithms are utilized in SSH servers, mitigating the risks of security vulnerabilities that may arise due to weak ciphers.

The Worklet is Bash-based and designed for Linux systems. By automating the process of disabling weak algorithms, this Worklet saves time and ensures consistent configuration across multiple devices.

Why would you use the Disable Weak SSHD Algorithms Worklet?

Weak ciphers can be exploited by attackers to gain unauthorized access to a system or intercept sensitive data transmitted over an encrypted channel. Many Linux distributions come with default settings that enable these weak ciphers for compatibility reasons.

System administrators need to assess their environments and disable such weak ciphers manually, which can be time-consuming and error-prone.

The Disable Weak SSHD Algorithms Worklet helps automate this process, ensuring that your OpenSSH service is configured with a strong set of encryption algorithms while minimizing the risk of human error. It also helps maintain uniform security configurations across all your Linux devices.

Components of the Disable Weak SSHD Algorithms Worklet

This Worklet is composed of two components: an evaluation script (to check if any weak algorithms are enabled) and a remediation script (to disable them). The evaluation script uses the `sshd -T` command along with `grep` to identify whether any weak ciphers or key exchange algorithms are present in the sshd configuration file (/etc/ssh/sshd_config).

If there are any matches found, it returns a non-zero value indicating that action is required.

On successful detection of weak algorithms enabled on your Linux device, you can run the remediation script included in this Worklet. The remediation script appends a definitive list of strong ciphers and key exchange algorithms to the sshd configuration file and restarts the SSH service using `service sshd restart`.

How does the Disable Weak SSHD Algorithms Worklet work?

The Disable Weak SSHD Algorithms Worklet functions by first checking if any weak ciphers, MACs, or key exchange algorithms are enabled in the OpenSSH service. The evaluation script searches for matching keywords related to weak algorithms such as "sha1," "rc4," "arcfour," "md5," "blowfish," "idea," "3des," "cast128," and "cbc."

The presence of these keywords indicates that weak algorithms are enabled.
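The evaluation step described above can be sketched as follows. This is an added example, not the Worklet's own script: the function name `find_weak_algorithms` and the sample `sshd -T` output are assumptions, and it narrows the keyword match to the `ciphers`, `macs` and `kexalgorithms` lines so that other directives cannot trigger a false match.

```shell
#!/usr/bin/env bash
# Added example: evaluation check for weak SSHD algorithms (not Automox's script).

# Keywords the page lists as marking a weak algorithm.
WEAK_PATTERN='sha1|rc4|arcfour|md5|blowfish|idea|3des|cast128|cbc'

# Reads `sshd -T`-style output on stdin. Prints "<directive> <algorithm>" for
# every weak entry in the ciphers, macs and kexalgorithms lines, and returns
# 1 if any were found (non-zero means remediation is required), else 0.
find_weak_algorithms() {
    awk -v pat="$WEAK_PATTERN" '
        # sshd -T prints directive names in lowercase, one directive per line,
        # with the algorithm list as a single comma-separated field.
        $1 == "ciphers" || $1 == "macs" || $1 == "kexalgorithms" {
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++)
                if (tolower(algs[i]) ~ pat) { print $1, algs[i]; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample of `sshd -T` output (not taken from a real host).
SAMPLE_SSHD_T='port 22
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc
macs hmac-sha2-256-etm@openssh.com,hmac-sha1,hmac-md5
kexalgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512'

# Demo on the constructed sample; `|| true` keeps a non-zero result from
# aborting a caller that runs with `set -e`.
printf '%s\n' "$SAMPLE_SSHD_T" | find_weak_algorithms || true

# Live use on a host (needs root): sshd -T 2>/dev/null | find_weak_algorithms
```

Because `sshd -T` reports the effective configuration, the check also catches weak algorithms that are enabled by compiled-in defaults rather than by an explicit line in the configuration file.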

Once weak algorithms have been identified, the remediation script updates the sshd configuration file with an explicit list of strong encryption algorithms. These include ChaCha20-Poly1305, AES256-GCM, AES128-GCM, Curve25519-SHA256, and Diffie-Hellman Group Exchange SHA-256. As a final step, it restarts the OpenSSH service to apply these changes.

What is the expected outcome when you use the Disable Weak SSHD Algorithms Worklet?

Upon successful completion of this Worklet, all weak ciphers, MACs, and key exchange algorithms will be disabled in your OpenSSH service. Your Linux devices will now use only strong and secure encryption methods when establishing SSH connections.

This significantly reduces security vulnerabilities associated with weak ciphers while ensuring better confidentiality and data integrity during encrypted communications.

With consistent security configurations across your Linux endpoints, you can maintain a robust defense against potential threats targeting weaker encryption methods.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
