Nessus Output
Description
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Output from CentOS 7 system:
The following client-to-server Cipher Block Chaining (CBC) algorithms are supported : 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc [email protected] The following server-to-client Cipher Block Chaining (CBC) algorithms are supported : 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc [email protected]
Solution
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr |
and restart ssh
systemctl restart sshd |
References