Audit Ubuntu SSH for Weak Ciphers and MACs
Securing your Ubuntu SSH server requires identifying and disabling obsolete cryptographic algorithms. This guide provides a straightforward walkthrough on how to audit your Ubuntu Linux SSH server configuration for weak ciphers and Message Authentication Codes (MACs), check your active settings, use automated auditing tools, and update your configuration to enforce modern security standards.
Step 1: View Currently Enabled Ciphers and MACs
Before making changes, check which algorithms your SSH daemon (sshd) currently supports and accepts. Run the following commands to print the active configuration (sshd -T must run as root so it can read the host keys):

To view configured ciphers:

    sudo sshd -T | grep ciphers

To view configured MACs:

    sudo sshd -T | grep macs

The output will display a comma-separated list of algorithms. If you see weak algorithms like 3des-cbc, aes128-cbc, hmac-md5, or hmac-sha1, your server is vulnerable to cryptographic attacks.
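The check above can be scripted so the comma-separated list is compared against a denylist instead of being read by eye. The script below is an added example, not code from the original guide or from ssh-audit: its WEAK_CIPHERS and WEAK_MACS lists are this example's own policy (CBC-mode and 3DES/RC4 ciphers; MD5, SHA-1 and 64-bit-tag MACs), and SAMPLE_CONFIG is constructed text shaped like the two lines that sshd -T prints for ciphers and macs. Run it with --live to audit the real sshd -T output instead of the sample.

```shell
#!/bin/sh
# Added example: flag weak algorithms in sshd -T style output.
# The denylists below are this example's own policy, not sshd's or ssh-audit's.
WEAK_CIPHERS='3des-cbc aes128-cbc aes192-cbc aes256-cbc arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc'
WEAK_MACS='hmac-md5 hmac-md5-96 hmac-sha1 hmac-sha1-96 umac-64@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com umac-64-etm@openssh.com'

# Constructed sample in the shape of `sshd -T | grep -E '^(ciphers|macs) '` output.
SAMPLE_CONFIG='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc,3des-cbc
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1'

# find_weak <ciphers|macs> <config-text>
# Prints the denylisted entries of that keyword's list, one per line, in config order.
find_weak() {
    keyword=$1
    config=$2
    case $keyword in
        ciphers) weak_list=$WEAK_CIPHERS ;;
        macs)    weak_list=$WEAK_MACS ;;
        *)       return 2 ;;
    esac
    # Take the value after the keyword and split the comma-separated list.
    printf '%s\n' "$config" | awk -v kw="$keyword" '$1 == kw { print $2 }' | tr ',' '\n' |
    while IFS= read -r algo; do
        for w in $weak_list; do
            if [ "$algo" = "$w" ]; then
                printf '%s\n' "$algo"
            fi
        done
    done
}

# audit_text <config-text>
# Prints one WEAK line per offending keyword; returns 1 if anything weak is enabled, else 0.
audit_text() {
    found=0
    for kw in ciphers macs; do
        weak=$(find_weak "$kw" "$1")
        if [ -n "$weak" ]; then
            found=1
            printf 'WEAK %s: %s\n' "$kw" "$(printf '%s' "$weak" | tr '\n' ' ')"
        fi
    done
    return $found
}

if [ "${1:-}" = "--live" ]; then
    # Exit status 1 means a denylisted cipher or MAC is currently enabled.
    audit_text "$(sudo sshd -T)"
else
    audit_text "$SAMPLE_CONFIG" || echo "sample: weak algorithms present"
fi
```

The exit status makes the script usable from a configuration-management check or a cron job: a non-zero status from `--live` means the server still offers something on the denylist.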
Step 2: Scan the SSH Server Using ssh-audit
An effective way to audit your SSH server is by using ssh-audit, an open-source tool that scans SSH servers for weak configuration settings, outdated algorithms, and security vulnerabilities.
Install ssh-audit
On modern Ubuntu systems, you can install it directly via the package manager:
    sudo apt update
    sudo apt install ssh-audit

Alternatively, you can run it using Python if the package is not in your repository (in that case invoke it as ./ssh-audit.py instead of ssh-audit):

    wget https://github.com/jtesta/ssh-audit/releases/latest/download/ssh-audit.py
    chmod +x ssh-audit.py

Run the Scan
Run the tool against your local or remote SSH host (the default port is 22):

    ssh-audit localhost

The output is color-coded. Green indicates secure algorithms, yellow indicates warning-level algorithms (often kept for legacy compatibility), and red highlights critical findings (weak ciphers/MACs) that must be disabled immediately.
Step 3: Disable Weak Ciphers and MACs
To secure your server, you must explicitly define only strong, modern algorithms in the SSH configuration file.
Open the SSH daemon configuration file with root privileges:

    sudo nano /etc/ssh/sshd_config

Scroll to the bottom of the file or look for existing Ciphers and MACs directives. If they do not exist, add the following lines to enforce secure, modern standards (if they do exist, edit them in place: sshd keeps the first value it reads for each keyword, so a later duplicate line is ignored):

    # Secure Ciphers
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
    # Secure MACs
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

Save the file and exit the editor (in nano, press Ctrl+O, Enter, then Ctrl+X).
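On Ubuntu releases whose default sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, a drop-in file is the cleaner place for these directives: the included files are read before the rest of sshd_config, and because sshd uses the first value it obtains for each keyword, the drop-in wins over any Ciphers or MACs line further down in the main file. The drop-in below is an added example, not part of the original guide; the file name 50-hardening.conf is this example's own choice, and the algorithm lists are the ones from Step 3.

```conf
# /etc/ssh/sshd_config.d/50-hardening.conf   (file name chosen for this example)
# Read via the Include line at the top of /etc/ssh/sshd_config, so these values
# take precedence over any later Ciphers/MACs lines in the main file.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
```

Whichever file you edit, confirm the effective values afterwards with `sudo sshd -T | grep -E '^(ciphers|macs) '`; that output reflects the merged configuration, not any single file.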
Step 4: Test and Apply Configuration Changes
Always test your SSH configuration before restarting the service to ensure there are no syntax errors that could lock you out of the server.
Test the configuration file:

    sudo sshd -t

If the command returns no output, the syntax is correct. You can now safely restart the SSH service to apply the changes (keep your current session open and confirm a fresh login from a second terminal before closing it):

    sudo systemctl restart ssh

Step 5: Verify the Hardened Configuration
Re-run the audit tool to confirm that all weak ciphers and MACs have been successfully removed:

    ssh-audit localhost

The report should now show only green ratings for your SSH ciphers and MACs, indicating a hardened SSH server configuration.