How do I remove SSH ciphers on my Amazon EC2 Linux instance to meet security requirements?
I want to remove specific SSH (Secure Shell) ciphers on my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance to meet security requirements.
Short description
To maintain a secure environment on your Amazon EC2 Linux instances, remove the insecure SSH ciphers and key exchange algorithms. Then, configure SSH to offer only the cryptographic algorithms that your security requirements allow.
Resolution
Prerequisite: Determine if your system supports crypto policies. Amazon Linux 2023 instances use the crypto policy feature to manage cryptographic settings system-wide, including the algorithms that sshd offers. For more information about distributions that support crypto policies, see update-crypto-policies(8) on the Ubuntu manual pages website, or System-wide cryptographic policies in the Red Hat Enterprise Linux (RHEL) documentation.
To check if your system supports crypto policies, use SSH, Amazon EC2 Instance Connect, or Session Manager, a capability of AWS Systems Manager, to connect to your instance. Then, run the following command:
[user@localhost] # update-crypto-policies --show
If you see an output that's similar to the following example, then your system doesn't support crypto policies:
update-crypto-policies: command not found
If your system supports crypto policies, then the command prints the name of the active policy, which is one of the following (a custom policy or a policy with a modifier, such as DEFAULT:NO-SHA1, shows its own name instead):
LEGACY DEFAULT FUTURE FIPS
Manually remove SSH ciphers
If your Linux system doesn't support crypto policies, then modify the sshd_config file to manually remove SSH ciphers. On systems that do support crypto policies, sshd typically reads its algorithm lists from /etc/crypto-policies/back-ends/opensshserver.config through an Include directive, and sshd keeps the first value that it reads for each keyword. A Ciphers line appended to the end of sshd_config on such a system is therefore ignored; use the crypto policy procedure later in this article instead.
To modify the sshd_config file, complete the following steps:
-
Create an Amazon Machine Image (AMI) or Amazon Elastic Block Store (Amazon EBS) snapshot from the instance as a backup.
-
Use SSH, EC2 Instance Connect, or Session Manager to log in to the instance.
-
To switch to the root user, run the following command:
[user@localhost] # sudo -i
-
To find the ciphers that are activated on the system, run the following command:
[root@localhost] # sshd -T | grep 'ciphers'
-
Note the list in the output, and identify the insecure ciphers that you need to remove. Which entries count as insecure depends on your security requirements; CBC-mode ciphers (names that end in -cbc, including 3des-cbc, blowfish-cbc, and cast128-cbc) and arcfour are the ones that scanners most commonly flag.
-
To navigate to the directory /etc/ssh/, run the following command:
[root@localhost] # cd /etc/ssh/
-
To create a backup of the sshd_config file, run the following command:
[root@localhost] # cp sshd_config sshd_config.bak
-
To open the sshd_config file in a text editor, run the following command:
[root@localhost] # vi sshd_config
-
Check whether the file includes a Ciphers line (sshd_config keywords are case-insensitive, so it might be written as ciphers). If it's present, then it's similar to the following:
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
-
If the Ciphers line is in the file, then edit it to remove the insecure ciphers. In the preceding example, those are the six CBC-mode entries at the end, which leaves only AEAD and CTR ciphers:
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
If there's no Ciphers line, then add one that lists only the ciphers that you want to keep. Put it before any Include or Match line, because sshd uses the first value that it reads for each keyword and doesn't allow Ciphers inside a Match block. Use only names that appeared in the sshd -T output: sshd refuses to start if the list contains a cipher that this OpenSSH build doesn't support.
-
Save the file and quit.
-
To apply the changes, run the following command to restart the SSHD process. Keep your current session open until you've confirmed that a new SSH login still works. If sshd refuses to start because of a typo or an unsupported algorithm name, then restore sshd_config.bak and restart again. On Ubuntu, the service is named ssh rather than sshd.
[root@localhost] # service sshd restart
-
To check that the changes are applied in the updated cipher list, run the following command:
[root@localhost] # sshd -T | grep 'ciphers'
Remove insecure Kex algorithms
To remove insecure key exchange (Kex) algorithms, complete the following steps:
-
Create an Amazon Machine Image (AMI) or an Amazon EBS snapshot from the instance as a backup.
-
Use SSH, EC2 Instance Connect, or Session Manager to log in to the instance.
-
To switch to the root user, run the following command:
[user@localhost] # sudo -i
-
To find the currently activated Kex algorithms, run the following command:
[root@localhost] # sshd -T | grep 'kex'
-
Note the list in the output, and identify the insecure algorithms that you need to remove. The SHA-1 based entries (diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, and diffie-hellman-group-exchange-sha1) are the ones that scanners most commonly flag.
-
To navigate to the directory /etc/ssh/, run the following command:
[root@localhost] # cd /etc/ssh/
-
To create a backup of the sshd_config file, run the following command:
[root@localhost] # cp sshd_config sshd_config.bak
-
To open the sshd_config file in a text editor, run the following command:
[root@localhost] # vi sshd_config
-
If the file has a line that starts with KexAlgorithms, then remove the insecure algorithms from it. If there's no KexAlgorithms line, then add one that lists only the algorithms that you want to keep, and put it before any Include or Match line for the same reason as with Ciphers. Use only names that appeared in the sshd -T output.
-
Save the file and quit.
-
To apply the changes, run the following command to restart the SSHD process. Keep your current session open until a new SSH login succeeds.
[root@localhost] # service sshd restart
-
To check that the changes are applied, run the following command:
[root@localhost] # sshd -T | grep 'kex'
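The following script is an added example and isn't part of this article. It automates both manual procedures above in one pass: it reads the ciphers and Kex algorithms that sshd currently accepts from sshd -T, drops the weak ones, rewrites the Ciphers and KexAlgorithms lines in sshd_config so that they precede any Include or Match line, validates the file with sshd -t, and only then restarts sshd. It assumes the OpenSSH sshd -T output format ("ciphers a,b,c" and "kexalgorithms a,b,c"), a systemd host whose unit is named sshd (it's ssh on Ubuntu), and the weak-name patterns in filter_ciphers and filter_kex (CBC modes, arcfour, SHA-1 based key exchange), which are this example's choice and should be adjusted to your own policy. The SSHD_HARDEN_APPLY variable and the script name harden-sshd.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not from the AWS article): prune weak SSH ciphers and
# key-exchange algorithms from sshd_config, validate, then restart sshd.
# Assumptions: 'sshd -T' output lines "ciphers a,b,c" / "kexalgorithms a,b,c",
# a systemd unit named sshd, and the weak-name patterns below.
set -eu

# filter_list LIST REGEX: drop every entry of the comma-separated LIST that
# matches the extended REGEX; print the survivors, comma-joined.
filter_list() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -Ev "$2" | tr '\n' ',' | sed 's/,$//'
}
filter_ciphers() { filter_list "$1" 'cbc|arcfour'; }   # any CBC mode, RC4
filter_kex()     { filter_list "$1" 'sha1'; }          # SHA-1 based DH kex

# set_sshd_option FILE KEYWORD VALUE: replace the first uncommented KEYWORD
# directive (dropping duplicates) or, if there is none, insert the directive
# ahead of the first real directive so it precedes any Include or Match line:
# sshd keeps the first value it reads for a keyword, and Ciphers/KexAlgorithms
# aren't allowed inside Match. Writing back through cat keeps FILE's inode
# and permissions intact.
set_sshd_option() {
    file=$1
    key=$2
    value=$3
    if grep -Eiq "^[[:space:]]*${key}([[:space:]]|=)" "$file"; then mode=replace; else mode=insert; fi
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" -v mode="$mode" '
        BEGIN { lk = tolower(key); done = 0 }
        {
            line = $0; sub(/^[ \t]+/, "", line); low = tolower(line)
            if (mode == "replace" && low ~ ("^" lk "[ \t=]")) {
                if (!done) { print key " " value; done = 1 }
                next
            }
            if (mode == "insert" && !done && low != "" && low !~ /^#/) {
                print key " " value; done = 1
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# harden_sshd [CONFIG]: apply to the live system. Run as root, keep the
# current session open, and test a fresh login before closing it.
harden_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    effective=$(sshd -T)                           # effective config; needs root
    ciphers=$(filter_ciphers "$(printf '%s\n' "$effective" | awk '$1 == "ciphers" { print $2 }')")
    kex=$(filter_kex "$(printf '%s\n' "$effective" | awk '$1 == "kexalgorithms" { print $2 }')")
    if [ -z "$ciphers" ] || [ -z "$kex" ]; then
        echo "refusing to write an empty algorithm list" >&2
        return 1
    fi
    set_sshd_option "$cfg" Ciphers "$ciphers"
    set_sshd_option "$cfg" KexAlgorithms "$kex"
    sshd -t -f "$cfg"                              # reject typos/unknown names before restarting
    systemctl restart sshd
    sshd -T | grep -E '^(ciphers|kexalgorithms) '  # what sshd now actually offers
}

# Only touch the system when explicitly asked (hypothetical variable), so the
# functions can be sourced and exercised on a copy of the file first.
if [ "${SSHD_HARDEN_APPLY:-0}" = 1 ]; then
    harden_sshd "$@"
fi
```

As root, run SSHD_HARDEN_APPLY=1 sh harden-sshd.sh to apply it to /etc/ssh/sshd_config, or pass a copied file as the first argument to dry-run the rewrite. The final sshd -T line is the check that matters: on a host where an Include sets the lists before your directives, it's what reveals that your edit didn't take effect.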
Use crypto policies to remove ciphers
If your system supports crypto policies and one of the predefined policies meets your security requirements, then complete the following steps:
-
To check the available crypto profiles on your distribution, run the following command:
[user@localhost] # ls /usr/share/crypto-policies/policies
-
To change the policy setting for the system, run the following command:
[user@localhost] # sudo update-crypto-policies --set POLICY_NAME
Note: Replace POLICY_NAME with the name of your policy, such as FUTURE.
-
Run the following command to reboot the system for the new policy to take effect:
[user@localhost] # sudo reboot
-
Run the following command to check that the new policy is activated:
[user@localhost] # sudo update-crypto-policies --show
Then confirm the algorithms that sshd offers under the new policy:
[user@localhost] # sudo sshd -T | grep 'ciphers'
If the predefined policies don't meet your security requirements, then create a custom crypto policy.
To create a custom policy, complete the following steps:
-
Copy the policy:
[user@localhost] # sudo cp /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/POLICY_NAME.pol
-
Edit the new policy file in a text editor and remove the algorithms that you don't want the system to use. The file is a list of directives (such as cipher, mac, hash, group, and key_exchange) that use crypto-policies' own algorithm names rather than OpenSSH's; see the crypto-policies(7) man page for the syntax and the valid names. Policy names are conventionally uppercase, and POLICY_NAME must match the file name without the .pol extension:
[user@localhost] # sudo vi /etc/crypto-policies/policies/POLICY_NAME.pol
-
Save the file and exit.
-
Run the following command to update the policy setting for the system:
[user@localhost] # sudo update-crypto-policies --set POLICY_NAME
-
Run the following command to reboot the system for the new policy to take effect:
[user@localhost] # sudo reboot
-
Run the following command to check that the new policy is activated:
[user@localhost] # sudo update-crypto-policies --show
Then confirm the algorithms that sshd offers under the new policy:
[user@localhost] # sudo sshd -T | grep 'ciphers'