How do I remove SSH ciphers on my Amazon EC2 Linux instance to meet security requirements?


I want to remove specific SSH (Secure Shell) ciphers on my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance to meet security requirements.

Short description

To maintain a secure environment on your Amazon EC2 Linux instances, remove the insecure SSH ciphers. Then, configure SSH to use only secure cryptographic algorithms.

Resolution

Prerequisite: Determine if your system supports crypto policies. Amazon Linux 2023 instances use the crypto policy feature to manage cryptographic settings. For more information about distributions that support crypto policies, see update-crypto-policies(8) on the Ubuntu website, or System-wide cryptographic policies on the Red Hat Enterprise Linux (RHEL) website.

To check if your system supports crypto policies, use SSH, Amazon EC2 Instance Connect, or Session Manager, a capability of AWS Systems Manager, to connect to your instance. Then, run the following command:

[user@localhost] # update-crypto-policies --show

If you see output similar to the following example, then your system doesn't support crypto policies:

update-crypto-policies: command not found

If your system supports crypto policies, then you see one of the following outputs:

LEGACY
DEFAULT
FUTURE
FIPS

Manually remove SSH ciphers

If your Linux system doesn't support crypto policies, then modify the sshd_config file to manually remove SSH ciphers.

To modify the sshd_config file, complete the following steps:

  1. Create an Amazon Machine Image (AMI) or Amazon Elastic Block Store (Amazon EBS) snapshot from the instance as a backup.

  2. Use SSH, EC2 Instance Connect, or Session Manager to log in to the instance.

  3. To switch to the root user, run the following command:

    [user@localhost] # sudo -i
  4. To find the ciphers that are activated on the system, run the following command:

    [root@localhost] # sshd -T | grep 'ciphers'
  5. Note the list in the output, and identify the insecure ciphers that you want to remove.

  6. To navigate to the directory /etc/ssh/, run the following command:

    [root@localhost] # cd /etc/ssh/
  7. To create a backup of the sshd_config file, run the following command:

    [root@localhost] # cp sshd_config sshd_config.bak
  8. To open the sshd_config file in a text editor, run the following command:

    [root@localhost] # vi sshd_config
  9. Check that the file includes a ciphers section that's similar to the following:

    ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
  10. If the ciphers section is in the file, then edit it to remove the insecure ciphers. If there's no ciphers section, then add the ciphers list to the end of the file.

  11. Save the file and quit.

  12. To apply the changes, run the following command to restart the SSHD process:

    [root@localhost] # service sshd restart
  13. To check that the changes are applied in the updated cipher list, run the following command:

    [root@localhost] # sshd -T | grep 'ciphers'

Remove insecure Kex algorithms

To remove insecure key exchange (Kex) algorithms, complete the following steps:

  1. Create an Amazon Machine Image (AMI) or an Amazon EBS snapshot from the instance as a backup.

  2. Use SSH, EC2 Instance Connect, or Session Manager to log in to the instance.

  3. To find the currently activated Kex algorithms, run the following command:

    [root@localhost] # sshd -T | grep 'kex'
  4. To find the ciphers that are activated on the system, run the following command:

    [root@localhost] # sshd -T | grep 'ciphers'
  5. Note the list in the output, and identify the insecure ciphers that you want to remove.

  6. To navigate to the directory /etc/ssh/, run the following command:

    [root@localhost] # cd /etc/ssh/
  7. To create a backup of the sshd_config file, run the following command:

    [root@localhost] # cp sshd_config sshd_config.bak
  8. Open the sshd_config file in a text editor, and then remove the insecure algorithms from the line that starts with KexAlgorithms.

  9. Check that the file includes a ciphers section that's similar to the following:

    ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
  10. If the ciphers section is in the file, then edit it to remove the insecure ciphers. If there's no ciphers section, then add the ciphers list to the end of the file.

  11. Save the file and quit. To apply the changes to the running SSHD process, restart it as described in the previous section.

  12. To check that the changes are applied, run the following command:

    [root@localhost] # sshd -T | grep 'kex'
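The two procedures above both start from `sshd -T` output and a manual read of the list. The following script (an added example, not part of the original article) does the comparison for you: it flags legacy ciphers and Kex algorithms against a deny-list and prints the hardened `Ciphers` and `KexAlgorithms` lines to put in sshd_config. The sample `sshd -T` output and the deny-list regexes are assumptions; the deny-list follows common hardening benchmarks (CBC modes, Blowfish, CAST-128, 3DES, RC4, SHA-1 and group1 key exchange) and should be adjusted to your own requirement.

```shell
#!/bin/sh
# Added example (not from the original article): audit the effective sshd
# cipher and key-exchange lists for legacy algorithms and print the hardened
# lines for sshd_config. On a real host, pipe `sshd -T` (run as root) into
# the functions; here a constructed sample of its output stands in so the
# script runs offline.
SAMPLE_SSHD_T='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1'

# Extended regexes that mark an algorithm as legacy (assumption: matches common
# hardening benchmarks; adjust to your own security requirement).
WEAK_CIPHER_RE='-cbc$|^arcfour|^blowfish|^cast128|^3des'
WEAK_KEX_RE='sha1$|group1-'

# filter_algs KEYWORD REGEX: read `sshd -T` output on stdin and print the
# comma-separated value of KEYWORD with algorithms matching REGEX removed.
filter_algs() {
    awk -v key="$1" -v weak="$2" '
        $1 == key {
            n = split($2, algs, ",")
            out = ""
            for (i = 1; i <= n; i++)
                if (algs[i] !~ weak) out = out (out == "" ? "" : ",") algs[i]
            print out
        }'
}

# list_weak KEYWORD REGEX: print the algorithms that would be removed, one per line.
list_weak() {
    awk -v key="$1" -v weak="$2" '
        $1 == key {
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++) if (algs[i] ~ weak) print algs[i]
        }'
}

hardened_ciphers()  { printf '%s\n' "$SAMPLE_SSHD_T" | filter_algs ciphers "$WEAK_CIPHER_RE"; }
hardened_kex()      { printf '%s\n' "$SAMPLE_SSHD_T" | filter_algs kexalgorithms "$WEAK_KEX_RE"; }
weak_cipher_count() { printf '%s\n' "$SAMPLE_SSHD_T" | list_weak ciphers "$WEAK_CIPHER_RE" | wc -l | tr -d ' '; }

echo "Ciphers to remove:";        printf '%s\n' "$SAMPLE_SSHD_T" | list_weak ciphers "$WEAK_CIPHER_RE"
echo "Kex algorithms to remove:"; printf '%s\n' "$SAMPLE_SSHD_T" | list_weak kexalgorithms "$WEAK_KEX_RE"
echo; echo "Hardened sshd_config lines:"
echo "Ciphers $(hardened_ciphers)"
echo "KexAlgorithms $(hardened_kex)"
```

On a live instance, replace the sample with the real output (`sshd -T | filter_algs ciphers "$WEAK_CIPHER_RE"`), and keep your current session open while you restart SSHD so that a typo in the new list can't lock you out of the instance.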

Use crypto policies to remove ciphers

If your system supports crypto policies and you want to use one of the predefined policies, then complete the following steps:

  1. To check the available crypto profiles on your distribution, run the following command:

    [user@localhost] # ls /usr/share/crypto-policies/policies
  2. To change the policy setting for the system, run the following command:

    [user@localhost] # sudo update-crypto-policies --set POLICY_NAME

    Note: Replace POLICY_NAME with the name of your policy, such as FUTURE.

  3. Run the following command to reboot the system for the new policy to take effect:

    [user@localhost] # sudo reboot
  4. Run the following command to check that the new policy is activated:

    [user@localhost] # sudo update-crypto-policies --show

If the previously generated policies don't meet your security requirements, then create a custom policy for crypto policies.

To create a custom policy, complete the following steps:

  1. Copy the DEFAULT policy to a new custom policy file:

    [user@localhost] # sudo cp /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/POLICY_NAME.pol
  2. Edit the new policy file in a text editor and remove ciphers that you don't want the system to use:

    [user@localhost] # sudo vi /etc/crypto-policies/policies/POLICY_NAME.pol
  3. Save the file and exit.

  4. Run the following command to update the policy setting for the system:

    [user@localhost] # sudo update-crypto-policies --set POLICY_NAME
  5. Run the following command to reboot the system for the new policy to take effect:

    [user@localhost] # sudo reboot
  6. Run the following command to check that the new policy is activated:

    [user@localhost] # sudo update-crypto-policies --show
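Step 2 of the custom-policy procedure leaves the editing to you. The following script (an added example, not part of the original article) shows what that edit amounts to: it derives a custom policy from a copy of DEFAULT.pol by dropping every CBC cipher from the `cipher =` line. It assumes the RHEL 8-style .pol format, in which `cipher = ...` is a space-separated list; the DEFAULT.pol excerpt is constructed, so compare it with your distribution's file before relying on it.

```shell
#!/bin/sh
# Added example (not from the original article): derive a custom crypto policy
# from DEFAULT.pol by removing CBC ciphers. Assumes the RHEL 8-style .pol
# format where `cipher = ...` is a space-separated list of cipher names.
# Constructed excerpt of DEFAULT.pol (not copied from a real system):
SAMPLE_POL='# constructed excerpt of DEFAULT.pol
mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
cipher = AES-256-GCM AES-256-CCM AES-256-CTR AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CTR AES-128-CBC CHACHA20-POLY1305
key_exchange = ECDHE RSA PSK DHE-PSK ECDHE-PSK DHE'

# strip_ciphers REGEX: copy a .pol file from stdin to stdout, dropping every
# token on the `cipher =` line that matches REGEX; other lines pass unchanged.
strip_ciphers() {
    awk -v drop="$1" '
        $1 == "cipher" && $2 == "=" {
            line = "cipher ="
            for (i = 3; i <= NF; i++) if ($i !~ drop) line = line " " $i
            print line; next
        }
        { print }'
}

# The custom policy text, and just its cipher line for inspection.
custom_policy()      { printf '%s\n' "$SAMPLE_POL" | strip_ciphers '-CBC$'; }
custom_cipher_line() { custom_policy | awk '$1 == "cipher" { print; exit }'; }

custom_policy
```

On a real system the same filter can write the policy file directly, for example `strip_ciphers '-CBC$' < /usr/share/crypto-policies/policies/DEFAULT.pol | sudo tee /etc/crypto-policies/policies/POLICY_NAME.pol`, after which the `update-crypto-policies --set` and reboot steps above apply it.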

Related information

Default SSH server configuration

Enable FIPS Mode on AL2023

AWS OFFICIAL

Updated a month ago