Common Criteria SSH – restrict ciphers, key exchange method and drop SSH packets within certain range

1. Open ssh_config or sshd_config: the first file is the configuration file for the client, the second is for the daemon (SSH server).

2. Uncomment the Ciphers line and set it to:

Ciphers  aes128-cbc,aes256-cbc

This ensures that only the aes128-cbc and aes256-cbc ciphers are offered.

3. Add the following line:

KexAlgorithms diffie-hellman-group14-sha1

This ensures that diffie-hellman-group14-sha1 is the only supported key exchange method.

4. To drop SSH packets of a certain size you can always use the good old iptables:

iptables -A INPUT -p tcp -m length --length 1400:1500 --dport 22 -j DROP

This drops all incoming packets whose IP length is between 1400 and 1500 bytes and that are destined for port 22 (the SSH port).
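As an added example (not code from the original post), this POSIX shell script applies the two directives from steps 2 and 3 to an sshd_config file without leaving duplicate or conflicting lines, and wraps the iptables rule from step 4 so it is only added once. The function names, the file path passed in and the sample config in the test are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the Ciphers and
# KexAlgorithms directives idempotently. Assumes POSIX sh, awk and grep.

# set_sshd_option FILE KEY VALUE
# Replaces the first active (uncommented) "KEY ..." line with "KEY VALUE",
# drops further active duplicates (sshd honours only the first occurrence)
# and leaves commented-out lines alone. If no active line exists, the
# directive is inserted before the first "Match" block, since neither
# Ciphers nor KexAlgorithms is allowed inside one; otherwise it is appended.
set_sshd_option() {
    file=$1; key=$2; value=$3
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; k = tolower(key) }
        tolower($0) ~ "^[ \t]*match[ \t]" && !done { print key " " value; done = 1 }
        tolower($0) ~ "^[ \t]*" k "[ \t]" {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# harden_sshd_config FILE: the exact values the post prescribes (steps 2 and 3).
harden_sshd_config() {
    set_sshd_option "$1" Ciphers aes128-cbc,aes256-cbc
    set_sshd_option "$1" KexAlgorithms diffie-hellman-group14-sha1
}

# count_option FILE KEY: number of active KEY lines; should be exactly 1.
count_option() {
    grep -ciE "^[[:space:]]*$2[[:space:]]" "$1" || true
}

# add_ssh_length_drop: the iptables rule from step 4, inserted only when an
# identical rule is not already present (iptables -C checks for one).
add_ssh_length_drop() {
    iptables -C INPUT -p tcp --dport 22 -m length --length 1400:1500 -j DROP 2>/dev/null \
        || iptables -A INPUT -p tcp --dport 22 -m length --length 1400:1500 -j DROP
}
```

Afterwards run `sshd -t -f FILE` to syntax-check the edited file, and `sshd -T` against the running daemon to confirm the effective Ciphers and KexAlgorithms values.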
