Archive for May, 2017

CentOS – disable ciphers in openssh

I used the following procedure to disable the weak ciphers enabled in openssh on CentOS 7:

You could probably guess where you this should be configured, but one of the challenges can be getting of complete list of what is supported.

Get a list of supported ciphers:

# ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

To disable one or more, you need to explicitly specify the ciphers you do want to use. For example, arcfour:

# vi /etc/ssh/sshd_config

Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

And then, restart sshd:

# systemctl restart sshd

And check:

$ ssh -c arcfour localhost
no matching cipher found: client arcfour server 3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

Remotely enable RDP.

Download psexec.exe to run commands remotely on the remote machine.

Once installed, run psexec to bring up a command prompt on the remote machine:
C:\Tools> psexec \\remotecomputer cmd

Turn off the firewall:
C:\Windows\system32> netsh advfirewall set currentprofile state off

Create a rule to allow Remote Desktop through the firewall:
C:\Windows\system32> netsh advfirewall firewall set rule group=”Remote Desktop Access: new enable=Yes

These netsh commands will return an “Ok!” when successful.

Next ensure that the “Remote Registry” service is started, so you can modify the registry to enable Remote Desktop:
C:\Windows\system32> net start “Remote Registry”

Then, from your local machine open regedit and select File/Connect Network Registry…
Enter the name or I.P. address of the remote machine.
Once connected, navigate to “REMOTEMACHINE\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server”
Then, double click fDenyTSConnections and change it from a 1 to a 0.

Then, back on your psexec session restart the “Remote Desktop Services” service:
C:\Windows\system32> net stop “Remote Desktop Services”
C:\Windows\system32> net start “Remote Desktop Services”

Now, you should be able to connect, and still connect after rebooting if you set the “Remote Desktop Services” service to Automatic so it starts at boot.

Return top

INFORMATION