February 2020
Intermediate to advanced
666 pages
15h 45m
English
Content preview from Mastering Linux Security and Hardening - Second Edition
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Disabling weak SSH encryption algorithms
The ssh_scan tool is very nifty and very handy, but it does have one slight drawback. It does a great job of showing you which encryption algorithms are enabled on remote machines, but you just can't trust its recommendations about what to enable or disable. The problem is that the Mozilla Foundation created this tool to satisfy their own internal needs, rather than to conform with either the FIPS or the NIST CNSA standards. A good example of its bad recommendations is when it tells you to enable any 192-bit algorithms. That's a big no-no if you're looking to make your servers compliant with accepted best security practice. So, the best way to use the tool is to run the scan and then compare the results ...