Last weekend I decided to update my sshd_config to include a very limited set of ciphers, MACs and key exchange algorithms. I did this to tighten the security of my sshd and not because I wanted to prevent bots from trying (and failing) to log in to my servers. I’m already using fail2ban for that.
However, after I updated my configuration I noticed failed login attempts basically dropped to zero, because all these bots do not support my very restrictive set of ciphers.
Ciphers [email protected],[email protected]
MACs [email protected],[email protected],[email protected]
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
In order to use these settings, you need a recent version of OpenSSH. I’m running 6.6 locally and on my servers; the minimum version that supports these settings is 6.4.
After these changes your auth.log will probably contain this line rather often:
fatal: no matching cipher found: client aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,[email protected],aes192-cbc,aes128-cbc,blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc server [email protected],[email protected] [preauth]
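To make that log line useful rather than just noisy, here is an added example (not from the original post) that parses the "no matching ... found: client ... server ..." message, tallies which algorithms the rejected clients offered, and checks that the list sshd actually advertised matches the set you intended to configure. The sample log lines and the cipher names in them are constructed for the example, and the MAC and key-exchange variants of the message are assumed to share the same "client/server" shape.

```python
import re
from collections import Counter

# Constructed sample auth.log lines in the format quoted above (not the author's log).
SAMPLE_AUTH_LOG = """\
Mar  1 10:14:02 host sshd[1234]: fatal: no matching cipher found: client aes128-ctr,aes256-cbc,3des-cbc server aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
Mar  1 10:14:05 host sshd[1235]: fatal: no matching cipher found: client aes128-cbc,arcfour,3des-cbc server aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
Mar  1 10:15:11 host sshd[1236]: Accepted publickey for alice from 192.0.2.10 port 50110 ssh2
"""

# "client <offer> server <offer>" is the shape of the sshd 6.x message shown in the post;
# the MAC and key-exchange variants are assumed here to follow the same shape.
_NEG_FAIL = re.compile(
    r"fatal: no matching (?P<what>cipher|MAC|key exchange method) found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)

def parse_negotiation_failure(line):
    """Return {'what', 'client', 'server'} for a failed-negotiation line, else None."""
    m = _NEG_FAIL.search(line)
    if m is None:
        return None
    return {
        "what": m.group("what"),
        "client": m.group("client").split(","),
        "server": m.group("server").split(","),
    }

def summarize(lines):
    """Count failures per algorithm type and tally which algorithms the rejected clients offered."""
    failures, offered = Counter(), {}
    for rec in filter(None, map(parse_negotiation_failure, lines)):
        failures[rec["what"]] += 1
        offered.setdefault(rec["what"], Counter()).update(rec["client"])
    return failures, offered

def check_server_offer(lines, expected):
    """Config-drift check: algorithms sshd advertised that are not in your intended set.

    `expected` maps the type ("cipher", "MAC", "key exchange method") to the set you
    configured. The server list in the log is what sshd actually offered, so any
    extra name means the running config is not the one you think it is.
    """
    unexpected = set()
    for rec in filter(None, map(parse_negotiation_failure, lines)):
        if rec["what"] in expected:
            unexpected |= set(rec["server"]) - expected[rec["what"]]
    return unexpected
```

Feed it `open("/var/log/auth.log")` instead of the sample to see which legacy algorithms the bots hitting your host still rely on; an empty result from `check_server_offer` confirms the restricted lists are the ones sshd is really using.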
Please keep in mind that this will not prevent bots from attacking you (in the future) and that you have to mitigate these attacks by other means. I only wrote this post because I thought it was kind of interesting that SSH bots do not support these settings right now.