======5.2.11 Ensure only approved ciphers are used (Scored)======
=====Profile Applicability=====  
<code>
Level 1 - Server
Level 1 - Workstation 
</code>

=====Description=====
This variable limits the types of ciphers that SSH can use during communication.

=====Rationale=====
Based on research conducted at various institutions, it was determined that the symmetric portion of the SSH Transport Protocol (as described in RFC 4253) has security weaknesses that allowed recovery of up to 32 bits of plaintext from a block of ciphertext that was encrypted with the Cipher Block Chaining (CBD) method. From that research, new Counter mode algorithms (as described in RFC4344) were designed that are not vulnerable to these types of attacks and these algorithms are now recommended for standard use.

=====Audit===== 
Run the following command and verify that output does not contain any cipher block chaining (-cbc) algorithms:
<Code:bash>
# grep "Ciphers" /etc/ssh/sshd_config 
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com
</Code>

=====Remediation===== 
Edit the ''/etc/ssh/sshd_config'' file to set the parameter as follows:
<Code:bash>
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
</Code>

=====References===== 
For more information on the Counter mode algorithms, read RFC4344 at http://www.ietf.org/rfc/rfc4344.txt

=====Notes===== 
Some organizations may have stricter requirements for approved ciphers. Ensure that ciphers used are in compliance with site policy.