5.2.11 Ensure only approved ciphers are used (Scored)

Level 1 - Server
Level 1 - Workstation 

This variable limits the types of ciphers that SSH can use during communication.

Based on research conducted at various institutions, it was determined that the symmetric portion of the SSH Transport Protocol (as described in RFC 4253) has security weaknesses that allowed recovery of up to 32 bits of plaintext from a block of ciphertext that was encrypted with the Cipher Block Chaining (CBD) method. From that research, new Counter mode algorithms (as described in RFC4344) were designed that are not vulnerable to these types of attacks and these algorithms are now recommended for standard use.

Run the following command and verify that output does not contain any cipher block chaining (-cbc) algorithms:

# grep "Ciphers" /etc/ssh/sshd_config 
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com

Edit the /etc/ssh/sshd_config file to set the parameter as follows:

Ciphers aes256-ctr,aes192-ctr,aes128-ctr

For more information on the Counter mode algorithms, read RFC4344 at http://www.ietf.org/rfc/rfc4344.txt

Some organizations may have stricter requirements for approved ciphers. Ensure that ciphers used are in compliance with site policy.