Skip to main content

Remediation Steps

Follow the steps below to remediate this finding on Linux (Debian/Ubuntu).

  1. Edit /etc/ssh/sshd_config and restrict the Ciphers directive to exclude CBC mode ciphers:

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

  2. Restart the SSH service:

    sudo systemctl restart ssh

  3. Verify with:

    ssh -Q cipher localhost
Back to top