To disable RC4 and use secure ciphers on the SSH server, hard-code the following in /etc/ssh/sshd_config:
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
OR if you prefer not to dictate ciphers but merely want to strip out insecure ciphers, run this on the command line instead (in sudo mode):
sshd -T | grep ciphers | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g" >> /etc/ssh/sshd_config
You can check the ciphers currently used by your server with:
sudo sshd -T | grep ciphers | perl -pe 's/,/\n/g' | sort -u
Make sure your ssh client can use these ciphers; run
ssh -Q cipher | sort -u
to see the list.
You can also instruct your SSH client to negotiate only secure ciphers with remote servers. In /etc/ssh/ssh_config set:
Host *
    ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
The above snippets come from here.
To test your server's settings you can use ssh-audit.
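As an added example (not part of the answer above), here is a small POSIX sh script that audits a "ciphers ..." line of the kind `sshd -T` prints, reporting RC4 and CBC-mode entries and producing the cleaned list, so you can verify a server before and after applying the change. The sample line is constructed to look like an old server's output; the weak-cipher patterns mirror the names the sed command above strips.

```shell
#!/bin/sh
# Added example, not from the original answer.
# Audit an sshd cipher list: flag RC4 (arcfour*) and any CBC-mode cipher,
# matching the set the sed one-liner above removes.

# Constructed sample, shaped like `sshd -T | grep ciphers` on an old server.
SAMPLE_LINE='ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se,chacha20-poly1305@openssh.com'

# Print each weak cipher on its own line. Exit 0 if none found, 1 otherwise.
weak_ciphers() {
    line=$1
    list=${line#[Cc]iphers }      # drop the keyword if present
    found=0
    old_ifs=$IFS
    IFS=,
    for c in $list; do
        case $c in
            arcfour*|*-cbc|*-cbc@*)
                echo "$c"
                found=1 ;;
        esac
    done
    IFS=$old_ifs
    [ "$found" -eq 0 ]
}

# Print the same list with the weak entries removed, comma-separated,
# ready to paste after "Ciphers" in sshd_config.
secure_ciphers() {
    line=$1
    list=${line#[Cc]iphers }
    out=""
    old_ifs=$IFS
    IFS=,
    for c in $list; do
        case $c in
            arcfour*|*-cbc|*-cbc@*) ;;
            *) out="${out:+$out,}$c" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# On a real host: weak_ciphers "$(sudo sshd -T | grep '^ciphers')"
weak_ciphers "$SAMPLE_LINE" || echo "weak ciphers present"
secure_ciphers "$SAMPLE_LINE"
```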