05-30-2022 01:44 PM
Dear,
I would like to know, based on the provider's good security practices, what is recommended to establish as a security algorithm.
Leave the CBC or CTR?
IP ssh server algorithm encryption aes128-cbc 3des-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
05-31-2022 12:05 AM
@Servicio Tac use CTR as your preferred SSH crypto algorithm, possibly with CBC as fallback - though most SSH clients would support CTR.
You should definitely remove 3DES.
07-15-2022 07:07 AM
Hello!
Like Mr. Ingram said, absolutely remove 3des. However, I would remove CBC algorithms; they're typically problematic during security audits, as the Initialization Vector (IV) is not randomized as it should be.
I would reissue the command like this:
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
WHY: You always want to put your strongest algorithms first, as typical systems will attempt to use the first ones presented first. If you wanted to go a bit more secure but risk "compatibility" (as in a system not supporting one of the algorithms), you could also trim off aes128-ctr (though this is not recommended as AES128 is still considered a "safe" algorithm).
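Added example, not part of the original replies: a Python check that applies the advice in this thread to a saved configuration, flagging 3DES and CBC entries and rebuilding the command with the configured CTR ciphers ordered strongest first. The function name `audit_ssh_ciphers` and the sample configuration are constructed for illustration.

```python
import re

# Preference order recommended in the thread: CTR only, strongest key first.
PREFERRED = ["aes256-ctr", "aes192-ctr", "aes128-ctr"]
LINE_RE = re.compile(r"^\s*ip ssh server algorithm encryption\s+(.+?)\s*$",
                     re.IGNORECASE | re.MULTILINE)


def audit_ssh_ciphers(config_text):
    """Return (findings, suggested_command) for an IOS-style config."""
    match = LINE_RE.search(config_text)
    if match is None:
        return (["no 'ip ssh server algorithm encryption' line: "
                 "platform defaults apply, check them on the device"], None)

    ciphers = match.group(1).lower().split()
    findings = []
    for name in ciphers:
        if name.startswith("3des"):
            findings.append(f"{name}: 3DES should be removed")
        elif name.endswith("-cbc"):
            findings.append(f"{name}: CBC mode, remove or keep only as fallback")
        elif name not in PREFERRED:
            findings.append(f"{name}: not in the CTR list from the thread, review")

    # Keep only CTR ciphers already configured, reordered strongest first.
    kept = [c for c in PREFERRED if c in ciphers]
    if [c for c in ciphers if c in PREFERRED] != kept:
        findings.append("CTR ciphers are not ordered strongest first")
    if not kept:
        findings.append("no CTR cipher configured")
        return findings, None
    return findings, "ip ssh server algorithm encryption " + " ".join(kept)


# Constructed sample: the line from the question inside a minimal config.
SAMPLE_CONFIG = """\
hostname lab-sw1
ip ssh version 2
IP ssh server algorithm encryption aes128-cbc 3des-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
"""

if __name__ == "__main__":
    findings, command = audit_ssh_ciphers(SAMPLE_CONFIG)
    for item in findings:
        print("FINDING:", item)
    print("SUGGESTED:", command)
```

Run against the line from the question, it reports the three CBC entries, the 3DES entry and the weakest-first CTR ordering, and suggests the same command given in the reply above.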