环境：Centos7.9

扫描软件: Nessus

结果:

解决方法:

1.[root@cdb19 ssh]# vim /etc/ssh/sshd_config

原来是

# Ciphers and keying

#RekeyLimit default none

改为(添加后两行)

# Ciphers and keying

#RekeyLimit default none

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour

Macs hmac-sha1,hmac-ripemd160

2.重启sshd  

[root@cdb19 ssh]# systemctl restart sshd

验证方法:

使用Nmap验证

nmap --script ssh2-enum-algos -sV -p 22  目标IP

更改前:

[root@gacoratest001 ~]# nmap --script ssh2-enum-algos -sV -p 22 10.8.98.150

Starting Nmap 5.51 ( http://nmap.org ) at 2021-08-10 11:55 CST

mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers

Nmap scan report for 10.8.98.150

Host is up (0.0010s latency).

PORT   STATE SERVICE VERSION

22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)

| ssh2-enum-algos: 

|   kex_algorithms (12)

|       curve25519-sha256

|       curve25519-sha256@libssh.org

|       ecdh-sha2-nistp256

|       ecdh-sha2-nistp384

|       ecdh-sha2-nistp521

|       diffie-hellman-group-exchange-sha256

|       diffie-hellman-group16-sha512

|       diffie-hellman-group18-sha512

|       diffie-hellman-group-exchange-sha1

|       diffie-hellman-group14-sha256

|       diffie-hellman-group14-sha1

|       diffie-hellman-group1-sha1

|   server_host_key_algorithms (5)

|       ssh-rsa

|       rsa-sha2-512

|       rsa-sha2-256

|       ecdsa-sha2-nistp256

|       ssh-ed25519

|   encryption_algorithms (12)

|       chacha20-poly1305@openssh.com

|       aes128-ctr

|       aes192-ctr

|       aes256-ctr

|       aes128-gcm@openssh.com

|       aes256-gcm@openssh.com

|       aes128-cbc

|       aes192-cbc

|       aes256-cbc

|       blowfish-cbc

|       cast128-cbc

|       3des-cbc

|   mac_algorithms (10)

|       umac-64-etm@openssh.com

|       umac-128-etm@openssh.com

|       hmac-sha2-256-etm@openssh.com

|       hmac-sha2-512-etm@openssh.com

|       hmac-sha1-etm@openssh.com

|       umac-64@openssh.com

|       umac-128@openssh.com

|       hmac-sha2-256

|       hmac-sha2-512

|       hmac-sha1

|   compression_algorithms (2)

|       none

|_      zlib@openssh.com

MAC Address: 00:50:56:9D:BD:11 (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

更改后

|   encryption_algorithms (6)

|       aes128-ctr

|       aes192-ctr

|       aes256-ctr

|       arcfour256

|       arcfour128

|       arcfour