NethServer Version: 7.8.2003
/etc/ssh/sshd_config contains NO cipher definitions, leaving SSHD to pick/use the defaults. Since the SSH server is configured to support Cipher Block Chaining (CBC) encryption, this may allow an attacker to recover the plaintext message from the ciphertext.
The cockpit doesn’t have any allowance for cipher selections or a ‘secure’ profile. Curiously, you [NS] recommend changing the port instead of using the fail2ban app, and don’t have any method to dismiss the alert presented. It’s an unusual way to face security.
No allowance is made to adjust ciphers here.
Solution: edit the /etc/ssh/sshd_config file to add a line:
Unfortunately, this will get overwritten if anyone adjusts the daemon through the gui.
Recommendation: Just add the ciphers line as part of a security patch. Alternately, add a check mark to use more secure ciphers.
On a personal note, I think security through obscurity is bad. If the problem (ciphers, tls, whatever) is fixed/hardened, then there’s no need to use a non-standard port.
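A small check that goes with the report above, added here as an example and not part of the original post or of NethServer itself: it reads `sshd -T` style output (the resolved configuration OpenSSH prints, including defaults, so a missing `Ciphers` line is covered) and lists every cipher still offered in CBC mode. The input below is a constructed sample, not captured from a real host; the function and variable names are this example's own, and it assumes a POSIX shell with awk.

```shell
#!/bin/sh
# Added example (not from the original post): find CBC-mode ciphers in the
# effective sshd configuration. On a live host, pipe in `sshd -T` instead
# of the constructed sample below.

# Constructed sample of one line from `sshd -T` on a host that still
# negotiates CBC modes. Not captured from a real system.
SAMPLE_SSHD_T='ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc'

# Read sshd -T style text on stdin and print each cipher whose name ends
# in "-cbc", one per line (prints nothing if the host offers none).
list_cbc_ciphers() {
    awk 'tolower($1) == "ciphers" {
            n = split($2, c, ",")
            for (i = 1; i <= n; i++)
                if (tolower(c[i]) ~ /-cbc$/) print c[i]
         }'
}

# Number of CBC ciphers in the given sshd -T text (0 when none are offered).
count_cbc_ciphers() {
    printf '%s\n' "$1" | list_cbc_ciphers | wc -l | tr -d ' '
}

# Demonstration on the constructed sample. Re-running this after editing
# sshd_config (or after the GUI rewrites it) shows whether the hardening
# actually took effect in the running daemon's view of its config.
if [ "$(count_cbc_ciphers "$SAMPLE_SSHD_T")" -gt 0 ]; then
    echo "CBC-mode ciphers still offered by sshd:"
    printf '%s\n' "$SAMPLE_SSHD_T" | list_cbc_ciphers
else
    echo "No CBC-mode ciphers offered."
fi
```

Because the check reads the daemon's resolved configuration rather than the file, it also catches the situation the post describes, where a GUI save silently overwrites a hand-edited `sshd_config`.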