How to Check and Disable SSH Ciphers on TX-Series Devices
This article explains how to display the SSH ciphers currently enabled on Trend Micro TX-Series devices and how to disable weak or deprecated ciphers to enhance security.
1. Check Currently Enabled SSH Ciphers
To view all enabled SSH ciphers on the TX-Series appliance, access the device CLI and run the following command:
debug ssh ciphers show
This command lists all SSH ciphers currently enabled on the device. Review the list for weak or deprecated ciphers, especially CBC-mode ciphers such as aes128-cbc and aes256-cbc, which are known to have vulnerabilities.
2. Disable Weak or Deprecated SSH Ciphers
If you identify any weak ciphers in the list, you can disable them immediately using the commands below:
debug ssh ciphers aes128-cbc disable
debug ssh ciphers aes256-cbc disable
Use the same command format to disable any additional ciphers flagged by vulnerability assessments or internal security policies.
Important Notes:
- Disabling SSH ciphers takes effect immediately without needing to restart the device.
- Exercise caution when disabling ciphers, as doing so may interrupt active SSH sessions that rely on those ciphers.
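To confirm the change from the network side, the sketch below parses the SSH_MSG_KEXINIT payload a server sends at the start of a connection (RFC 4253, section 7.1) and reports any CBC-mode ciphers it still offers. This is an added example, not Trend Micro code; the function names are hypothetical, and the sample payloads are constructed in the script rather than captured from a TX-Series device.

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload (message type byte onward) into name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}  # skip the type byte and the 16-byte cookie
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list body")
        raw = payload[pos:pos + n].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        pos += n
    return lists


def cbc_ciphers_offered(payload: bytes) -> list:
    """Return CBC-mode ciphers the server still offers in either direction."""
    lists = parse_kexinit(payload)
    offered = set(lists["enc_c2s"]) | set(lists["enc_s2c"])
    return sorted(c for c in offered if "-cbc" in c)


def build_sample(ciphers: list) -> bytes:
    """Constructed KEXINIT payload for offline testing (not a device capture)."""
    def name_list(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # all-zero cookie
    body += name_list(["curve25519-sha256"]) + name_list(["ssh-ed25519"])
    body += name_list(ciphers) * 2  # same list for both directions
    body += name_list(["hmac-sha2-256"]) * 2 + name_list(["none"]) * 2
    return body + name_list([]) * 2 + b"\x00" + struct.pack(">I", 0)


if __name__ == "__main__":
    for ciphers in (["aes128-ctr", "aes128-cbc", "aes256-cbc"], ["aes128-ctr"]):
        print(ciphers, "->", cbc_ciphers_offered(build_sample(ciphers)))
```

An empty result after the disable commands means the server no longer advertises CBC ciphers; a non-empty result lists the ones still to be disabled.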
Summary
Regularly auditing and disabling weak SSH ciphers on TX-Series devices ensures stronger cryptographic security and helps protect the device management interface from potential vulnerabilities.
For further assistance or advanced configuration options related to SSH or cryptographic settings, please contact Trend Micro support.
