Today I discovered a terrific website for checking an SSH server’s configuration: sshcheck. Point sshcheck at an SSH server and it will produce a report about the server’s key exchange, encryption, and MAC algorithms, indicating if any are considered insecure.
Once I had an idea of what needed to be fixed, I cross-checked settings with Mozilla’s OpenSSH Security Guidelines.
What I ended up with for my own server:
    KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
    MACs hmac-sha2-512,hmac-sha2-256,[email protected]
    Ciphers [email protected],[email protected],[email protected],aes256-ctr
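To check a server's effective algorithm lists offline, the following added script (not from the post, sshcheck or Mozilla) parses either an sshd_config fragment or the output of `sshd -T` and reports algorithms matching an assumed deny-list of commonly cited weak families (SHA-1 and MD5 MACs and key exchanges, CBC and legacy ciphers, truncated MAC tags); the sample input is constructed.

```python
import re
from typing import Dict, List

# Assumed policy (not from the original post): algorithm name patterns for
# families commonly cited as weak. Anything matching is reported.
WEAK_PATTERNS = {
    "kex": [r"sha1$", r"group1-"],
    "ciphers": [r"cbc$", r"arcfour", r"rc4", r"3des", r"blowfish", r"cast128"],
    "macs": [r"md5", r"sha1", r"-96", r"umac-64"],
}

# Accept both sshd_config keywords and the lowercase spelling `sshd -T` prints
KEYWORDS = {"kexalgorithms": "kex", "ciphers": "ciphers", "macs": "macs"}


def parse_algorithms(text: str) -> Dict[str, List[str]]:
    """Return {category: [algorithm, ...]} from sshd_config or `sshd -T` text."""
    found: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in KEYWORDS:
            # A leading '+', '-' or '^' modifies the default list; the names
            # listed are audited the same way regardless of the prefix.
            found[KEYWORDS[key]] = [a for a in value.lstrip("+-^").split(",") if a]
    return found


def audit(text: str) -> Dict[str, List[str]]:
    """Return only the configured algorithms that match a weak pattern."""
    report: Dict[str, List[str]] = {}
    for category, algos in parse_algorithms(text).items():
        weak = [a for a in algos
                if any(re.search(p, a) for p in WEAK_PATTERNS[category])]
        if weak:
            report[category] = weak
    return report


# Constructed sample in the style of `sshd -T` output, with weak entries mixed in
SAMPLE = """\
kexalgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
ciphers aes256-ctr,aes128-cbc,3des-cbc
macs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-md5-96
"""

if __name__ == "__main__":
    for category, weak in audit(SAMPLE).items():
        print(f"{category}: weak algorithms present: {', '.join(weak)}")
```

Run it against `sshd -T` output captured on the host to see which entries the defaults still allow before tightening the three directives above.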
The Mozilla guide also includes suggestions on how to configure an SSH client to use a restricted set of secure algorithms.