Disable weak SSH/SSL ciphers on Cisco IOS (2023)

SSH

Network equipment manufacturers (all I think) who enable SSH v1 by default really annoys me. Most Windows users connect using Putty, which supports SSH v2. You need to set putty as the default for SSH V2:

MAC/Linux users use OpenSSh, which also supports SSH V2. On MAC/Linux, situations can arise where weak ciphers are used and OpenSSH is unable to connect.

You will see a message similar to

ssh mhubbard@10.20.1.7 Cannot negotiate with 10.20.1.7 port 22: no suitable key exchange method found. Your offer: diffie-hellman-group1-sha1

This is easy to solve:

1. Open the SSH configuration file - gedit ~/.ssh/config
2. Add the host IP and required ciphers. KEX is key exchange:
Host 10.20.1.7
Kex-Algorithmen +diffie-hellman-group1-sha1
3des-cbc-Figuren

On a very old switch I found a host key exchange algorithm I had never heard of: "ssh-dss". I had to add HostKeyAlgorithms=+ssh-dss to connect.

If you only log in to this device once or twice, you can use the following without changing the SSH configuration file:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 10.20.1.7

You can use the "-G" option and SSH will show you the ciphers offered by SSH:

ssh -G mhubbard@10.20.1.7

The OpenSSH website has a page dedicated to legacy ciphers
Ciphers inherited from openssh

Remove weak SSH algorithms

All commands shown are from a running 2960x:
Version 15.2(4)E8 - Major Deployment (MD) of March 18, 2019

First, let's look at the default SSH configuration.

mostrar ip ssh

SSH enabled - version 1.99
Authentication methods: public key, interactive keyboard, password
Authentication public key algorithms: x509v3-ssh-rsa,ssh-rsa
Hostschlüsselalgorithmen: x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbcc
MAC algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 seconds; Authentication attempts: 3
Expected minimum key size for Diffie Hellman:1024 Bit
IOS key in SECSH format (ssh-rsa, base64 encoded): TP-self-signed-1676064512
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCjsPhP/zpPgra0d3wzzt8fDZnKL4sUtCh0DVmV0fH6
m+/Xke7IRMvxg2OEk333uHlKD+Ww6w8D2eMOzY7/R6edHA4UtKXwohJN1OZKS1ltL4tDSZSIeLO3juOL
GfxKBtvGd30Y2jzYYMmTQGP9u1VrKdQRKAU13/c+iOiQPi3Q4w==

"Version 1.99" means it supports SSH v1 and v2. We want to disable v1 and remove the cbc and 3Des ciphers. These are "Cipher Block Chain" algorithms and will cause an error during a penetration test.

In global configuration mode, enter:

ip ssh version 2 ! Disable V1ip ssh server encryption algorithm aes256-ctr aes128-ctrip ssh server algorithm mac hmac-sha1no ip ssh server algorithm mac hmac-sha1-96

You should also run the following to secure SSH

cryptographic key rsa module generate 4096 label SSH-KEYS!Note that generating 4096-bit keys can take up to 3 minutes.ip ssh rsa key pair name SSH-KEYS !Associate keys with SSH!Minimum bit size for the Set connection from client IP ssh i.e. minimum size 2048

Let's see what SSH looks like now:

mostrar ip ssh

SSH enabled - version 2.0
Authentication methods: public key, interactive keyboard, password
Authentication public key algorithms: x509v3-ssh-rsa,ssh-rsa
Hostschlüsselalgorithmen: x509v3-ssh-rsa,ssh-rsa
ssh ip server algorithm encryptionaes256-ctr aes128-ctr
MAC algorithms:hmac-sha1
Authentication timeout: 120 seconds; Authentication attempts: 3
Expected minimum key size for Diffie Hellman:2048 Bit
IOS key in SECSH format (ssh-rsa, base64-encoded): SSH-KEYS
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5KQxmPn8tyfK+9fq6NC75whEQD02Poopz9SE/SKeP
ibO8KM7kSVdwy7anUhmgiX5jGmpecTFoP+txdA+KuEszAL5x8aeNZsPAykqBU6JClIz3fnMKjgoIqFlZ
mwhL0Qow4OGrd52EkRNRxAc2TYpBr5p0ICdaxeHd7etzgXjkwcZpQ1e2kqvV9XU94LBO1R93AgYYLCsT
nFsKga4tvvikXqKuwe3tfWKzNfO4LY1mZE9FXecoNW0Kb8p4U/pO/w69oEbHmmH7BfgWSHCCVZlgBhcf
DtJa+oVnqHrMwVza+ViTMQLghvt63zewvTN2I235K6W+GhgUmx6p+Q62Rsrfrc+4K5ECVKNf7fzmlg6X
Zs+P3WKgP8rh2z7ObTT917pp1VXw4pUkeqCCtMEmkiICO0TzU1dXyuoEPNGeES8wxYOSdaMA0DGEL34p
Ccb6hb1RQbHjSjQZfDOXaZ0UwXtVJ07v7PR7fOhFHem58w2P+qmCwnEYFZrZhizR1y1SUDxs6Z7vZV98
cyoTo98dWG4WDGiHM1loLq3SA3OMfceq5g2waPVBNmpZlzXitCTern1bZ15zdLvhxY1589A/TaSZuMeP
lhjQ1mlYp3qf0Jt7eoaWNPRV/i0VUaRfxNBefiNBI5pS8ybj3bhfWpZe8QOOMAHRahAPPI9PasOBuMHR

In 2020, that's still pretty bad, but read on! Cisco added newer ciphers and removed some obsolete ciphers in newer IOS versions. You can check what's available in your version using:

test(config)#ip ssh server algorithm encryption ?

3des-cbc Three button 3DES in CBC mode
aes128-cbc 128-bit AES without CBC mode
aes128-ctr AES with 128-bit key in CTR mode
aes192-cbc AES mit 192 Bit ohne Modo CBC
aes192-ctr AES with 192-bit key in CTR mode
aes256-cbc AES mit 256 Bits ohne Modo CBC
aes256-ctr AES com chave de 256 bits no modo CTR

test(config)#ip ssh server algoritmo mac ?

hmac-sha1 HMAC-SHA1 (summary length = key length = 160 bits)
hmac-sha1-96 HMAC-SHA1-96 (summary length = 96 bits, key length = 160 bits)

If you look at the authentication in the output, you'll see that public key is an option. I wrote a blog showing how to use SSH keys instead of passwords -
Authentication to Cisco devices with SSH keys

Bad SSL ciphers

First, let's look at the current secure server settings. To view all possible secure server configurations:

sh-ip-server http

all HTTP server all information
connection HTTP server connection information
External external HTTP record
history HTTP-Serververlaufsinformationen
Secure HTTP server status information
Session Module Information about the session module of the HTTP server application
The statistics The statistical information of the HTTP server
status Information about the status of the HTTP server

sh ip server http alle 

HTTP Server Status: Disabled
HTTP-Serverport: 80
HTTP server authentication method: local
HTTP server access class: 0
Basispfad des HTTP-Servers: flash:/c2960x-universalk9-mz.152-4.E8/html
HTTP-Server-Hilfe-Root:
Maximum number of simultaneous server connections allowed: 16
Maximum number of secondary server connections allowed: 5
Server inactivity timeout: 180 seconds
Server lifetime limit: 180 seconds
Server session inactivity timeout: 180 seconds
Maximum allowed number of requests for a connection: 25
Active HTTP server session modules: ALL
HTTP Secure Server Capability: Present
Secure HTTP Server Status: Enabled
HTTP server secure port: 443
HTTP security server cipher set:e-aes-128-cbc-sha e-aes-256-cbc-sha
edche-rsa-aes-256-cbc-sha edche-rsa-rc4-128-sha
HTTP Secure Server Client Authentication: Disabled
HTTP Security Server Trust Point:
HTTP Secure Server Active Session-Module: ALLE

To see who is connected to the switch over TLS:

sh ip HTTP-Serververbindung

Current HTTP server connections:
local-ipaddress:port remote-ipaddress:porta In-Bytes Out-Bytes
192.168.10.31:443 192.168.10.211:55014 1394 586227

View available current cipher suites

ip http secure encryption ?

aes-128-cbc-sha Kryptografischer Typ tls_rsa_with_aes_cbc_128_sha
series of figures
aes-256-cbc-sha Kryptografischer Typ tls_rsa_with_aes_cbc_256_sha
series of figures
and-aes-128-cbc-sha Cryptography type tls_dhe_rsa_with_aes_128_cbc_sha
set of numbers
and-aes-256-cbc-sha Cryptography type tls_dhe_rsa_with_aes_256_cbc_sha
series of figures
edche-rsa-aes-256-cbc-sha Cryptography type tls_ecdhe_rsa_aes_256_cbc_sha
series of figures
edche-rsa-rc4-128-sha encryption type tls_ecdhe_rsa_rc4_128_sha
series of figures
null-sha Type der Cryptography tls_rsa_with_null_sha ciphersuite

Note that rc4 and null are supported!

To check what the switch offers, I ran the nmap ssl-cert and ciphers script.

sudo nmap --script ssl-cert,ssl-enum-ciphers -p 443 192.168.10.31

Nmap scan report for 10.241.3.40
Host is up, received TTL 254 echo reply (0.10 sec latency).
Scanned on 06/18/2020 3:28:06 PDT for 3s

REASON FOR PORT STATE SERVICE
443/tcp aberto https syn-ack ttl 254
| ssl-cert: Betreff: commonName=IOS-Self-Signed-Certificate-1302447744
| Emissor: commonName=IOS-Self-Signed-Certificate-1302447744
🇧🇷 Public key type: rsa
🇧🇷 Public key bits: 1024
🇧🇷 Signaturalgorithmus: sha1WithRSAEncryption
🇧🇷 Not valid before: 2020-06-16T22:55:16
🇧🇷 Not valid after: 2030-01-01T00:00:00
| MD5: c522 61ff 31c4 c9aa 971d 7cfd 4eb7 14de
| SHA-1: 50fb 7c7d d6a8 86c0 ba67 1293 11d7 f529 058e e1de
🇧🇷 -----START CERTIFICATE-----
| MIICKzCCAZSgAwIBAgIBATANBgkqhkiG9w0BAQUFADAxMS8wLQYDVQQDEyZJT1Mt
| U2VsZi1TaWduZWQtQ2VydGlmaWNhdGUtMTMwMjQ0Nzc0NDAeFw0yMDA2MTYyMjU1
| MTZaFw0zMDAxMDEwMDAwMDBaMDExLzAtBgNVBAMTJklPUy1TZWxmLVNpZ25lZC1D
| ZXJ0aWZpY2F0ZS0xMzAyNDQ3NzQ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
| gQDCgxwOBYowFY7GgS3Q81u6CRTzcaEb2SwZvzSsjTLmHPqrB7OYgGukAgs19+Xa
| 8jRS3jY4Q492RtpyBAb4BU9naHXRKvD2zB5e9QDreeFOf73If6f8V/BtjqSozYZW
| N0RPpgqIWVbgQbkr1eBbnXgE1/TO7czYcjae/OTSZwQL1QIDAQABo1MwUTAPBgNV
| HRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFDL08Ihv1OFKYBqkbHJ5wpXt3G7IMB0G
| A1UdDgQWBBQy9PCIb9ThSmAapGxyecKV7dxuyDANBgkqhkiG9w0BAQUFAAOBgQCH
| GxSZ29CUBrvCkDU4knDw9WmdLKqgMl88+dpZmOO758+o4B8lMT0f+Ixny7drFIJ7
| rrkhrqpCHnLDJtXYcINiaKASs3tPIpQ21nQ1r5WTdW8GqaTVcOBIFG0KWlJGVmsF
| RepCnGblGV/3mrUWImNU8xwY+uZS2vAFKAVXYVLk5w==
|_-----END OF CERTIFICATE-----
| ssl-enum-cifras:
| TLSv1.1:
| Counting:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
🇧🇷 The compressor:
🇧🇷 NULL
🇧🇷 Encryption preference: Customer
| Hints:
🇧🇷 Weak certificate signing: SHA1
| TLSv1.2:
| Counting:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
🇧🇷 The compressor:
🇧🇷 NULL
🇧🇷 Encryption preference: Customer
| Hints:
🇧🇷 Weak certificate signing: SHA1
|_ smallest force: A
465/tcp smtps reset closed ttl 254
993/tcp closed imaps reset ttl 254
995/tcp pop3s closed reset ttl 254
3389/tcp beendet ms-wbt-server reset ttl 254

NSE: Script-Post-Scan.
NSE: Start checking runlevel 1 (from 1).
Start NSE at 15:28
NSE completed at 15:28, 0.00 seconds elapsed
Read data files from: /usr/local/bin/../share/nmap
Nmap completed: scanned 1 IP address (1 host enabled) in 2.71 seconds
Raw packets sent: 9 (372B) | Received: 6 (232B)

To secure TLS I upgraded to 15.2.7E2. This release allows disabling TLS 1.0 and 1.1. To pass a penetration test, you must disable both. When the update is complete, run the following:

test(config)#ip http sichere chiffresuite ?

aes-128-cbc-sha Type of Cryptography tls_rsa_with_aes_cbc_128_sha Ciphersuite
aes-256-cbc-sha Type of Cryptography tls_rsa_with_aes_cbc_256_sha Ciphersuite
and-aes-128-cbc-sha Typ der Kryptografie tls_dhe_rsa_with_aes_128_cbc_sha Ciphersuite
edche-rsa-aes-256-cbc-sha Typ der Kryptografie tls_ecdhe_rsa_aes_256_cbc_sha ciphersuite

test(config)#ip http secure-ciphersuite edche-rsa-aes-256-cbc-sha aes-256-cbc-sha

test(config)#ip http tls-version ?

TLSv1.0 Set only the TLSv1.0 version
TLSv1.1 Set only the TLSv1.1 version
TLSv1.2 Set only the TLSv1.2 version

test(config)#ip http tls-version tlsv1.2

To check, I ran the nmap ssl-cert and ciphers scripts again. Only TLS 1.2 is enabled this time.

sudo nmap --script ssl-cert,ssl-enum-ciphers -p 443 192.168.10.31

Nmap scan report for 192.168.10.31
Host is up, received TTL 254 echo reply (latency 0.0072s).
Scanned on 06/18/2020 3:50:03 PDT for 3s

REASON FOR PORT STATE SERVICE
443/tcp aberto https syn-ack ttl 254
| ssl-cert: Betreff: commonName=IOS-Self-Signed-Certificate-1302447744
| Emissor: commonName=IOS-Self-Signed-Certificate-1302447744
🇧🇷 Public key type: rsa
🇧🇷 Public key bits: 1024
🇧🇷 Signaturalgorithmus: sha1WithRSAEncryption
🇧🇷 Not valid before: 2020-06-16T22:55:16
🇧🇷 Not valid after: 2030-01-01T00:00:00
| MD5: c522 61ff 31c4 c9aa 971d 7cfd 4eb7 14de
| SHA-1: 50fb 7c7d d6a8 86c0 ba67 1293 11d7 f529 058e e1de
🇧🇷 -----START CERTIFICATE-----
| MIICKzCCAZSgAwIBAgIBATANBgkqhkiG9w0BAQUFADAxMS8wLQYDVQQDEyZJT1Mt
| U2VsZi1TaWduZWQtQ2VydGlmaWNhdGUtMTMwMjQ0Nzc0NDAeFw0yMDA2MTYyMjU1
| MTZaFw0zMDAxMDEwMDAwMDBaMDExLzAtBgNVBAMTJklPUy1TZWxmLVNpZ25lZC1D
| ZXJ0aWZpY2F0ZS0xMzAyNDQ3NzQ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
| gQDCgxwOBYowFY7GgS3Q81u6CRTzcaEb2SwZvzSsjTLmHPqrB7OYgGukAgs19+Xa
| 8jRS3jY4Q492RtpyBAb4BU9naHXRKvD2zB5e9QDreeFOf73If6f8V/BtjqSozYZW
| N0RPpgqIWVbgQbkr1eBbnXgE1/TO7czYcjae/OTSZwQL1QIDAQABo1MwUTAPBgNV
| HRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFDL08Ihv1OFKYBqkbHJ5wpXt3G7IMB0G
| A1UdDgQWBBQy9PCIb9ThSmAapGxyecKV7dxuyDANBgkqhkiG9w0BAQUFAAOBgQCH
| GxSZ29CUBrvCkDU4knDw9WmdLKqgMl88+dpZmOO758+o4B8lMT0f+Ixny7drFIJ7
| rrkhrqpCHnLDJtXYcINiaKASs3tPIpQ21nQ1r5WTdW8GqaTVcOBIFG0KWlJGVmsF
| RepCnGblGV/3mrUWImNU8xwY+uZS2vAFKAVXYVLk5w==
|_-----END OF CERTIFICATE-----
| ssl-enum-cifras:
| TLSv1.2:
| Counting:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
🇧🇷 The compressor:
🇧🇷 NULL
🇧🇷 Encryption preference: Customer
| Hints:
🇧🇷 Weak certificate signing: SHA1
|_ smallest force: A

NSE: Script-Post-Scan.
NSE: Start checking runlevel 1 (from 1).
Start NSE at 15:50
NSE completed at 15:50, 0.00 seconds elapsed
Read data files from: /usr/local/bin/../share/nmap
Nmap completed: scanned 1 IP address (1 live host) in 2.99 seconds
Raw packets sent: 5 (196B) | Received: 2 (72B)

Results

You can see it still uses SHA1 as the certificate signing. You can useCiphersuite informationcompare different numbers.

Email or SSH?

Let's see what's new for SSH in 15.7.2E2.

Mac SSH IP Server Algorithm?

hmac-sha1 HMAC-SHA1 (summary length = key length = 160 bits)
hmac-sha1-96 HMAC-SHA1-96 (summary length = 96 bits, key length = 160 bits)
hmac-sha2-256 HMAC-SHA2-256 (summary length = 256 bits, key length = 256
Bits)
hmac-sha2-512 HMAC-SHA2-512 (summary length = 512 bits, key length = 512
Bits)

SSH IP server algorithm encryption?

3des-cbc Three button 3DES in CBC mode
aes128-cbc 128-bit AES without CBC mode
aes128-ctr AES with 128-bit key in CTR mode
aes192-cbc AES mit 192 Bit ohne Modo CBC
aes192-ctr AES with 192-bit key in CTR mode
aes256-cbc AES mit 256 Bits ohne Modo CBC
aes256-ctr AES com chave de 256 bits no modo CTR

Now we can eliminate the old HMAC-SHA1 and CBC ciphers from our switch!

First we will add the sha2 HMACs

algoritmo do servidor ip ssh mac hmac-sha2-256 hmac-sha2-512

Then remove the sha1-hmacs

no ssh mac ip server algorithm hmac-sha1no ssh mac ip server algorithm hmac-sha1-96

And now the encryption

ip ssh server verschlüsselungsalgorithmus aes256-ctr aes192-ctr aes128-ctr

The results

mostrar ip ssh

SSH enabled - version 2.0
Authentication methods: public key, interactive keyboard, password
Authentication public key algorithms: x509v3-ssh-rsa,ssh-rsa
Hostschlüsselalgorithmen: x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes256-ctr, aes192-ctr, aes128-ctr
MAC algorithms:hmac-sha2-256,hmac-sha2-512
Algoritmos KEX:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 seconds; Authentication attempts: 3
Expected minimum Diffie-Hellman key size: 2048 bits
IOS key in SECSH format (ssh-rsa, base64-encoded): SSH-KEYS
Module size: 4096 bits
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCsyuZ8/lMCNHSLREb6vGQoBVehYQQI0+eJlanuyq5
f+iTqFcceR7vvXP14JhHmXe2lkygOZ8VIeilMJkpS8q748TaBL9QfmUAdDkbbk1wYPNKM2sLn/ACuerf
ImNa4vQFNaP28zqaCMhre/Z0DCRJvDnOXs2fepQnQZ6ZvbOgwMRw6rvTiLcPYlB46VlaS6T1ogEbsPLz
HG1e2UeGONxyIU9j99+sUq3h5omoxtOd33c7ygyBgghBm+G4rHoD4EsJmejK2/Ai1PsjHIN16EaTAB0Y
MiIFByAYr4/Hr+6ANejxDrFpeY3DDBTvXices3S+C/Ch6JEoFVfHufc5ni8OReE7KQhrBctNfhoXvFRO
wITNNyyu/jk1LLDTaLFbL/auw/eXGXlXXerWRFY6HvmAbQannl9wryvy97Hm4LJVO+DtTspwvw4IKrQT
HDMdyXvTI6RMjIlGb/7hiUeFb33wx7sw/DwkgjyUCWh8R8nCEoLfpz7qOchW2/WSj+608m62Eh6WDy5q
qkDpstQRD7AbE2OBtiuYgYJaNJfZ1qhIQXlvtQCTgRRS2TvInnoGg+STD2+lWR5WufgKEO778tNDXt3H
YRSdD2N1YcjXG+y0hB/xjvWSoMkr+G2Btxtm8QPgvXQRe9aFU/kALMBKBJ6Q+rDXr2QbyA7zpDudkAn3

Security header improvements

For IOS XE devices from 16.4.1, the Nginx/HTTP headers have the following settings to increase security:

Do the same with your Linux servers

There is a good chance that your company runs some Linux servers. Out of the box, CentOS/Ubuntu will have several weak ciphers. It's pretty easy to fix, but you need root privileges.

First we check which encryptions your server offers. If the server has a public IP address, you can go to https://sshcheck.com and enter the FQDN or IP address. You will receive a comprehensive report with suggestions as to which items should be disabled.

If the server is internal, you can use nmap's ssh-enum script:

sudo nmap --script ssh2-enum-algos 192.168.10.239

This will return a list of ciphers offered by your server.

Update the sshd configuration file

The sshd configuration file is in /etc/ssh. We need to open it and add the suites we want. First we make a backup.

sudo cd /etc/sshsudo cp sshd_config sshd_config.baksudo nano sshd_config

Add the following (make sure it conforms to your company's security policy)
cifras chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

macs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256

Algoritmos Kex diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,curve25519-sha256,curve25519-sh$

You can add them anywhere. I place them just below the section
"# Ciphers and Encoding".

Press Ctrl+x, type Y to save the file, and type to exit.

You can use

sudo sshd -t

to review the changes. If the configuration file contains no errors, nothing is displayed. In the case of errors, you will receive a message with the line number in which the error occurred.

You can use

sshd-T

to back up the current ssh configuration.

Now all we have to do is restart the ssh daemon;

sudo systemctl reiniciar sshd

check your work

Refresh the sshcheck page or run nmap again. You should only see the entered cipher suites. Here is nmap against my server:

nmap --script ssh2-enum-algos -sV -p22 hubbardonnetworking.com

Launching Nmap 7.70 (https://nmap.org) at 2020-06-24 22:15 PDT
Nmap scan report for hubbardonnetworking.com (107.170.203.230)
Host is up (0.026s latency).

PORT STATE SERVICE-VERSION
22 /tcp ssh open OpenSSH 7.4 (protocol 2.0)
| ssh2-enum-algos:
| kex_algorithms: (6)
| diffie-hellman-group14-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group-exchange-sha256
| curva25519-sha256
| curve25519-sha256@libssh.org
| server_host_key_algorithms: (5)
| ssh-rsa
| rsa-sha2-512
| rsa-sha2-256
| ecdsa-sha2-nistp256
| ssh-ed25519
🇧🇷 Encryption Algorithms: (6)
| chacha20-poly1305@openssh.com
| aes256-gcm@openssh.com
| aes128-gcm@openssh.com
| aes256-ctr
| aes192-ctr
| aes128-ctr
| mac_algorithms: (5)
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
🇧🇷 Compression Algorithms: (2)
🇧🇷 None
|_ zlib@openssh.com

Service detection performed. Please report incorrect results at https://nmap.org/submit/ .
Nmap completed: checked 1 IP address (1 live host) in 0.70 seconds

I have a python script that displays a menu of various nmap security scripts. If you haven't used nmap much, it's worth a look.

The Python tool prepares nmap scripts

references

Putty-SSH V2
SSH algorithms for Common Criteria certification
Cisco IOS HTTP Services Command Reference