mjhjmtu

Security team of my organization told us to disable weak ciphers due to they issue weak keys.

 arcfour
 arcfour128
 arcfour256

But I tried looking for these ciphers in ssh_config and sshd_config file but found them commented.

 grep arcfour *
ssh_config:# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc

Where else I should check to disable these ciphers from SSH?

If you have no explicit setting, the default value, according to man 5 ssh_config (client-side) and man 5 sshd_config (server-side), is:

 aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
 chacha20-poly1305@openssh.com,
 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
 aes256-cbc,arcfour

Note the presence of the arcfour ciphers. So you may have to explicitly set a more restrictive value for Ciphers.

ssh -Q cipher from the client will tell you which schemes your client supports.

nmap --script ssh2-enum-algos -sV -p <port> <host> will tell you which schemes your server supports.

To disable RC4 and use secure ciphers on SSH server, hard-code the following in /etc/ssh/sshd_config

ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

OR if you prefer not to dictate ciphers but merely want to strip out insecure ciphers, run this on the command line instead (in sudo mode):

sshd -T | grep ciphers | sed -e "s/(3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator.liu.se),?//g" >> /etc/ssh/sshd_config

You can check ciphers currently used by your server with:

sudo sshd -T |grep ciphers

Make sure your ssh client can use these ciphers, run ssh -Q cipher to see the list.

You can also instruct your SSH client to negotiate only secure ciphers with remote servers. In /etc/ssh/ssh_config set:

Host *
 ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

Above snippets come from here

To test your server's settings you can use ssh-audit

The problem with explicitly specifying a cipher list is that you must manually add new ciphers as they come out. Instead, simply list the ciphers you want to remove, prepending the list (not each individual cipher) with a '-' character. So in this case, the Ciphers line should read:

Ciphers -arcfour*

Or if you prefer:

Ciphers -arcfour,arcfour128,arcfour256

From the sshd_config man page on the Ciphers option (since OpenSSH 7.5, released 2017-03-20):

If the specified value begins with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replacing them. If the specified value begins with a ‘-’ character, then the specified ciphers (including wildcards) will be removed from the default set instead of replacing them.

This also applies to the KexAlgorithms and MACs options.

enable/disable cipher need to add/remove in file /etc/ssh/sshd_config

ssh -Q cipher from the client will tell you which schemes support
ssh localhost -c arcfour check arcfour cipher enable or not on the server
ssh localhost -c arcfour128 check arcfour128 cipher enable or not on the server