I have a Ubuntu Server 12.04 that is accessible on the internet. Therefore, I would like to harden it a bit. I thought on starting to write a ~/.ssh/config file, forcing incoming clients a certain cipher, a MAC integrity, a key exchange algorithm, ...
Now my question is, which one is the best of them?
I thought on the following: Ciphers aes256-cbc HostKeyAlgrorithmy ssh-rsa KexAlgroithms diffie-hellman-group-exchange-sha256 MACs hmac-sha2-512-96
What do you think, guys? Is this a reasonable way of securing?
The NIST/NSA Suite B set of protocols are generally considered to be the ones that you should be using. Here is a link:
http://www.nsa.gov/ia/programs/suiteb_cryptography/
Asking which cipher is the best, is a bit like asking which apple is the loudest - each set of ciphers have their merits and weaknesses, but at least the ones in this list are considered safe for government use. What you should be asking, is which ciphers have been proven weak (DES, MD5), and avoid them.
More importantly though, to harden your server, you should look at the following: