howto
There are a few simple steps to protect yourself against weak Diffie-Hellman groups by generating your own primes.
To protect SSH, edit /etc/ssh/moduli (the groups sshd offers for Diffie-Hellman group exchange) and comment out every line whose 5th field (Size) is less than 2047:
---
# $OpenBSD: moduli,v 1.8 2012/08/29 05:06:54 dtucker Exp $
# Time Type Tests Tries Size Generator Modulus
#20120821044040 2 6 100 1023 5 D927...
…
#20120821044502 2 6 100 1535 5 D139...
…
20120821045639 2 6 100 2047 2 DD20...
---
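Doing that edit by hand is error-prone on a file with hundreds of lines. The script below is an added example, not part of the original howto: an awk filter that comments out every uncommented moduli line whose 5th field is below 2047, plus a counter you can run before and after to confirm nothing weak is still active. The sample moduli lines are constructed for the demonstration (the modulus values are placeholders, not real primes); in practice you would feed it /etc/ssh/moduli and review the output before installing it.

```shell
#!/bin/sh
# Added example (not from the original page). Comment out every
# uncommented line of an OpenSSH moduli file whose 5th field (Size)
# is below 2047; existing comments and larger groups are passed through.
# Usage: harden_moduli < /etc/ssh/moduli > moduli.new
harden_moduli() {
    awk '
        /^#/ { print; next }                         # keep existing comments
        NF >= 7 && $5 < 2047 { print "#" $0; next }  # disable small groups
        { print }                                    # keep everything else
    '
}

# Print the number of still-active (uncommented) groups smaller than 2047 bits.
# After harden_moduli has run this should be 0.
count_weak_groups() {
    awk '!/^#/ && NF >= 7 && $5 < 2047 { n++ } END { print n+0 }'
}

# Constructed sample in moduli format (Time Type Tests Tries Size Generator Modulus).
# The modulus column holds placeholders, not real primes.
SAMPLE='# $OpenBSD: moduli,v 1.8 2012/08/29 05:06:54 dtucker Exp $
# Time Type Tests Tries Size Generator Modulus
20120821044040 2 6 100 1023 5 D927PLACEHOLDER
20120821044502 2 6 100 1535 5 D139PLACEHOLDER
20120821045639 2 6 100 2047 2 DD20PLACEHOLDER
20120821050000 2 6 100 4095 2 EE11PLACEHOLDER'

hardened=$(printf '%s\n' "$SAMPLE" | harden_moduli)
printf '%s\n' "$hardened"
printf 'weak groups before: %s\n' "$(printf '%s\n' "$SAMPLE" | count_weak_groups)"
printf 'weak groups after:  %s\n' "$(printf '%s\n' "$hardened" | count_weak_groups)"
```

The filter only prepends a "#", so the original lines stay in the file and can be restored by review; write the result to a new file first, diff it against the original, and restart sshd only after you are satisfied.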
To protect TLS for HTTPS, compute your own Diffie-Hellman primes like so:
---
[root@limsprd ~]# openssl dhparam -out foo 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...+..+..***...
[root@limsprd ~]# cat foo
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAnRcLNdZeit18uYSAtEeumAOKIlAvkH5XLVw3V+jbltAjH09RJa8i
n+8bZlLGO7Rg01Exlf3FqMyK5uJTE3FkkCD2Xmv/UR+YS2c4XjzBfxELVC1C8V0J
fvgge4plUX04gG1AN3uwsLp6DgC4Ee06hEuKG6Nh6YX5tHawmPwsRqPM7GRjD4Rc
GYUJCWxh6lKuf63rHUwBH8i44FrQtJHL4lbbqxqQM1K3c2R/g+EcPoTd2VLxlT8y
gbN2rKsSi6/VggOSZ9f8DHNJB5lpuZgd6k7VymCAvc+mtFWVpBvSOWxaT7Wo5wLe
ID3exEDZl/DTDuijs/Tc0zPtoyC7vOPxawIBAg==
-----END DH PARAMETERS-----
Then append the BEGIN/END DH PARAMETERS block above to your certificate file, immediately after its "END CERTIFICATE" line.
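Appending the block is a one-line cat, but it is easy to append it twice, to append it to a file that is not a certificate, or to glue it onto a certificate file that lacks a trailing newline. The following is an added example, not part of the original howto: a small installer that checks both inputs, appends the DH parameters exactly once, and a checker that confirms the DH block sits after the END CERTIFICATE line. The certificate and parameter files it creates are constructed placeholders; with a real deployment you would pass your certificate file and the foo file generated above.

```shell
#!/bin/sh
# Added example (not from the original page). Append a DH PARAMETERS PEM
# block to a certificate file once, after the END CERTIFICATE line.

# Return 0 when the file already carries a DH PARAMETERS block.
has_dhparams() {
    grep -q -- '-----BEGIN DH PARAMETERS-----' "$1"
}

# install_dhparams CERTFILE DHFILE
install_dhparams() {
    cert="$1"; dh="$2"
    grep -q -- '-----END CERTIFICATE-----' "$cert" \
        || { echo "no certificate in $cert" >&2; return 1; }
    grep -q -- '-----BEGIN DH PARAMETERS-----' "$dh" \
        || { echo "no DH parameters in $dh" >&2; return 1; }
    if has_dhparams "$cert"; then
        echo "DH parameters already present in $cert, nothing to do" >&2
        return 0
    fi
    # Make sure the certificate ends with a newline so the PEM header
    # starts on its own line.
    [ -z "$(tail -c 1 "$cert")" ] || printf '\n' >> "$cert"
    cat "$dh" >> "$cert"
}

# Return 0 when a DH PARAMETERS block appears after the END CERTIFICATE line.
dh_after_cert() {
    awk '/-----END CERTIFICATE-----/   { c = NR }
         /-----BEGIN DH PARAMETERS-----/ { d = NR }
         END { exit !(c > 0 && d > c) }' "$1"
}

# Demonstration on constructed placeholder files (not real key material).
demo=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----' > "$demo/cert.pem"
printf -- '-----BEGIN DH PARAMETERS-----\nPLACEHOLDER\n-----END DH PARAMETERS-----\n' > "$demo/dh.pem"
install_dhparams "$demo/cert.pem" "$demo/dh.pem"
install_dhparams "$demo/cert.pem" "$demo/dh.pem"   # second run is a no-op
dh_after_cert "$demo/cert.pem" && echo "DH parameters installed after the certificate"
cat "$demo/cert.pem"
rm -rf "$demo"
```

After installing into the real certificate file, restart the web server and verify the negotiated DH size from the client side (for example with "openssl s_client" against the server), since the parameters only take effect once the server process reloads the file.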
For more discussion on hardening your encryption settings, see these resources:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
https://stribika.github.io/2015/01/04/secure-secure-shell.html