Announcement

**Spork Schivago** · 03-02-2016, 12:17 PM

Re: Hardening my server.

Just wanted to add that I have done some reading up on SSL and TLS. My understanding is SSL v1 was never publically released because of some serious flaws. Netscape released SSL v2 but it also had flaws. Then they release SSL v3 which also had flaws and was susceptible to the POODLE attack. Can I disable SSL all together and just use something like TLS v1.2?

**shovenose** · 03-02-2016, 12:27 PM

Re: Hardening my server.

https://www.ssllabs.com/ssltest/

what's your domain?

edit: should look something like this, if not, link the report and I can help you fix it.

Attached Files

**Spork Schivago** · 03-02-2016, 02:00 PM

Re: Hardening my server.

Originally posted by shovenose View Post

https://www.ssllabs.com/ssltest/

what's your domain?

edit: should look something like this, if not, link the report and I can help you fix it.

Thank you. I ran the test (had to whitelist the IP because it got blocked). Here's a link to the report:

https://www.ssllabs.com/ssltest/anal...hideResults=on

There are some issues with it. I see:

Code:

The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-

So I'd like to fix that. Certificate is perfect, from what I can see. Protocol Support needs some work, Key Exchange needs more work than Protocol Support and Cipher Strength got the same score as Key Exchange.

I also see:

Code:

In trust store	DST Root CA X3  Self-signed	
Fingerprint SHA1: dac9024f54d8f6df94935fb1732638ca6ad77c13
Pin SHA256: Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys= 
RSA 2048 bits (e 65537)	/ SHA1withRSA 
[B]Weak or insecure signature[/B], but no impact on root certificate

I'd like to find out how to fix that weak or insecure signature as well, even though it has no impact on root certificate.

**Spork Schivago** · 03-02-2016, 02:10 PM

Re: Hardening my server.

I see I'm not protected against the BEAST attack, even if it might not exist anymore. Would dropping TLS v1.0 and supporting just TLS v1.1 and v1.2 be an effective option to protect against the BEAST?

**Per Hansson** · 03-02-2016, 02:25 PM

Re: Hardening my server.

Originally posted by Spork Schivago View Post

Hello,

Code:

This SSLv2 server does not accept SSLv3 connections.
This SSLv2 server also accepts TLSv1 connections.

Should I have SSLv2 disabled and only accept SSLv3 connections? And is TLSv1 good? Thank you!

SSL v2 was broken a few months after being released 1996, now 20 years later you can take a guess how good it is to use it!
SSL v3 was broken more recently, but it's still been deprecated for a year and not recommended in new installs for much much longer than that.

TLS is the continuation of SSL, there are some highly theoretical attack scenarios for 1.0, but usually you would be fine to have it enabled.
If you don't you will loose WinXP and older browsers like Opera based on the Presto engine.

This Mozilla page has a pretty good rundown on how to configure things:
https://wiki.mozilla.org/Security/Server_Side_TLS

**Spork Schivago** · 03-02-2016, 02:41 PM

Re: Hardening my server.

Originally posted by Per Hansson View Post

SSL v2 was broken a few months after being released 1996, now 20 years later you can take a guess how good it is to use it!
SSL v3 was broken more recently, but it's still been deprecated for a year and not recommended in new installs for much much longer than that.

TLS is the continuation of SSL, there are some highly theoretical attack scenarios for 1.0, but usually you would be fine to have it enabled.
If you don't you will loose WinXP and older browsers like Opera based on the Presto engine.

This Mozilla page has a pretty good rundown on how to configure things:
https://wiki.mozilla.org/Security/Server_Side_TLS

Thank you. So TLS and SSL are the protocols? And currently, I have SSL v3 enabled, right? So I'd like to disable that. I'm on the fence whether I should support XP or not. When you say I'll loose support for XP, do you mean I'd lose support for IE running in XP? Would Chrome / Firefox on XP still work? I appreciate you teaching me this stuff.

**Per Hansson** · 03-02-2016, 03:00 PM

Re: Hardening my server.

No, you have SSL v2 enabled according to that tool which is a disaster.
See for example this weeks latest exploit: DROWN

https://isc.sans.edu/forums/diary/Ex...y+DROWN/20789/
https://drownattack.com/
https://access.redhat.com/security/v...bilities/drown

As for XP support if you run the "modern" cipher XP wont be able to connect because it only supports TLS 1.0
With the intermediate cipher that enables TLS 1.0 it will work with IE8.
You really don't want to enable the backwards compatible one, let IE6 die already!

Some browsers have their own TLS implementation, Fiefox is one, Chrome might too but look it up first.
So with Firefox on XP you can have the modern cipher enabled and the customer will still see your site...

**ddscentral** · 03-02-2016, 03:42 PM

Re: Hardening my server.

I'm using these on my server (Apache 2.4.7 with Haproxy as frontend):

EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

I also have disabled SSLv3, enabled OCSP stapling and HTTP Strict Transport Security.
A+ in SSLLabs test.

Attached Files

**Spork Schivago** · 03-02-2016, 05:42 PM

Re: Hardening my server.

Originally posted by Per Hansson View Post

No, you have SSL v2 enabled according to that tool which is a disaster.
See for example this weeks latest exploit: DROWN

https://isc.sans.edu/forums/diary/Ex...y+DROWN/20789/
https://drownattack.com/
https://access.redhat.com/security/v...bilities/drown

As for XP support if you run the "modern" cipher XP wont be able to connect because it only supports TLS 1.0
With the intermediate cipher that enables TLS 1.0 it will work with IE8.
You really don't want to enable the backwards compatible one, let IE6 die already!

Some browsers have their own TLS implementation, Fiefox is one, Chrome might too but look it up first.
So with Firefox on XP you can have the modern cipher enabled and the customer will still see your site...

I understand. So TLS is a cipher. What are the protocols then? I agree, IE 6 should die. If I'm not mistaken, XP _can_ run IE8. When I tried downloading it an off-line installer from Microsoft for it, it errored out saying it wasn't compatible with XP, however, after I found a way to get Windows Update working, it did install IE 8. Hopefully, there aren't too many users still using XP.

I thought SSLv2 and 3 were disabled. In WHM, I see:

Code:

TLS/SSL Cipher List
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

This is a standard format list of the TLS/SSL ciphers cPanel Web Services should use. Typically this will only need to be adjusted for PCI compliance.


TLS/SSL Protocols
 SSLv23:!SSLv2:!SSLv3

This is a standard format list of the TLS/SSL protocols cPanel Web Services should use. Typically this will only need to be adjusted for PCI compliance.

I thought the ! meant that it was disabled. Also, now my subdomain redirects are messed up and not working. I have to have Proxy Sub-Domain redirects turned off. I had the subdomain redirects setup manaully, so when went to places like whm.jetbbs.com, it'd forward it to the correct port. Now, when I go to any of the subdomains, I get

Code:

The server at cpanel.jetbbs.com can't be found, because the DNS lookup failed. DNS is the network service that translates a website's name to its Internet address. This error is most often caused by having no connection to the Internet or a misconfigured network. It can also be caused by an unresponsive DNS server or a firewall preventing Google Chrome from accessing the network.

Before, it was setup to automatically create something called a A name or something whenever I created a subdomain. I don't think the subdomains are registered with the DNS server now. I'd like to figure out how to manually set that stuff up.

**stj** · 03-02-2016, 06:53 PM

Re: Hardening my server.

wouldnt it be better to ditch all the short keys like 128bit

force browsers etc to use larger keys like 384.512 or even 1024bit keysize.

**Spork Schivago** · 03-03-2016, 05:51 PM

Re: Hardening my server.

Originally posted by stj View Post

wouldnt it be better to ditch all the short keys like 128bit

force browsers etc to use larger keys like 384.512 or even 1024bit keysize.

Is that question for me? If so, I honestly don't know enough about this to answer the question. If it's for someone else, I'd also like to know. My SSL cert uses a 2048 bit RSA key I think? Would that mean I should set the key size to 2048 bit? Or is that for something else?

**Per Hansson** · 03-04-2016, 08:22 AM

Re: Hardening my server.

No, you want to use the lowest cipher that is considered safe.
Or more appropriately the "cheapest" cipher to generate CPU wise.
For example AES256-GCM is prioritized above the 128 bit variant.
The reason is the former has a considerable market penetration with CPU's that can offload the generation.
Meaning the 256bit is actually "cheaper" to generate...

Realize that when we talk about actually brute-forcing these keys (and not exploiting a weakness in the cipher)
Then you would need enormous resources to do it.
I was for example part of the Distributed.net project which is just like Seti@Home or Folding@Home to brute force the 56bit key.
That was successfully done after 250 days, later they worked on a 64bit key which took almost five years.
Currently they are trying to brute force a 72bit key and have been at it for 13 years, at their current rate it would take around 200 years to try all possible keys...

But the example is a bit silly, because the way these things are broken are through a weakness in the implementation.
Meaning the key wont have to be brute forced at all.
That's the case with high profile exploits like DROWN & Heartbleed for example.
Another good example of an implementation that was considered safe but no longer is is the 1024bit Diffie-Hellman.
But it's only because the same keys for signing was part of each distribution.
(To save on CPU resources back in the day, because generating such a key on hardware of "moderate" capabilities in most BCN users mind would take several hours).
But the end result is that since the same 1024bit key is on so many systems it's considered that a government sponsored attacker might expend the resources to brute force it...

**junktv** · 03-04-2016, 07:35 PM

Re: Hardening my server.

Well there is your problem. You have no brute force measures in place. Are you fighting a 100,000 nerds or a few guys on a mission?

**Per Hansson** · 03-05-2016, 04:12 AM

Re: Hardening my server.

Originally posted by junktv View Post

Well there is your problem. You have no brute force measures in place. Are you fighting a 100,000 nerds or a few guys on a mission?

Are you just trolling or whats your problem tonight?
Key attacks (by professionals) are done offline, but nevermind what I wrote more:

Originally posted by Per Hansson View Post

But the example is a bit silly, because the way these things are broken are through a weakness in the implementation.
Meaning the key wont have to be brute forced at all.

**Spork Schivago** · 03-06-2016, 05:42 PM

Re: Hardening my server.

Originally posted by Per Hansson View Post

Are you just trolling or whats your problem tonight?
Key attacks (by professionals) are done offline, but nevermind what I wrote more:

Also, I do have on-line brute force protection. If someone connects so many times in a row, they get blocked. I do have to admit, some of this stuff I don't understand. Not gonna lie, the networking stuff isn't my strong suite.

I use ConfigServer Firewall, which is nice. If I understand the documentation right, it could be setup in such away when a person gets banned, they get redirected to a page saying they're banned. This requires a few iptable modules that aren't installed and there's no way for me to install them though. I've contacted my provider's tech support to see if they could enable them, but the guy I talked too was a bit rude and didn't understand what I was asking, although he thought he did.

He felt that I didn't know how to use iptables. I tried explaining that writing iptables rules wasn't the problem, that I just didn't have two iptable modules installed that I'd like to use. He went on how I can google how to use iptables and if I don't know how to run a server, I shouldn't have one. That kind of upsetted me a bit but I was polite. I feel every time I tried explaining the situation, he just blocked it out, because he felt that he understood what the problem was (that I didn't know how to use iptables). He said I could pay around 300$ a month and have them manage my server. All I needed was a few words added to a file or two in the virtuozzo's config files.

**shovenose** · 03-06-2016, 06:53 PM

Re: Hardening my server.

Originally posted by Spork Schivago View Post

Also, I do have on-line brute force protection. If someone connects so many times in a row, they get blocked. I do have to admit, some of this stuff I don't understand. Not gonna lie, the networking stuff isn't my strong suite.

I use ConfigServer Firewall, which is nice. If I understand the documentation right, it could be setup in such away when a person gets banned, they get redirected to a page saying they're banned. This requires a few iptable modules that aren't installed and there's no way for me to install them though. I've contacted my provider's tech support to see if they could enable them, but the guy I talked too was a bit rude and didn't understand what I was asking, although he thought he did.

He felt that I didn't know how to use iptables. I tried explaining that writing iptables rules wasn't the problem, that I just didn't have two iptable modules installed that I'd like to use. He went on how I can google how to use iptables and if I don't know how to run a server, I shouldn't have one. That kind of upsetted me a bit but I was polite. I feel every time I tried explaining the situation, he just blocked it out, because he felt that he understood what the problem was (that I didn't know how to use iptables). He said I could pay around 300$ a month and have them manage my server. All I needed was a few words added to a file or two in the virtuozzo's config files.

who is the provider

**JuniperSprouts** · 03-07-2016, 02:43 PM

Re: Hardening my server.

I've contacted my provider's tech support to see if they could enable them, but the guy I talked too was a bit rude and didn't understand what I was asking, although he thought he did.

He felt that I didn't know how to use iptables. I tried explaining that writing iptables rules wasn't the problem, that I just didn't have two iptable modules installed that I'd like to use. He went on how I can google how to use iptables and if I don't know how to run a server, I shouldn't have one. That kind of upsetted me a bit but I was polite. I feel every time I tried explaining the situation, he just blocked it out, because he felt that he understood what the problem was (that I didn't know how to use iptables). He said I could pay around 300$ a month and have them manage my server. All I needed was a few words added to a file or two in the virtuozzo's config files.

The provider sounds like someone from whom I would not want service!

**Spork Schivago** · 03-10-2016, 01:22 PM

Re: Hardening my server.

Originally posted by shovenose View Post

who is the provider

GoDaddy.

**Spork Schivago** · 03-10-2016, 01:24 PM

Re: Hardening my server.

Originally posted by JuniperSprouts View Post

The provider sounds like someone from whom I would not want service!

Yeah, usually, when I call, the people are extremely nice and knowledgable and if they don't understand something, they take the time to look it up or ask someone who might know. It's just this one guy. I've talked to him maybe 2 or 3 times. He seems to work when it's night for me. When it's 3AM here, if I call, I always seem to get him. Overall, they're not bad. Just one guy that doesn't seem to like his job and maybe puts in the least amount of effort to do his job.

Announcement

Hardening my server.

Hardening my server.

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment