How to Set SSL Ciphers and update OpenSSL for PCI Compliant (Apache)

SSL Cipher Settings (PCI Compliant)

If you going to use SSL for your site, make sure that you disable low level ciphers.
To do this, simply edit:

#/etc/httpd/conf.d/ssl.conf

SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RCA4+RSA:+HIGH:!LOW:!MEDIUM

#Save the file and restart the apache
service httpd restart

#check to see if the settings are working
openssl s_client -connect localhost:443 -cipher EXP:HIGH

#the below command should throw you an error
openssl s_client -connect localhost:443 -cipher EXP:LOW
openssl s_client -connect localhost:443 -cipher EXP:MEDIUM

By default CentOs comes with openssl version 1.0.0. However openssl has been updated a year ago to 1.0.1 to support high ciphers such as TLS 1.1 and 1.2. Normally, before updating the openssl, I would backup the server first if anything goes wrong. The reason is that openssl is used by many programs within the linux.

To update the openssl, you will need to manually install the package by rpm

#installing openssl 1.0.1e
rpm -Uvh http://dl.iuscommunity.org/pub/ius/stable/Redhat/6/x86_64/ius-release-1.0-10.ius.el6.noarch.rpm

#install yom-plugin-replace
yum install yum-plugin-replace

#replacing openssl 1.0.1e name
yum replace openssl --replace-with openssl10

I have also replaced the above SSLCipherSuite to

SSLCipherSuite 'AESGCM:RC4:SHA384:SHA256:AES !aNULL:!eNULL:!LOW:!MEDIUM:!3DES:!MD5:!EXP:!kEDH:!PSK:!SRP:!kECDH'

You should also disable SSL Compression as it is vulnerable to CRIME attack according to ssllabs.com

# /etc/httpd/conf/httpd.conf
# Disable Module within Apache by using a #
#LoadModule deflate_module modules/mod_deflate.so

and then:

echo >>/etc/sysconfig/httpd export OPENSSL_NO_DEFAULT_ZLIB=1
# Restart Apache Server
service httpd restart

After you had finished the configuration, have your site be tested with http://www.ssllabs.com

How to Remove Apache Header

Removing Apache Header

Some third party scanners gives a warning about having the Apache server name to be public. One of the main reasons to hide this is to give hackers a hard time to guess what web servers you are using. Giving out your Apache version and your OS can let hackers quickly search your server for known vulnerabilities.

edit:

/etc/httpd/conf/httpd.conf

#Change the following
ServerSignature On

#to

ServerSignature Off

How to Setting Up VPS/Dedicated Server for the First Time on CentOS 6.x LEMP Version

I just signed up for this great deal at ChicagoVPS.net for a 2GB RAM, 2TB/Month, 50GB space at $40 + Tax (NY) / Year. (Check the deal at SlickDeals.net, as of March 09)

I thought that the deal was great and wanted to give them a try.

ChicagoVPS was cheap, but it did not stand for what it was worth. I had many down time doing the month. I finally got a new dedicated server for my websites.

I am writing for blog for my own reference, I think the information I gathered over the internet will be helpful to you as well when you are setting up your VPS servers. Therefore I set up this blog on my unused web domain name. If there is any mistake or comments, please feel free to post your comment.

Requirements:

Updating

First time when you run the server, you should always update the system.

yum update

Firewall

Firewall is always and will be number one thing to do before starting anything, I had found a good script online that will set your firewall. (Need to find where I got it from to give credit)

Save the below iptables to iptables.sh. Please note that I had opened port 8080 for varnish tests. You may disable it by removing the line.

#!/bin/bash
# A sample firewall shell script 
IPT="/sbin/iptables"
SPAMLIST="blockedip"
SPAMDROPMSG="BLOCKED IP DROP"
SYSCTL="/sbin/sysctl"
BLOCKEDIPS="/root/scripts/blocked.ips.txt"

# Stop certain attacks
echo "Setting sysctl IPv4 settings..."
$SYSCTL net.ipv4.ip_forward=0
$SYSCTL net.ipv4.conf.all.send_redirects=0
$SYSCTL net.ipv4.conf.default.send_redirects=0
$SYSCTL net.ipv4.conf.all.accept_source_route=0
$SYSCTL net.ipv4.conf.all.accept_redirects=0
$SYSCTL net.ipv4.conf.all.secure_redirects=0
$SYSCTL net.ipv4.conf.all.log_martians=1
$SYSCTL net.ipv4.conf.default.accept_source_route=0
$SYSCTL net.ipv4.conf.default.accept_redirects=0
$SYSCTL net.ipv4.conf.default.secure_redirects=0
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts=1
#$SYSCTL net.ipv4.icmp_ignore_bogus_error_messages=1
$SYSCTL net.ipv4.tcp_syncookies=1
$SYSCTL net.ipv4.conf.all.rp_filter=1
$SYSCTL net.ipv4.conf.default.rp_filter=1
$SYSCTL kernel.exec-shield=1
$SYSCTL kernel.randomize_va_space=1

echo "Starting IPv4 Firewall..."
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

# interface connected to the Internet 
PUB_IF="eth0"

#Unlimited traffic for loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# DROP all incomming traffic
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Block sync
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP

# Block Fragments
$IPT -A INPUT -i ${PUB_IF} -f  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
$IPT -A INPUT -i ${PUB_IF} -f -j DROP

# Block bad stuff
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Allow full outgoing connection but no incomming stuff
$IPT -A INPUT -i ${PUB_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow ssh
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 22 -j ACCEPT

# Allow http / https (open port 80 / 443)
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 80 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 443 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 8080 -j ACCEPT

# allow incomming ICMP ping pong stuff
$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow port 53 tcp/udp (DNS Server)
#$IPT -A INPUT -i ${PUB_IF} -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
##$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

#$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED  -j ACCEPT
##$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open port 110 (pop3) / 143
#$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 110 -j ACCEPT
#$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 143 -j ACCEPT

##### Add your rules below ######
#
# 
##### END your rules ############

# Do not log smb/windows sharing packets - too much logging
$IPT -A INPUT -p tcp -i ${PUB_IF} --dport 137:139 -j REJECT
$IPT -A INPUT -p udp -i ${PUB_IF} --dport 137:139 -j REJECT

# log everything else and drop
$IPT -A INPUT -j LOG
$IPT -A FORWARD -j LOG
$IPT -A INPUT -j DROP

exit 0

Saving the iptables for next reboots

iptables-save

Backing up

What every you are on VPS or dedicated with managed or unmanaged hosting, you should always backup and backup and backup your backups. Hey, things happen and I learned that from buying cheap hosting at ChicagoVPS (move away from them).

Click here to check the “How to Backup to Raspberry Pi

Nginx, PHP, and mySQL – LEMP Web Server

 

Security

Skipfish

yum install skipfish -y (More info about skipfish will be posted)