<div dir="ltr"><div class="gmail_extra"><br></div><div class="gmail_extra">Aaron</div><div class="gmail_extra"><br></div><div class="gmail_extra">>><span style="font-size:12.8px">1. PHP version</span></div><div class="gmail_extra">Just edit the php.ini to change one line from</div><div class="gmail_extra">expose_php = On<br></div><div class="gmail_extra">to</div><div class="gmail_extra">expose_php = Off </div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">>><span style="font-size:12.8px">disable TLS 1.0</span></div><div class="gmail_extra"><span style="font-size:12.8px">For port 443 (regular https pages) edit </span></div><div class="gmail_extra"><span style="font-size:12.8px">nano -w  /etc/httpd/conf.d/ssl_perl.conf</span><br></div><div class="gmail_extra"><span style="font-size:12.8px">Change</span></div><div class="gmail_extra"><span style="font-size:12.8px">           SSLProtocol                 => "+ALL  -SSLv2 -SSLv3",</span><br></div><div class="gmail_extra"><span style="font-size:12.8px">to</span></div><div class="gmail_extra"><span style="font-size:12.8px">           SSLProtocol                 => "+ALL -TLSv1 -SSLv2 -SSLv3",</span><br></div><div class="gmail_extra"><span style="font-size:12.8px"><br></span></div><div class="gmail_extra"><span style="font-size:12.8px"><br></span></div><div class="gmail_extra"><span style="font-size:12.8px">>></span><span style="font-size:12.8px">SSH ciphers</span></div><div class="gmail_extra"><span style="font-size:12.8px">I have the server set to only ssh from my own IP that I connect from; with a script to open up whatever IP I view a certain page from / whatever IP I am at within 10 minutes.   This saves me the trouble of explaining to them that the SSH version etc, is patched. 
</span></div><div class="gmail_extra"><span style="font-size:12.8px"><br></span></div><div class="gmail_extra"><span style="font-size:12.8px">>>cleartext </span><span style="font-size:12.8px">authentication enabled on FTP, SMTP, the admin web UI</span></div><div class="gmail_extra"><br></div><div class="gmail_extra"><span style="font-size:12.8px">1. </span><span style="font-size:12.8px">In the /admin area,  </span><span style="font-size:12.8px">try only enabling SMTPs not SMTP (not sure about this)</span></div><div class="gmail_extra"><span style="font-size:12.8px">2. </span><span style="font-size:12.8px">In the /admin area, enable only FTPS not FTP. </span></div><div class="gmail_extra"><span style="font-size:12.8px">3. For the web UI, in the APF or whatever firewall, turn off port 444 but leave on port 81</span></div><div class="gmail_extra"><span style="font-size:12.8px">3.b. Then edit the  nano -w /etc/httpd/conf.d/blueonyx.conf     "RewriteRule"s at the beginning of the file to redirect to the specific https address on port 81</span></div><div class="gmail_extra"><span style="font-size:12.8px"><br></span></div><div class="gmail_extra"><span style="font-size:12.8px">Restart respective services as needed. </span></div><div class="gmail_extra"><span style="font-size:12.8px"><br></span></div><div class="gmail_extra"><span style="font-size:12.8px">Ken</span></div></div>
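<div>Added example, not part of Ken's message and not BlueOnyx code: a small offline check that evaluates an SSLProtocol value token by token and confirms expose_php is off, run here on the before and after lines quoted above. The function names are made up for this sketch, and the protocol set that "ALL" expands to is an assumption, since it depends on the Apache/OpenSSL build.</div>

```python
import re

# Assumption: what "ALL" expands to depends on the Apache/OpenSSL build.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
KNOWN = {p.lower(): p for p in ALL | {"SSLv2", "TLSv1.3"}}
WEAK = {"SSLv2", "SSLv3", "TLSv1"}  # the protocols the message turns off

# Constructed sample inputs built from the lines quoted in the message.
SSL_BEFORE = 'SSLProtocol => "+ALL  -SSLv2 -SSLv3",'
SSL_AFTER = 'SSLProtocol => "+ALL -TLSv1 -SSLv2 -SSLv3",'
PHP_BEFORE = "expose_php = On\n"
PHP_AFTER = "expose_php = Off\n"


def enabled_protocols(value):
    """Apply tokens left to right: +X adds, -X removes, a bare X replaces."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        if name.lower() == "all":
            group = set(ALL)
        elif name.lower() in KNOWN:
            group = {KNOWN[name.lower()]}
        else:
            raise ValueError(f"unknown protocol token: {token!r}")
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = group
    return enabled


def audit(ssl_conf_text, php_ini_text):
    """Return findings for the two settings changed in the message."""
    findings = []
    for value in re.findall(r'SSLProtocol\s*=>\s*"([^"]*)"', ssl_conf_text):
        weak = sorted(enabled_protocols(value) & WEAK)
        if weak:
            findings.append(f"SSLProtocol {value!r} still enables {', '.join(weak)}")
    # A missing expose_php line counts as a finding: PHP's default is On.
    m = re.search(r"^\s*expose_php\s*=\s*(\w+)", php_ini_text, re.M | re.I)
    if m is None or m.group(1).lower() in ("on", "1", "true", "yes"):
        findings.append("expose_php is not Off")
    return findings


if __name__ == "__main__":
    print(audit(SSL_BEFORE, PHP_BEFORE))
    print(audit(SSL_AFTER, PHP_AFTER))
```

<div>Under the stated assumption about "ALL", the edited value leaves TLSv1.1 and TLSv1.2 enabled.</div>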