[BlueOnyx:20974] Re: Hardening BlueOnyx

Michael Stauber mstauber at blueonyx.it
Wed Apr 26 21:01:06 -05 2017


Hi Aaron,

In addition to what Ken Marcus already said:

> 1. PHP version. I understand that upgrades to newer PHP versions are available for purchase

You could indeed buy the PHP package from the shop with an ongoing
subscription. That way you always get access to the latest PHP packages
and can install them via the GUI. Or it is even possible to let the GUI
install them automatically.

> 2. TLS 1.0. Is there a way to disable TLS 1.0 easily through the UI? 
> Or if I edit /etc/httpd/conf/ssl.conf through the shell, will
> it be overwritten the next time an Apache setting changes?
>
> 3. Old insecure SSH ciphers and SSL. The test suite doesn’t like
> RC4 for SSL

Editing the file /etc/httpd/conf.d/ssl.conf will not exactly accomplish
anything worthwhile. The SSL configuration for every Vsite with SSL
enabled is inserted into the <VirtualHost> container of the VSite in
question.

One actual example:

SSLengine on
SSLCompression off
SSLProtocol +ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA
SSLCACertificateFile /home/.sites/28/site1/certs/ca-certs
SSLCertificateFile /home/.sites/28/site1/certs/certificate
SSLCertificateKeyFile /home/.sites/28/site1/certs/key

We follow recommended practices there from both SSLLabs.com as well as
bettercrypto.org. RC4 has already been disabled for at least 2-3 years
and we only allow protocols and ciphers that are still considered secure.

Turning off TLS v1.0 is a somewhat stupid endeavour, so naturally we're
not doing that. Otherwise it would go into the SSLProtocol line above as
additional "TLSv1_0".

If you really want TLS v1.0 off, then you're between a rock and a hard
place with BlueOnyx as it is, because the entries in the Vhost
containers are dynamically generated by a Perl handler.

So turning off TLS v1.0 isn't easy, nor do we (at this point) want to.
This might eventually change, but there are still some clients that only
support TLS v1.0 at the most and we need that compatibility.

> 3. "arcfour arcfour128 arcfour256" for SSH. Can these be disabled through
> the UI, or should they be disabled by default?

Unless you want to edit the SSHd config yourself to turn these off you
could simply block access to SSH so that their test suite is blocked
from accessing it.

> 4. Cleartext authentication. The test suite doesn’t want cleartext 
> authentication enabled on FTP, SMTP, the admin web UI, or
> really anything. Same question: can this be disabled?

Via the GUI you can turn off all services that require cleartext
authentication such as POP3, IMAP, SMTP and FTP and only leave their
secure counterparts enabled.

Even for the GUI (port 444) you can do that under "Server Management" /
"Maintenance" / "Server Desktop". Set "GUI access protocols" to "HTTPS
only" and tick the checkbox. You may also tick the checkbox "Redirect to
Server-Name" while at it.

-- 
With best regards

Michael Stauber
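The audit below is an added example, not BlueOnyx code: it resolves an SSLProtocol line the way mod_ssl does (+/- tokens, with ALL expanding to every protocol keyword) and checks that the weak cipher keywords are hard-excluded with "!", which on the Vsite fragment quoted above reports that RC4 is gone but TLS 1.0 and 1.1 are still enabled. It assumes mod_ssl's protocol keyword names (TLSv1 is the keyword for TLS 1.0) and inspects the cipher-string text only, not OpenSSL's expansion of it.

```python
"""Audit the SSLProtocol / SSLCipherSuite lines of an Apache mod_ssl fragment.

Added example, not BlueOnyx code. It inspects the text only; it does not ask
OpenSSL which suites a cipher string actually expands to."""
import re

# Protocol keywords mod_ssl accepts; "ALL" is its shortcut for all of them
# (SSLv2 only on old builds; TLSv1.3 only with OpenSSL 1.1.1 or later).
ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
LEGACY_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}  # RFC 7568 / RFC 8996
# Keywords the mail's config rejects; they should be hard-excluded with "!",
# since a plain "-" exclusion can be re-enabled by a later "+" entry.
LEGACY_CIPHER_KEYWORDS = {"RC4", "3DES", "MD5", "aNULL", "eNULL", "EXP", "LOW"}

# Constructed sample: the Vsite fragment quoted in the mail, minus the cert paths.
SAMPLE_VHOST = """\
SSLEngine on
SSLCompression off
SSLProtocol +ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA
"""
# Same fragment with TLS 1.0/1.1 removed (mod_ssl's keyword for TLS 1.0 is TLSv1).
HARDENED_VHOST = SAMPLE_VHOST.replace("-SSLv3", "-SSLv3 -TLSv1 -TLSv1.1")


def enabled_protocols(args):
    """Resolve an SSLProtocol argument list to the set of enabled protocols."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        members = ALL_PROTOCOLS if name.lower() == "all" else {name.lower()}
        enabled = enabled | members if sign == "+" else enabled - members
    return enabled


def unexcluded_legacy_ciphers(spec):
    """Legacy cipher keywords that an SSLCipherSuite does not hard-exclude."""
    hard_excluded = {t[1:] for t in spec.split(":") if t.startswith("!")}
    return sorted(LEGACY_CIPHER_KEYWORDS - hard_excluded)


def audit_vhost(text):
    """Return human-readable findings for one <VirtualHost> SSL fragment."""
    findings = []
    for directive, args in re.findall(r"^\s*(SSL\w+)\s+(.+?)\s*$", text, re.M):
        if directive.lower() == "sslprotocol":
            for proto in sorted(enabled_protocols(args) & LEGACY_PROTOCOLS):
                findings.append(f"legacy protocol enabled: {proto}")
        elif directive.lower() == "sslciphersuite":
            for kw in unexcluded_legacy_ciphers(args):
                findings.append(f"cipher keyword not hard-excluded: {kw}")
    return findings
```

Running audit_vhost over the generated Vsite blocks after a GUI change is a quick way to confirm that the Perl handler still emits the expected SSLProtocol and SSLCipherSuite lines.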
