SSH – prevent weak ciphers and MAC algorithms

Supported in RHEL 6:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
MACs hmac-sha1,hmac-ripemd160

Supported in RHEL 7:

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

These examples are meant for sysadmins who have done this before, as an easily copy-pastable reference, not for newbies who have no idea what all this means. Research what you are doing and think before you act. Be careful when reloading or restarting sshd, and make sure you can access the console in case something goes terribly wrong! Don't mess it up, so to speak.
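A pre-reload check for the mismatch the two lists above invite, added here as an example and not part of the original post: it reports any algorithm on a Ciphers or MACs line that is missing from a list of algorithms the local OpenSSH build supports. The function names and the sample files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Assumes plain comma-separated lists as on this page (no
# +/-/^ prefixes) and a "supported" file with one algorithm name per line.

# Print the algorithms of the first KEYWORD line in FILE, one per line.
# sshd keeps the first value it finds; keywords are case-insensitive.
algos_from_config() {   # FILE KEYWORD
    awk -v kw="$2" 'tolower($1) == tolower(kw) { print $2; exit }' "$1" | tr ',' '\n'
}

# Print each algorithm configured for KEYWORD that is missing from SUPPORTED.
unsupported_algos() {   # FILE KEYWORD SUPPORTED
    algos_from_config "$1" "$2" | while IFS= read -r algo; do
        [ -n "$algo" ] || continue
        grep -Fxq -e "$algo" "$3" || printf '%s\n' "$algo"
    done
}

# Return 0 only if every configured cipher and MAC is supported.
check_sshd_config() {   # FILE SUPPORTED_CIPHERS SUPPORTED_MACS
    bad=$(unsupported_algos "$1" Ciphers "$2"; unsupported_algos "$1" MACs "$3")
    [ -z "$bad" ] && return 0
    printf 'unsupported: %s\n' $bad >&2
    return 1
}

# Constructed demo: the RHEL 7 Ciphers line from this page checked against
# the RHEL 6 cipher and MAC lists from this page.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' aes128-ctr aes192-ctr aes256-ctr arcfour256 arcfour128 arcfour > "$d/ciphers"
    printf '%s\n' hmac-sha1 hmac-ripemd160 > "$d/macs"
    cat > "$d/sshd_config" <<'EOF'
# constructed sample
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha1,hmac-ripemd160
EOF
    unsupported_algos "$d/sshd_config" Ciphers "$d/ciphers"
    rc=0; check_sshd_config "$d/sshd_config" "$d/ciphers" "$d/macs" 2>/dev/null || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "config names unsupported algorithms; do not reload sshd"
```

Where the installed client supports it, `ssh -Q cipher` and `ssh -Q mac` produce the supported lists, and `sshd -t` validates the whole configuration file before a reload.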

source: https://cipherli.st/ and https://access.redhat.com/solutions/420283 and http://www.cyberciti.biz/faq/howto-openssh-client-security-update-cve-0216-0777-cve-0216-0778/

IETF RFC 7568 Deprecates SSLv3 As Insecure

Security is a hot topic, so make sure your webserver/mail/sshd is configured with the strongest security levels available.

Apache:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
