2022年9月15日木曜日

TLS セキュリティポリシー

クオリス web チェック

$ aws elbv2 describe-ssl-policies  --names ELBSecurityPolicy-FS-2018-06  --output table
$ aws elbv2 describe-ssl-policies  --names ELBSecurityPolicy-TLS-1-2-Ext-2018-06 --output table

$ openssl ciphers -v 'HIGH:!ADH:!MD5;'
$ openssl ciphers -v 'ECDH+AESGCM !aNULL !eNULL !SSLv2 !SSLv3 !CBC'
$ openssl s_client -tls1_2 -connect portal.xxxxx.co.jp:443



sudo pip install --upgrade setuptools
sudo pip install --upgrade sslyze
python -m sslyze --regular www.yahoo.com:443
or sslyze --regular www.yahoo.com:443


【apache httpd セキュリティ設定】
※header内のversionを削除
# vi /etc/httpd/conf.d/security.conf
ServerTokens ProductOnly
ServerSignature Off
Header unset

$ curl -I -s localhost   [--verbose]    # 確認

※ Serverヘッダー削除   apache 2.4以降 完全に消す場合。
yum -y install mod_security mod_security_crs
ServerTokens Full
# vi /etc/httpd/conf.d/mod_security.conf
# SecRuleEngine On
SecServerSignature " "


# curl --head https://portal.cxdnext.co.jp/
curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
# update-crypto-policies --set LEGACY


※ iconsフォルダーの削除
# cd /etc/httpd/conf.d/
# mv autoindex.conf autoindex.conf.org

URL https://localhost/icons    #確認

※ wellcomメッセージの削除
# cd /etc/httpd/conf.d/
# mv welcome.conf welcome.conf.org

【apache 推奨】
ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-ECDSA-AES256-GCM-SHA384:
DHE-RSA-AES128-GCM-SHA256 :
DHE-DSS-AES128-GCM-SHA256:
kEDH+AESGCM:
ECDHE-RSA-AES128-SHA256:
ECDHE-ECDSA-AES128-SHA256:
ECDHE-RSA-AES128-SHA:
ECDHE-ECDSA-AES128-SHA:
ECDHE-RSA -AES256-SHA384:
ECDHE-ECDSA-AES256-SHA384:
ECDHE-RSA-AES256-SHA:
ECDHE-ECDSA-AES256-SHA:
DHE-RSA-AES128-SHA256:
DHE-RSA-AES128-SHA:
DHE-DSS-AES128 -SHA256:
DHE-RSA-AES256-SHA256:
DHE-DSS-AES256-SHA:
DHE-RSA-AES256-SHA:
AES128-GCM-SHA256:
AES256-GCM-SHA384:
AES128-SHA256:
AES256-SHA256:
AES128-SHA :
AES256-SHA:
AES:
CAMELLIA:
DES-CBC3-SHA:
!aNULL:
!eNULL:
!EXPORT:
!DES:
!RC4:
!MD5:
!PSK:
!aECDH:
!EDH-DSS-DES-CBC3-SHA:
!EDH-RSA-DES-CBC3-SHA:
!KRB5-DES-CBC3-SHA

【ngnx 推奨】
ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-ECDSA-AES256-GCM-SHA384:
DHE-RSA-AES128-GCM- SHA256:
DHE-DSS-AES128-GCM-SHA256:
kEDH+AESGCM:
ECDHE-RSA-AES128-SHA256:
ECDHE-ECDSA-AES128-SHA256:
ECDHE-RSA-AES128-SHA:
ECDHE-ECDSA-AES128-SHA:
ECDHE- RSA-AES256-SHA384:
ECDHE-ECDSA-AES256-SHA384:
ECDHE-RSA-AES256-SHA:
ECDHE-ECDSA-AES256-SHA:
DHE-RSA-AES128-SHA256:
DHE-RSA-AES128-SHA:
DHE-DSS- AES128-SHA256:
DHE-RSA-AES256-SHA256:
DHE-DSS-AES256-SHA:
DHE-RSA-AES256-SHA:
AES128-GCM-SHA256:
AES256-GCM-SHA384:
AES128-SHA256:
AES256-SHA256:
AES128- SHA:
AES256-SHA:
AES:
CAMELLIA:
DES-CBC3-SHA:
!aNULL:
!eNULL:
!EXPORT:
!DES:
!RC4:
!MD5:
!PSK:
!aECDH:
!EDH-DSS-DES-CBC3-SHA :
!EDH-RSA-DES-CBC3-SHA:
!KRB5-DES-CBC3-SHA;

【topcat 推奨】
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_SHA,
TLS_ECDHE_RSA_WITH_AES_256_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_SHA,
TLS_DHE_RSA_WITH_AES_128_SHA256,
TLS_DHE_RSA_WITH_AES_128_SHA,
TLS_DHE_DSS_WITH_AES_128_SHA256,
TLS_DHE_RSA_WITH_AES_256_SHA256,
TLS_DHE_DSS_WITH_AES_256_SHA,
TLS_DHE_RSA_WITH_AES_256_SHA"


【NG】
# TLS 1.2 (suites in server-preferred order)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits   FS   WEAK 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits   FS   WEAK 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK 128
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits   FS   WEAK 112
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK 112
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 128
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 112

# TLS 1.1 (suites in server-preferred order)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK 128
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits   FS   WEAK 112
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK 112
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 128
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 112

# TLS 1.0 (suites in server-preferred order)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK 128
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits   FS   WEAK 112
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK 112
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 128
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 112




時刻:

0 件のコメント:

コメントを投稿

登録: コメントの投稿 (Atom)

シャットダウン時の後処理 (shutdown)

# vi /etc/systemd/system/drop.service [Unit] Description= stop httpgwd DefaultDependencies=no Before=shutdown.target RefuseManualStart=true ...

  • Zabbix history_uint.ibd 肥大化して困った。
    history_uint.ibdが肥大化して52Gになった。 -rw-r-----. 1 mysql mysql 52495908864  6月 14 09:20 history_uint.ibd -rw-r-----. 1 mysql mysql  7977566208 ...
  • ZABBIX SNMP Trap 設定
    【snmp/snmptrap】 # yum -y install net-snmp # yum -y install net-snmp-utils # yum -y install snmptt # yum install perl-Sys-Syslog # fi...
  • LVM ファイルシステムのマウント
    # mount /dev/nvme0n1p3 /mnt/m2 mount: /mnt/m2: 未知のファイルシステムタイプ 'LVM2_member' です. #  fdisk -l /dev/nvme0n1 ディスク /dev/nvme0n1: 953....