Today we will show you several things you can do to help secure Apache web servers; as an example, we proudly provide TheCodeAsylum's SSL Labs report.
Open the SSL Labs Report on TheCodeAsylum – 11/12/2018
Service Configuration/Apache Configuration/Global Configuration, edit SSL Cipher Suite: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA256:!AES256-SHA:!AES128-SHA256:!AES128-SHA
Service Configuration/Apache Configuration/Global Configuration, edit SSL/TLS Protocols:
All -SSLv2 -SSLv3 -TLSv1
(Check before disabling TLSv1.0; it might not be the right choice for large public websites.)
Service Configuration/Apache Configuration/Include Editor, edit Pre Main Include (All Versions) and paste these two lines:
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
SSLHonorCipherOrder on
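As an added example (not code from the original post), the following Python script checks the two values above offline: it expands the SSLProtocol directive to see which protocol versions it still leaves enabled, and parses the Strict-Transport-Security header value per RFC 6797. The weak-protocol list and the one-year max-age threshold are assumptions; the default list also flags TLSv1.1, which the directive above leaves on.

```python
# Added example, not from the original post: offline checks for the settings above.
KNOWN_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def enabled_protocols(directive):
    """Expand an Apache SSLProtocol value ('All -SSLv2 -SSLv3 -TLSv1') into the
    set it leaves enabled; 'All' follows the 2.4 docs: everything but SSLv2."""
    enabled = set()
    for token in directive.split():
        name = token.lstrip("+-")
        names = [p for p in KNOWN_PROTOCOLS if p != "SSLv2"] if name.lower() == "all" else [name]
        if token.startswith("-"):
            enabled.difference_update(names)
        else:
            enabled.update(names)
    return enabled

def protocol_findings(directive, weak=("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")):
    """Members of 'weak' the directive still enables (TLSv1.1 is deprecated
    together with TLSv1.0, so the assumed default flags it as well)."""
    return sorted(p for p in enabled_protocols(directive) if p in weak)

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797) into a dict keyed by
    lower-cased directive name; the empty directive left by a trailing ';'
    (as in the header above) is permitted by the grammar and skipped."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def hsts_findings(value, min_age=31536000):
    """Problems with an HSTS value: missing/non-numeric max-age, max-age under
    min_age (one year, the value used above), or no includeSubDomains."""
    d = parse_hsts(value)
    findings = []
    if not d.get("max-age", "").isdigit():
        findings.append("max-age missing or not numeric")
    elif int(d["max-age"]) < min_age:
        findings.append("max-age below %d seconds" % min_age)
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings

if __name__ == "__main__":
    print(protocol_findings("All -SSLv2 -SSLv3 -TLSv1"))          # ['TLSv1.1']
    print(hsts_findings("max-age=31536000; includeSubdomains;"))  # []
```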
At TheCodeAsylum we also implement two-factor authentication for our site. We currently use Google Authenticator, which requires a username and password plus an authentication code from the Google Authenticator app. This satisfies the "Something You Know" and "Something You Have" authentication factors.
COMMENTS
Can anyone else add additional steps that should be taken?