SSL Labs – Securing Apache

Today we will show you several things you can do to help secure Apache web servers. We proudly provide TheCodeAsylum SSL Labs report as an example.

Open the SSL Labs Report on TheCodeAsylum – 11/12/2018

Securing Apache
At a minimum, you should disable weak ciphers and TLS 1.0 and enforce HSTS. Here we show you how to do that on Apache:

Service Configuration/Apache Configuration/Global Configuration, edit SSL Cipher Suite:
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA256:!AES256-SHA:!AES128-SHA256:!AES128-SHA

Service Configuration/Apache Configuration/Global Configuration, edit SSL/TLS Protocols:
All -SSLv2 -SSLv3 -TLSv1
(check before disabling TLSv1.0; it might not be the right choice for large public websites)

Service Configuration/Apache Configuration/Include Editor, edit Pre Main Include (All Versions) and paste these two lines:
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
SSLHonorCipherOrder on
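
A short Python check, added here as an example and not part of the original post, that reads Apache directives and reports whether the three settings above (legacy protocols off, HSTS set, cipher order honored) are in place. The sample config is constructed, `All` is modeled as every protocol name, and the function names are hypothetical.

```python
import re

# Constructed sample: this page's settings written as Apache directives.
GOOD_CONF = '''\
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
'''

# Simplifying assumption: "All" expands to every protocol name below.
ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
LEGACY = {"sslv2", "sslv3", "tlsv1"}   # the protocols the page turns off
MIN_MAX_AGE = 31536000                 # one year, the value used on the page

def enabled_protocols(args):
    """Resolve SSLProtocol arguments: +name adds, -name removes, a bare name replaces."""
    enabled = set()
    for token in args.lower().split():
        name = token.lstrip("+-")
        names = ALL_PROTOCOLS if name == "all" else {name}
        if token.startswith("-"):
            enabled -= names
        elif token.startswith("+"):
            enabled |= names
        else:
            enabled = set(names)
    return enabled

def audit(conf):
    """Return findings for the three settings; an empty list means all are in place."""
    findings, directives = [], {}
    for line in conf.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            directives.setdefault(parts[0].lower(), []).append(parts[1])
    protos = directives.get("sslprotocol")
    if not protos:
        findings.append("SSLProtocol is not set")
    elif enabled_protocols(protos[-1]) & LEGACY:
        weak = sorted(enabled_protocols(protos[-1]) & LEGACY)
        findings.append("legacy protocols enabled: " + ", ".join(weak))
    if "on" not in [v.lower() for v in directives.get("sslhonorcipherorder", [])]:
        findings.append("SSLHonorCipherOrder is not on")
    hsts = [v for v in directives.get("header", []) if "strict-transport-security" in v.lower()]
    value = hsts[-1] if hsts else ""
    if "\u201c" in value or "\u201d" in value:
        findings.append("HSTS value uses typographic quotes; use plain double quotes")
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m or int(m.group(1)) < MIN_MAX_AGE:
        findings.append("HSTS header missing or max-age below one year")
    return findings
```

The typographic-quote check catches a common copy-and-paste problem: directives pasted from a web page can carry curly quotes, which Apache does not treat as quote characters.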

Multi-Factor
Additional security for your web applications:

At TheCodeAsylum we also implement Two-Factor Authentication for our site. We currently use Google Authenticator, which requires a username/password and also an authentication code from the Google Authenticator app. This satisfies the “Something You Know” and “Something You Have” principles of security.

Resources
List of resources that will be beneficial to you:

HTTP Strict Transport Security Cheat Sheet
Ciphers
SSL Labs

 
