====== Hardening Access Anywhere ======

===== TLS Settings and Ciphers =====

(date updated 22 January 2019)

Please note that TLS cipher recommendations change as new threats are discovered. We recommend using the [[https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.34&openssl=1.0.1e&hsts=no&profile=modern|Mozilla SSL Configuration Generator]] to generate the list of ciphers. When using the Mozilla SSL Configuration Generator, select the Apache server and the Modern profile.

As the root user, edit the following file with the vi or nano editor:

<code>
vi /etc/httpd/conf.d/ssl.conf
</code>

Find and replace the following line (note: it may line wrap and appear to be several lines):

<code>
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!RSA
</code>

with the following (always get the latest cipher list from the Mozilla SSL Configuration Generator):

<code>
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
</code>

The Modern list names only ECDHE suites (forward secrecy) with AEAD or SHA-2 MACs; the old list still allowed RSA key exchange (RSA+AESGCM, RSA+AES), which has no forward secrecy.

Additionally, replace the line

<code>
SSLProtocol all -SSLv3 -TLSv1
</code>

with

<code>
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</code>

This leaves TLS 1.2 (and TLS 1.3, where the httpd and OpenSSL builds support it) as the only accepted protocol versions.

After saving the file, restart Apache:

<code>
systemctl restart httpd
</code>

===== Disable CloudFTP =====

NAA provides legacy protocol adaptors, i.e. you can access any storage using FTP, FTPS and SFTP. The FTP provider is an unencrypted protocol. Disable the FTP, FTPS and SFTP services depending on your security policy. For compatibility, SFTP and FTPS support a wide range of encryption protocols and ciphers, including older ones. For a locked-down NAA deployment we recommend disabling the CloudFTP service.

As root:

<code>
systemctl stop cloudftp
systemctl disable cloudftp
</code>

===== Remove Apache HTTPD server Configuration NAA version <= 1901 =====

The icons directory is listed (autoindex.conf enables directory indexing for /icons/). This is not a security risk in itself, but some scanning tools flag it as one.
As root, remove the following file and restart Apache:

<code>
rm /etc/httpd/conf.d/autoindex.conf
systemctl restart httpd
</code>
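The following script is an added example and is not part of the NAA documentation or the NAA product. It applies the SSLCipherSuite and SSLProtocol changes from the "TLS Settings and Ciphers" section to an ssl.conf-style file, checks the result, and probes a live host for both the TLS change and the /icons/ listing removed in the autoindex section. It assumes the cipher list quoted on the page (fetch the current one from the Mozilla generator before use), that the openssl and curl command-line tools are installed for the probe functions, and that the config path is passed as an argument; the sample config at the bottom is constructed for the demo, not a real NAA file.

```shell
#!/bin/sh
# Added example, not NAA's own code. Hardens an Apache ssl.conf as described
# in the TLS section above and verifies the change.
# Assumptions: CIPHERS is the list quoted on the page (check Mozilla for the
# current one); openssl and curl exist for the probe_* functions.

CIPHERS='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
PROTOCOLS='all -SSLv3 -TLSv1 -TLSv1.1'

# harden_ssl_conf FILE: replace the whole SSLCipherSuite and SSLProtocol
# lines (however long the old cipher line is) and keep a FILE.bak copy.
harden_ssl_conf() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    cp "$f" "$f.bak"
    sed -e "s|^[[:space:]]*SSLCipherSuite[[:space:]].*|SSLCipherSuite $CIPHERS|" \
        -e "s|^[[:space:]]*SSLProtocol[[:space:]].*|SSLProtocol $PROTOCOLS|" \
        "$f" > "$f.new" && mv "$f.new" "$f"
}

# check_ssl_conf FILE: return 0 only if TLSv1.1 is disabled and every cipher
# in the suite uses ECDHE key exchange (forward secrecy); otherwise return 1.
check_ssl_conf() {
    f="$1"
    grep -Eq '^[[:space:]]*SSLProtocol[[:space:]].*-TLSv1\.1' "$f" \
        || { echo "TLSv1.1 still enabled in $f" >&2; return 1; }
    ciphers=$(sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]*//p' "$f" | head -n 1)
    # A missing directive yields an empty entry, which also fails the check.
    if printf '%s\n' "$ciphers" | tr ':' '\n' | grep -vq '^ECDHE-'; then
        echo "non-ECDHE cipher (or no SSLCipherSuite) in $f" >&2
        return 1
    fi
    return 0
}

# probe_tls HOST[:PORT]: the live server must refuse TLS 1.1 and accept
# TLS 1.2. Caveat: some OpenSSL 3 client builds will not offer TLS 1.1 at
# all, so a rejection there must be confirmed with another client.
probe_tls() {
    hp="$1"
    case "$hp" in *:*) ;; *) hp="$hp:443" ;; esac
    if openssl s_client -connect "$hp" -tls1_1 </dev/null >/dev/null 2>&1; then
        echo "FAIL: $hp still negotiates TLS 1.1"; return 1
    fi
    openssl s_client -connect "$hp" -tls1_2 </dev/null >/dev/null 2>&1 \
        || { echo "FAIL: $hp does not accept TLS 1.2"; return 1; }
    echo "OK: $hp rejects TLS 1.1 and accepts TLS 1.2"
}

# probe_icons HOST: after autoindex.conf is removed, /icons/ must no longer
# answer with a 200 directory listing (403 or 404 is the expected result).
probe_icons() {
    code=$(curl -sk -o /dev/null -w '%{http_code}' "https://$1/icons/")
    if [ "$code" != "200" ]; then
        echo "OK: /icons/ returns HTTP $code"; return 0
    fi
    echo "FAIL: /icons/ still listable (HTTP 200)"; return 1
}

# Demo on a constructed ssl.conf fragment (not a real NAA file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample: the pre-hardening lines from the NAA page
SSLProtocol all -SSLv3 -TLSv1
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!RSA
EOF
check_ssl_conf "$demo" 2>/dev/null || echo "before: sample fails the check (expected)"
harden_ssl_conf "$demo"
check_ssl_conf "$demo" && echo "after: $(grep '^SSLProtocol' "$demo")"
rm -f "$demo" "$demo.bak"
```

Run `harden_ssl_conf /etc/httpd/conf.d/ssl.conf` as root, then `apachectl configtest` and `systemctl restart httpd`, and finally `probe_tls your.host` and `probe_icons your.host` from another machine. The check rejects any cipher entry that is not ECDHE, so it will also catch a cipher list that was pasted from an older Intermediate profile.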