Hardening Enterprise File Fabric

(date updated 22 January 2019)

Please note that TLS cipher recommendations change as new threats are discovered. We recommend using the Mozilla SSL Configuration Generator to produce the cipher list rather than copying the one below, which reflects the generator's output at the time this page was updated.

When using the Mozilla SSL Configuration Generator, select the Apache server type and the Modern profile. Only use the parts of its output that the installed httpd and OpenSSL support: TLS 1.3, for example, requires OpenSSL 1.1.1 and httpd 2.4.37 or later.

As the root user edit the following file with the vi or nano editors:

vi /etc/httpd/conf.d/ssl.conf

Find and replace the following line (note: it may wrap and appear to be several lines):

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!RSA

with the following (always take the latest cipher list from the Mozilla SSL Configuration Generator):

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Additionally, replace the line

SSLProtocol all -SSLv3 -TLSv1

with

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

After saving the file, restart Apache:

systemctl restart httpd

The following SSH change is only required for EFF instances that were initially deployed before release 1901, as those were configured with a weaker cipher set (the CBC ciphers in the line below). Make the following changes.

As the root user edit the following file with the vi or nano editors:

vi /etc/ssh/sshd_config

Find and replace the following line:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

with these three lines:

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

After saving the file, restart the sshd service. Keep your current SSH session open until you have confirmed that a new login succeeds, because an algorithm name the installed OpenSSH build does not support will prevent sshd from starting:

systemctl restart sshd
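The two edits described above (the SSLCipherSuite/SSLProtocol lines in ssl.conf and the KexAlgorithms/Ciphers/MACs lines in sshd_config) as one added shell example. This is not code from the Enterprise File Fabric documentation or the product: it applies the page's values to a config file idempotently, keeps a backup, and adds the checks a practitioner wants before and after restarting. It assumes the CentOS/RHEL paths used on this page and that `ssh -Q` (OpenSSH 6.3 or later) and `openssl s_client` are available for the optional checks; the config lines in demo() are constructed copies of the pre-hardening lines shown on this page, not real files.

```shell
#!/bin/sh
# Added example, not part of the File Fabric documentation. Paths are the
# CentOS/RHEL defaults used on this page; demo() uses constructed sample files.

# Values copied from the page. Regenerate the TLS list from the Mozilla generator.
MODERN_TLS_CIPHERS='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
MODERN_TLS_PROTOCOL='all -SSLv3 -TLSv1 -TLSv1.1'
SSH_KEX='curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
SSH_CIPHERS='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
SSH_MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'

# set_directive FILE NAME VALUE
# Replace every active (uncommented) "NAME ..." line with "NAME VALUE", collapsing
# duplicates, or append the directive if the file has none. Directive names are
# case-insensitive in both httpd and sshd, so the match is too. Safe to run twice.
set_directive() {
    tmp="$1.tmp.$$"
    awk -v name="$2" -v value="$3" '
        tolower($1) == tolower(name) { if (!seen) { print name " " value; seen = 1 }; next }
        { print }
        END { if (!seen) print name " " value }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# get_directive FILE NAME: print the value of the first active NAME line (empty if none).
get_directive() {
    awk -v name="$2" 'tolower($1) == tolower(name) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

harden_ssl_conf() {   # usage: harden_ssl_conf /etc/httpd/conf.d/ssl.conf
    cp "$1" "$1.bak" || return 1
    set_directive "$1" SSLCipherSuite "$MODERN_TLS_CIPHERS"
    set_directive "$1" SSLProtocol "$MODERN_TLS_PROTOCOL"
}

harden_sshd_config() {   # usage: harden_sshd_config /etc/ssh/sshd_config
    cp "$1" "$1.bak" || return 1
    set_directive "$1" KexAlgorithms "$SSH_KEX"
    set_directive "$1" Ciphers "$SSH_CIPHERS"
    set_directive "$1" MACs "$SSH_MACS"
}

# Every algorithm in the sshd lists must be known to the installed OpenSSH build,
# otherwise sshd refuses to start and you are locked out. ssh -Q exists in 6.3+.
check_ssh_algos_supported() {
    for pair in "kex:$SSH_KEX" "cipher:$SSH_CIPHERS" "mac:$SSH_MACS"; do
        kind=${pair%%:*}
        for algo in $(printf '%s' "${pair#*:}" | tr ',' ' '); do
            ssh -Q "$kind" | grep -qx "$algo" || { echo "unsupported $kind: $algo" >&2; return 1; }
        done
    done
}

# Syntax-check both files with the daemons' own parsers before restarting anything.
check_before_restart() {
    httpd -t || return 1
    sshd -t -f /etc/ssh/sshd_config || return 1
}

# After the httpd restart: TLS 1.1 must be refused and TLS 1.2 accepted on HOST:443.
verify_tls_host() {
    if openssl s_client -connect "$1:443" -tls1_1 </dev/null >/dev/null 2>&1; then
        echo "$1 still accepts TLS 1.1" >&2; return 1
    fi
    openssl s_client -connect "$1:443" -tls1_2 </dev/null >/dev/null 2>&1
}

# demo: run the edits on constructed copies of the pre-hardening lines from this page.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'SSLProtocol all -SSLv3 -TLSv1' \
        'SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!RSA' > "$d/ssl.conf"
    printf '%s\n' '#Ciphers commented-out-line-is-left-alone' \
        'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc' > "$d/sshd_config"
    harden_ssl_conf "$d/ssl.conf" && harden_sshd_config "$d/sshd_config"
    cat "$d/ssl.conf" "$d/sshd_config"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the rewritten sample files; on a real host call `harden_ssl_conf` and `harden_sshd_config` on the paths from this page, then `check_ssh_algos_supported` and `check_before_restart` before the two `systemctl restart` commands, and `verify_tls_host your.host` afterwards. The backups (`ssl.conf.bak`, `sshd_config.bak`) are what you copy back if a restart fails.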

EFF provides legacy protocol adaptors, i.e. you can access any storage using FTP, FTPS and SFTP. FTP is an unencrypted protocol. Disable the FTP, FTPS and SFTP services according to your security policy. For compatibility, SFTP and FTPS accept a wide range of encryption protocols and ciphers, including older ones. For a locked-down EFF deployment we recommend disabling the CloudFTP service.

As root:

systemctl stop cloudftp 
systemctl disable cloudftp

Apache's default autoindex configuration allows the /icons/ directory to be listed. This is not in itself a security risk, but some scanning tools report a directory listing as a finding.

As root, remove the following file and restart Apache:

rm /etc/httpd/conf.d/autoindex.conf
systemctl restart httpd