hardening-enterprise-filefabric [2025_11_24 22:23] (current) – created - external edit 127.0.0.1
 +====== Hardening Access Anywhere ======
 +
 +
 +===== TLS Settings and Ciphers =====
 +(date updated 22 January 2019)
 +
 +Please note that TLS cipher recommendations change as new threats are discovered. We recommend using the [[https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.34&openssl=1.0.1e&hsts=no&profile=modern|Mozilla SSL Configuration Generator]] to generate the list of ciphers.
 +
 +When using the Mozilla SSL Configuration Generator, select the Apache server and the Modern profile.
 +
 +
 +As the root user edit the following file with the vi or nano editors:
 +
 +<code>
 +vi /etc/httpd/conf.d/ssl.conf
 +</code>
 +
 +Find and replace the following line:
 +Note: it may line wrap and appear to be several lines.
 +<code>
 +SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!RSA
 +</code>
 +
 +with the following (always get the latest cipher list from the Mozilla SSL Configuration Generator):
 +<code>
 +SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
 +</code>
 +
 +Additionally, replace the line
 +
 +<code>
 +SSLProtocol all -SSLv3 -TLSv1
 +</code>
 +
 +with 
 +<code>
 +SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
 +</code>
 +
 +After saving the file, restart Apache:
 +
 +<code>
 +systemctl restart httpd
 +</code>
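As an added check (not part of the original page or of the product's own tooling), the following POSIX shell function lints an ssl.conf for the two directives changed above: it confirms that SSLProtocol subtracts SSLv3, TLSv1 and TLSv1.1, and that SSLCipherSuite contains only explicit ECDHE suites and exclusions rather than the older OpenSSL alias groups. The sample configuration embedded at the bottom is constructed; point it at /etc/httpd/conf.d/ssl.conf after editing.

```shell
#!/bin/sh
# Lint the two ssl.conf directives changed above. Read-only: nothing is
# modified. The sample config at the bottom is constructed for this example.

# check_ssl_conf FILE
# Prints one line per finding; returns 0 only when both directives are hardened.
check_ssl_conf() {
    conf="$1"
    rc=0
    # Apache applies the last occurrence, so the last uncommented line wins.
    proto=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$conf" | tail -n 1)
    suite=$(grep -E '^[[:space:]]*SSLCipherSuite[[:space:]]' "$conf" | tail -n 1)

    # Each legacy version must be explicitly subtracted, e.g. "-TLSv1.1".
    for legacy in SSLv3 TLSv1 TLSv1.1; do
        case " $proto " in
            *" -$legacy "*) ;;
            *) echo "SSLProtocol does not disable $legacy"; rc=1 ;;
        esac
    done

    # The Modern profile is a list of explicit ECDHE-* suites. OpenSSL alias
    # groups such as "ECDH+AESGCM" or "RSA+AES" identify the pre-2019 line.
    list=$(printf '%s' "$suite" | sed -E 's/^[[:space:]]*SSLCipherSuite[[:space:]]+//')
    old_ifs=$IFS
    IFS=:
    set -f    # split on ':' only, no pathname expansion of the entries
    for entry in $list; do
        case "$entry" in
            ECDHE-*|'!'*) ;;    # explicit ephemeral suite, or an exclusion
            *) echo "SSLCipherSuite entry '$entry' is not an explicit ECDHE suite"; rc=1 ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return $rc
}

# Constructed sample reproducing the pre-2019 directives from the procedure above.
sample=$(mktemp)
cat >"$sample" <<'EOF'
SSLProtocol all -SSLv3 -TLSv1
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!RSA
EOF
check_ssl_conf "$sample" || echo "ssl.conf needs hardening"
rm -f "$sample"
```

Run it as `check_ssl_conf /etc/httpd/conf.d/ssl.conf` after the edit and again after `systemctl restart httpd`; a zero exit status with no output means both directives match the hardened form.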
 +
 +
 +===== Disable CloudFTP =====
 +NAA provides legacy protocol adaptors, i.e. you can access any storage using FTP, FTPS and SFTP.
 +The FTP provider is an unencrypted protocol. Disable the FTP, FTPS and SFTP services depending on your security policy.
 +For compatibility, SFTP and FTPS support a wide range of encryption protocols and ciphers. For a locked-down NAA deployment we recommend disabling the CloudFTP service.
 +
 +As root
 +<code>
 +systemctl stop cloudftp 
 +systemctl disable cloudftp
 +</code>
 +
 +===== Remove Apache HTTPD Server Configuration (NAA version <= 1901) =====
 +The icons directory listing is exposed; this is not a security risk in itself, but some scanning tools flag it as one.
 +
 +As root, remove the following file and restart Apache:
 +
 +<code>
 +rm /etc/httpd/conf.d/autoindex.conf
 +systemctl restart httpd
 +</code>