Hardening Enterprise File Fabric
TLS Settings and Ciphers
(date updated 22 January 2019)
Please note that TLS cipher recommendations change as new threats are discovered. We recommend using the Mozilla SSL Configuration Generator to generate the cipher list.
When using the Mozilla SSL Configuration Generator, select Apache as the server and the Modern profile.
As the root user edit the following file with the vi or nano editors:
vi /etc/httpd/conf.d/ssl.conf
Find and replace the following line (note: it may line wrap and appear to be several lines):
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!RSA
with (always take the latest cipher list from the Mozilla SSL Configuration Generator rather than copying this one):
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
Additionally, replace the line
SSLProtocol all -SSLv3 -TLSv1
with
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
This leaves only TLS 1.2 enabled (plus TLS 1.3 where the installed httpd and OpenSSL support it). After saving the file, check the syntax with apachectl configtest and then restart Apache:
systemctl restart httpd
SSH Settings EFF Version <= 1901
This is only required for EFF instances that were initially deployed as version 1901 or earlier and are still configured with the low-security cipher list shown below. Please make the following changes.
As the root user edit the following file with the vi or nano editors:
vi /etc/ssh/sshd_config
Find and replace the following line:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
with these 3 lines:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
After saving the file, validate it with sshd -t and then restart the sshd service. Keep your current SSH session open until a new login succeeds, so that a typo in the cipher lists cannot lock you out:
systemctl restart sshd
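As an added example covering both the TLS procedure above and this SSH procedure (this script is not part of the EFF documentation), the following POSIX shell audit checks an Apache ssl.conf and an sshd_config for the weak settings the two procedures remove, and can optionally probe a live HTTPS listener to confirm that TLS 1.0 and 1.1 are refused. The sample files and their paths are constructed for the example; on a real host pass /etc/httpd/conf.d/ssl.conf and /etc/ssh/sshd_config instead.

```shell
#!/bin/sh
# Added example (not from the EFF documentation): an offline audit of the
# ssl.conf and sshd_config edits above, plus an optional live TLS probe.
# The sample files and their paths are constructed for this example.

# Evaluate Apache's SSLProtocol grammar ("all", "+proto", "-proto", "proto")
# and print the protocol versions that remain enabled.
ssl_enabled_protocols() {
  enabled=""
  for tok in "$@"; do
    case "$tok" in
      all|+all) enabled="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" ;;
      -*)       enabled=$(printf ' %s ' "$enabled" | sed "s/ ${tok#-} / /g") ;;
      +*)       enabled="$enabled ${tok#+}" ;;
      *)        enabled="$enabled $tok" ;;
    esac
  done
  printf '%s\n' "$enabled"
}

# Pass when the last active SSLProtocol leaves nothing below TLS 1.2 and the
# last active SSLCipherSuite names only explicit ECDHE suites (forward
# secrecy, no OpenSSL aliases such as ECDH+AESGCM, no static RSA/DH kex).
audit_ssl_conf() {
  f=$1
  proto_line=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$f" | tail -n 1)
  suite_line=$(grep -E '^[[:space:]]*SSLCipherSuite[[:space:]]' "$f" | tail -n 1)
  [ -n "$proto_line" ] && [ -n "$suite_line" ] ||
    { echo "$f: SSLProtocol or SSLCipherSuite missing"; return 1; }
  set -- $proto_line; shift            # tokens after the directive name
  enabled=$(ssl_enabled_protocols "$@")
  for p in SSLv2 SSLv3 TLSv1 TLSv1.1; do
    case " $enabled " in *" $p "*) echo "$f: $p still enabled"; return 1 ;; esac
  done
  suites=$(printf '%s\n' "$suite_line" |
    sed 's/^[[:space:]]*SSLCipherSuite[[:space:]]*//; s/[[:space:]]*$//')
  old_ifs=$IFS; IFS=:
  for s in $suites; do
    case "$s" in
      ECDHE-ECDSA-*|ECDHE-RSA-*) ;;
      *) IFS=$old_ifs; echo "$f: non-ECDHE or alias entry '$s'"; return 1 ;;
    esac
  done
  IFS=$old_ifs
  return 0
}

# Pass when sshd_config pins Ciphers, MACs and KexAlgorithms (the procedure
# above makes all three explicit) and no entry is CBC, RC4, 3DES, MD5,
# RIPEMD or SHA-1 based.
audit_sshd_conf() {
  f=$1
  for key in Ciphers MACs KexAlgorithms; do
    val=$(grep -iE "^[[:space:]]*$key[[:space:]]" "$f" | tail -n 1 | awk '{print $2}')
    [ -n "$val" ] || { echo "$f: $key not pinned"; return 1; }
    old_ifs=$IFS; IFS=,
    for alg in $val; do
      case "$alg" in
        *-cbc*|arcfour*|3des*|*md5*|*ripemd*|*sha1|*sha1-*)
          IFS=$old_ifs; echo "$f: weak $key entry '$alg'"; return 1 ;;
      esac
    done
    IFS=$old_ifs
  done
  return 0
}

# Optional live check (needs network; not run by default). Relies on
# openssl s_client exiting non-zero when the server refuses the handshake.
probe_tls() {
  host=$1                               # host:port, e.g. eff.example.com:443
  for v in tls1 tls1_1; do
    if openssl s_client -connect "$host" "-$v" </dev/null >/dev/null 2>&1; then
      echo "$host: still accepts $v"; return 1
    fi
  done
  openssl s_client -connect "$host" -tls1_2 </dev/null >/dev/null 2>&1 ||
    { echo "$host: refused TLS 1.2"; return 1; }
  echo "$host: TLS 1.0 and 1.1 refused, TLS 1.2 accepted"
}

# Constructed samples: the "before" and "after" states from the procedures.
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
WEAK_SSL=$SAMPLE_DIR/ssl.conf.weak; HARD_SSL=$SAMPLE_DIR/ssl.conf.hardened
WEAK_SSHD=$SAMPLE_DIR/sshd_config.weak; HARD_SSHD=$SAMPLE_DIR/sshd_config.hardened
printf '%s\n' 'SSLProtocol all -SSLv3 -TLSv1' \
  'SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:RSA+AESGCM:RSA+AES:!aNULL:!MD5' > "$WEAK_SSL"
printf '%s\n' 'SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1' \
  'SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256' > "$HARD_SSL"
printf '%s\n' 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc' > "$WEAK_SSHD"
printf '%s\n' \
  'KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256' \
  'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' \
  'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' > "$HARD_SSHD"

# Usage: audit the samples (substitute the real paths on a host); pass
# host:port as the first argument to probe the live listener as well.
for f in "$WEAK_SSL" "$HARD_SSL";   do audit_ssl_conf "$f"  && echo "$f: OK"; done
for f in "$WEAK_SSHD" "$HARD_SSHD"; do audit_sshd_conf "$f" && echo "$f: OK"; done
if [ -n "${1:-}" ]; then probe_tls "$1"; fi
```

The static audit is deliberately stricter than "no known-broken suite": it requires an explicit ECDHE-only list, which is what the Modern profile produces, so an SSLCipherSuite built from OpenSSL aliases or one that still lists static RSA key exchange fails even if it happens to exclude weak ciphers. The live probe is the check that matters after the restart, since it confirms what the server actually negotiates rather than what the file says.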
Disable CloudFTP
EFF provides legacy protocol adaptors, i.e. you can access any storage using FTP, FTPS and SFTP. FTP is an unencrypted protocol. Disable FTP, FTPS and SFTP depending on your security policy; for compatibility reasons SFTP and FTPS accept a wide range of protocol versions and ciphers, including older ones. For a locked-down EFF deployment we recommend disabling the CloudFTP service.
As root, stop the service and prevent it from starting at boot (afterwards systemctl is-active cloudftp should report inactive):
systemctl stop cloudftp
systemctl disable cloudftp
Remove Apache HTTPD server Configuration EFF version <= 1901
The /icons/ directory listing provided by Apache's autoindex module is exposed. This is not a security risk in itself, but some scanning tools flag it.
As root, remove the following file and restart Apache:
rm /etc/httpd/conf.d/autoindex.conf
systemctl restart httpd