Topic: sshd_config modification in Apache
rks4sm
Joined: 28 Nov 2013 Posts: 17 Location: New Delhi
Posted: Wed 06 Aug '14 14:52 Post subject: sshd_config modification in Apache
Hello Friends,
We have Apache server 2.4.6 running on Win 2k8 platform.
The SSH services running on a number of hosts in scope were found to be supporting CBC and weak MAC ciphers. Due to the fact that the specific algorithms are cryptographically insecure, supporting these ciphers enables attackers to perform cryptanalysis attacks in order to compromise user data being sent through the affected channel.
We got the recommendation:
These may be preferentially selected by placing the following directive in sshd_config by placing the strong ciphers at the beginning of the directive means they will be used instead of the insecure ciphers:
Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc
We couldn't find the sshd_config file in our Windows server where we can do the recommendation.
Any help would be appreciated,
Thanks,
Rakesh
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7398 Location: EU, Germany, Next to Hamburg
Posted: Wed 06 Aug '14 16:35 Post subject:
There is no sshd config in Apache. Apache has nothing to do with it.
Which SSH software do you use?
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
Posted: Wed 06 Aug '14 17:53 Post subject:
Perhaps he is talking about his SSL setup. I have put this at the top of my httpd-ssl.conf:
Code:
SSLProtocol -ALL +TLSv1.2 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:!aNULL:!MD5:!ADH
And this in every https-Virtualhost:
Code:
<IfModule headers_module>
    # Use HTTP Strict Transport Security to force client to use secure connections only
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>
This gives you quite a level of SSL protection.
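An added example, not part of any post in this thread: a Python check that reads sshd_config text and reports which entries of the Ciphers and MACs directives are still offered to clients even when they are listed last. The sample config, the function names and the definition of "weak" (CBC-mode and arcfour ciphers, MD5-based or 96-bit MACs) are assumptions; list modifiers such as a leading `+` or `-` are not handled.

```python
import re

# Assumption: "weak" mirrors typical scanner findings (CBC-mode and RC4 ciphers,
# MD5-based or 96-bit truncated MACs); it is not an official OpenSSH list.
WEAK = {
    "ciphers": re.compile(r"-cbc|^arcfour"),
    "macs": re.compile(r"md5|-96"),
}

# Constructed sample; the Ciphers line follows the recommendation quoted in the thread.
SAMPLE = """\
# constructed sshd_config fragment
Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc
MACs hmac-sha2-256,hmac-sha1,hmac-md5,hmac-sha1-96
macs hmac-md5
"""

def parse_lists(text):
    """Return {'ciphers': [...], 'macs': [...]} for directives present in text.
    Keywords are case-insensitive and sshd keeps the first value it reads."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword in WEAK and keyword not in found and len(parts) == 2:
            found[keyword] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return found

def audit(text):
    """Return (weak, kept): weak lists (keyword, algorithm) pairs still offered,
    kept maps each keyword to its list with weak entries removed, order preserved."""
    weak, kept = [], {}
    for keyword, algos in parse_lists(text).items():
        kept[keyword] = []
        for algo in algos:
            if WEAK[keyword].search(algo):
                weak.append((keyword, algo))
            else:
                kept[keyword].append(algo)
    return weak, kept

if __name__ == "__main__":
    weak, kept = audit(SAMPLE)
    for keyword, algo in weak:
        print(f"still offered: {keyword} {algo}")
    for keyword, algos in kept.items():
        print(f"{keyword} {','.join(algos)}")
```

Placing an algorithm at the end of the list only changes preference; a client that proposes nothing else will still negotiate it, which is why the check reports every weak entry regardless of position.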