CentOS 7: fixing cryptography vulnerability findings

1. SSL Medium Strength Cipher Suites Supported (SWEET32) && TLS Version 1.0 Protocol Detection

Using traefik.toml as the example, raise the minimum protocol version and restrict the cipher suites. Note that the second suite below, TLS_RSA_WITH_AES_256_GCM_SHA384, uses static RSA key exchange and therefore provides no forward secrecy; it clears the scanner finding, but an ECDHE suite is preferable where clients support it.

[entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      minVersion = "VersionTLS12"
      cipherSuites = [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_256_GCM_SHA384"
       ]

2. HSTS Missing From HTTPS Server (RFC 6797)

Using traefik.toml as the example: plain HTTP access has to be removed entirely. An HTTP-to-HTTPS redirect is not acceptable either; only HTTPS may be served.

[entryPoints]
  #[entryPoints.http]
  #  address = ":80"
  #  [entryPoints.http.redirect]
  #    entryPoint = "https"
  #    permanent = true
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      minVersion = "VersionTLS12"
      cipherSuites = [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_256_GCM_SHA384"
       ]

3. SSH Weak Key Exchange Algorithms Enabled && SSH Server CBC Mode Ciphers Enabled

3.1. Open the SSH daemon configuration file:

vim /etc/ssh/sshd_config

Append the following three lines (the permitted ciphers, MACs and key-exchange algorithms) at the end of the file. Note that the arcfour entries are RC4, which RFC 8758 deprecates for SSH, and hmac-sha1 is likewise considered weak; they do not trigger the CBC-mode finding, but drop them unless a legacy client still needs them.

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
Macs hmac-sha1,hmac-ripemd160
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1

3.2. Restart sshd

systemctl restart sshd

3.3. If the restart fails with the error Directive 'Ciphers' is not allowed within a Match block

If the file already contains the following two lines, place the lines you are adding above them: sshd treats everything after a Match line, up to the next Match, as part of that block, and these directives are only accepted in the global section.

Subsystem sftp internal-sftp
Match Group sftp

3.4. Verify with ssh (optional)

Offer the server only the algorithms that were removed; each connection should now be refused (replace the target IP placeholder with the host under test):

[root@localhost ~]# ssh -vv -oCiphers=aes128-cbc,3des-cbc,blowfish-cbc <target IP>
[root@localhost ~]# ssh -vv -oMACs=hmac-md5 <target IP>

3.5. Verify with nmap (optional)

The nmap script enumerates the algorithms the server offers. The "Unable to negotiate ... no matching cipher found" line below is the OpenSSH client's refusal from the test in 3.4; its "Their offer" list confirms that only the configured ciphers remain on offer.

nmap --script ssh2-enum-algos -sV -p 22  目标IP
……
Unable to negotiate with 127.0.0.1 port 22: no matching cipher found. Their offer: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
……
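Sections 3.1 to 3.5 describe one procedure: add the algorithm directives, keep them out of any Match block, and verify that weak algorithms are gone. The following Python check, written for this page and not part of the original post, does both offline against sshd_config text; the deny-list patterns and the two sample configurations are constructed here and mirror the Match-block failure from 3.3.

```python
import re

# Constructed deny-list for this check (not from the original post): CBC-mode and
# RC4 ("arcfour", deprecated for SSH by RFC 8758) ciphers, MD5/SHA-1/RIPEMD MACs
# and SHA-1 key exchange are the algorithms such scanner findings point at.
WEAK = {
    "Ciphers": re.compile(r"-cbc$|^arcfour|^3des"),
    "MACs": re.compile(r"md5|sha1|ripemd|-96"),
    "KexAlgorithms": re.compile(r"sha1$|group1-"),
}

def check_sshd_config(text):
    """Scan sshd_config text ('Keyword value' lines, '#' comments). Returns the
    crypto directives placed inside a Match block as 'errors' (sshd refuses to
    start on them) and the weak algorithms still offered as 'weak'."""
    errors, weak, in_match = [], {}, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "match":
            in_match = True  # everything up to the next Match line belongs to it
            continue
        canon = next((d for d in WEAK if d.lower() == key.lower()), None)
        if canon is None:  # sshd keywords are case-insensitive ("Macs" == "MACs")
            continue
        if in_match:
            errors.append(f"line {lineno}: Directive '{canon}' is not allowed within a Match block")
        flagged = [a for a in value.split(",") if WEAK[canon].search(a.strip().lower())]
        if flagged:
            weak[canon] = flagged
    return {"errors": errors, "weak": weak}

# Constructed samples: the post's lines appended after the sftp Match block (the
# failure in 3.3), and the same file with them moved above it and trimmed.
APPENDED_AFTER_MATCH = """\
Subsystem sftp internal-sftp
Match Group sftp
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
Macs hmac-sha1,hmac-ripemd160
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1
"""
FIXED = """\
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
Subsystem sftp internal-sftp
Match Group sftp
"""
```

Run `check_sshd_config(open("/etc/ssh/sshd_config").read())` on a host before restarting sshd; an empty `errors` list and an empty `weak` dict is the target state.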
posted @ 2022-09-03 15:19 by 门罗的魔术师