Removing DES and 3DES ciphers in Linux Red Hat 6.8
Hi, I need help removing block cipher algorithms with a 64-bit block size (DES and 3DES), which are subject to the birthday attack known as Sweet32, in Linux Red Hat Enterprise 6.8. I need this for PCI compliance, but I'm not sure which files I need to edit in order to remove those ciphers. They are showing in scan results as warnings on ports 21, 465, 993, 995 and 8443. I use Plesk Onyx as a control panel.
I have already edited /etc/nginx/conf.d/ssl.conf and /etc/httpd/conf.d/ssl.conf but they are still showing on the ports mentioned before.
Are those files actually read/included by the config of the servers?
/etc/nginx/nginx.conf resp. /etc/httpd/httpd.conf
Most servers have a config file; all self-respecting servers allow you to set up SSL settings, and most also have a way to specify SSL protocols.
But it is server dependent, as the software needs to read the config file and set up the right calls to the SSL stack.
In addition to the above, you could disable ciphers system wide by editing the OpenSSL.conf file.
Usually, you have to reload/restart the web server after this type of change.
Are you disabling the protocols SSLv2, SSLv3, TLS 1.0?
These configs are read in during start of the service. Some changes can be applied by reload, some require a stop/start.
FTP server: 21,
Mail server: 465,
IMAPS: 993,
POP3S: 995 and
Apache? / HAProxy?: 8443?
The 465, 993 and 995 might be proxied by nginx; then you have to check the mail { } sections there.
Also disable SSL2 & 3 as mentioned before, as those are broken by now.
(And be sure your SSL library is up to date.)
Don't forget to get your SSL certificates to at least use SHA-256 hashes or they will be unusable soon.
Here is an nginx spec:
ssl_session_timeout 5m;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # required by SNI, up to SSL3 broken
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT40:!EXPORT56:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
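To see what a cipher string like the one above actually enables on the local OpenSSL build, here is an added Python example (it is not from this thread and not nginx's own code). It feeds the string to the ssl module, which hands it to the same OpenSSL cipher-list parser that `openssl ciphers -v` uses, and then flags any enabled suite that is built on a 64-bit block cipher. It assumes a Python 3 linked against OpenSSL; the function names are mine, and the exact list of enabled suites depends on that OpenSSL build.

```python
"""Check an OpenSSL/nginx ssl_ciphers string for 64-bit block cipher suites.

Added example, not from the thread. The expansion below is done by the
OpenSSL library Python links against, so the enabled list varies by build;
`is_64bit_block` is pure name matching and does not.
"""
import re
import ssl

# The ssl_ciphers value from the nginx snippet above (without the trailing ';').
NGINX_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
    "DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT40:!EXPORT56:!EXPORT:"
    "!DES:!3DES:!MD5:!PSK:!RC4"
)

# Name fragments that identify a 64-bit block cipher. OpenSSL spells 3DES as
# "DES-CBC3" (e.g. ECDHE-RSA-DES-CBC3-SHA); IANA names use "3DES_EDE".
WEAK_BLOCK_TOKENS = {"DES", "3DES", "IDEA", "RC2"}


def is_64bit_block(cipher_name):
    """True if an OpenSSL- or IANA-style suite name uses a 64-bit block cipher."""
    tokens = set(re.split(r"[-_]", cipher_name.upper()))
    return bool(WEAK_BLOCK_TOKENS & tokens)


def expand_cipher_string(cipher_string):
    """Return the suite names the linked OpenSSL enables for this string.

    Raises ssl.SSLError if the string selects no cipher at all. Unknown
    tokens (such as the old EXPORT40/EXPORT56 aliases) are ignored by
    OpenSSL, so they do no harm here. TLS 1.3 suites reported by
    get_ciphers() are fixed by the library and are not affected by the string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def sweet32_suites(cipher_string):
    """Enabled suites from `cipher_string` that use a 64-bit block cipher."""
    return [n for n in expand_cipher_string(cipher_string) if is_64bit_block(n)]


if __name__ == "__main__":
    enabled = expand_cipher_string(NGINX_CIPHERS)
    print(f"{len(enabled)} suites enabled by the nginx string")
    print("64-bit block suites:", sweet32_suites(NGINX_CIPHERS))
    # For contrast: whether 3DES shows up for a permissive string depends on
    # the OpenSSL build and its configured security level.
    print("ALL:!aNULL ->", sweet32_suites("ALL:!aNULL"))
```

The point of expanding the string rather than reading it is that `!3DES` only takes effect if the server really loads this file; the scan, not the config, is the ground truth, and this check tells you what the config would give you if it were loaded.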
Thank you for your responses. I have edited those files before, but in two separate scans these ciphers are still showing. Could there be any other files that might include these ciphers server wide?
Thank you, it seems pop3 and imap are among the ones listening; I just need to know where their config files are located.
lsof -i:995
lsof -i:993
This will answer which application is serving it: courier, postfix, dovecot, exim, etc. Once you identify what is serving, locating the config might become clearer if it is not in /etc.
lsof -p pid_from_lsof
Look for open config files in the resulting list.
nginx might also be proxying those.
This should give you a list of all process IDs and the running program with a TCP connection (the p does the trick).
This is the result I got from those commands. I tried to challenge the results with the scanning company and they denied it, saying it was a legitimate warning and that the ciphers were still showing on these ports.
I think I need the command to close port 21 as I've set up the server to use port 22 for secure FTP.
Also I need to find the files to edit ciphers on imaps and pcsync-https.
[root@web ~]# lsof -i:995
COMMAND     PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
couriertc 15408 root    3u  IPv6 30350204      0t0  TCP *:pop3s (LISTEN)
[root@web ~]# lsof -i:993
COMMAND     PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
couriertl 13674 root    0u  IPv6 31208574      0t0  TCP web.vacationpeople.net:imaps->47.203.104.211:61257 (ESTABLISHED)
couriertl 13677 root    0u  IPv6 31208577      0t0  TCP web.vacationpeople.net:imaps->47.203.104.211:61256 (ESTABLISHED)
couriertl 13697 root    0u  IPv6 31208706      0t0  TCP web.vacationpeople.net:imaps->47.203.104.211:61275 (ESTABLISHED)
couriertl 13698 root    0u  IPv6 31208707      0t0  TCP web.vacationpeople.net:imaps->47.203.104.211:61276 (ESTABLISHED)
couriertc 15279 root    3u  IPv6 30350035      0t0  TCP *:imaps (LISTEN)
[root@web ~]#
[root@web ~]# lsof -i:21
COMMAND     PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
xinetd     9528 root    5u  IPv6 29879964      0t0  TCP *:ftp (LISTEN)
[root@web ~]# lsof -i:8443
COMMAND     PID USER         FD   TYPE   DEVICE SIZE/OFF NODE NAME
sw-cp-ser 19694 root         12u  IPv4 21678480      0t0  TCP *:pcsync-https (LISTEN)
sw-cp-ser 19694 root         14u  IPv6 21678482      0t0  TCP *:pcsync-https (LISTEN)
sw-cp-ser 29591 sw-cp-server 12u  IPv4 21678480      0t0  TCP *:pcsync-https (LISTEN)
sw-cp-ser 29591 sw-cp-server 14u  IPv6 21678482      0t0  TCP *:pcsync-https (LISTEN)
Thank you for your help with this.
Jorge
I also ran this command and I can see that DES ciphers are still on the server.
nmap --script ssl-enum-ciphers -p 21 «000.00.000.00»
Results for ports 21, 993, 995 and 8443:
Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-30 11:33 CST
Nmap scan report for server (000.00.000.00)
Host is up (0.000030s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
[root@web ~]# nmap --script ssl-enum-ciphers -p 21 «000.00.000.00»
Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-30 11:36 CST
Nmap scan report for server (000.00.000.00)
Host is up (0.000030s latency).
PORT   STATE SERVICE
21/tcp open  ftp
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 0.90 seconds
[root@web ~]# nmap --script ssl-enum-ciphers -p 993 «000.00.000.00»
Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-30 11:37 CST
Nmap scan report for server (000.00.000.00)
Host is up (0.000029s latency).
PORT    STATE SERVICE
993/tcp open  imaps
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
[root@web ~]# nmap --script ssl-enum-ciphers -p 995 «000.00.000.00»
Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-30 11:38 CST
Nmap scan report for server (000.00.000.00)
Host is up (0.000029s latency).
PORT    STATE SERVICE
995/tcp open  pop3s
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds
[root@web ~]# nmap --script ssl-enum-ciphers -p 8443 «000.00.000.00»
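Note that this version of nmap rates the 3DES suites "strong", so the scanner's own verdict says nothing about Sweet32; what matters is whether any 64-bit block cipher suite appears at all. As an added example (not part of the thread), the Python below parses ssl-enum-ciphers output in the format shown above and lists, per port, the suites that use a 64-bit block cipher, so the 3DES entries buried in a long list are not missed. The sample scan embedded in it is constructed in the shape of the scans above (trimmed, and with the port 8443 result the thread does not show left out); function and variable names are mine.

```python
"""List 64-bit block cipher suites per port from `nmap --script ssl-enum-ciphers` output.

Added example, not from the thread. SAMPLE_SCAN is constructed in the
nmap 6.47 output format seen in the thread; it is not a real scan result.
"""
import re

SAMPLE_SCAN = """\
Nmap scan report for server (000.00.000.00)
PORT    STATE SERVICE
21/tcp  open  ftp
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|     compressors:
|       NULL
|_  least strength: strong
"""

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+\S+")
PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv1(?:\.\d)?):\s*$")
# The suite name comes first on its line; the trailing rating is ignored on
# purpose, since nmap 6.47 rates 3DES "strong".
SUITE_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)")

# Tokens in IANA suite names that denote a 64-bit block cipher.
WEAK_BLOCK_TOKENS = {"DES", "3DES", "IDEA", "RC2"}


def is_64bit_block(suite):
    """True if an IANA suite name such as TLS_RSA_WITH_3DES_EDE_CBC_SHA uses a 64-bit block cipher."""
    return bool(WEAK_BLOCK_TOKENS & set(suite.split("_")))


def parse_scan(text):
    """Return {port: {protocol: [suite, ...]}} from ssl-enum-ciphers output."""
    result, port, proto = {}, None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:                                   # new "NNN/tcp open svc" block
            port, proto = int(m.group(1)), None
            result[port] = {}
            continue
        m = PROTO_RE.match(line)
        if m and port is not None:              # "|   TLSv1.2:" header
            proto = m.group(1)
            result[port][proto] = []
            continue
        m = SUITE_RE.match(line)
        if m and port is not None and proto is not None:
            result[port][proto].append(m.group(1))
    return result


def sweet32_findings(text):
    """Map port -> sorted list of 64-bit block suites offered on any protocol version."""
    findings = {}
    for port, protos in parse_scan(text).items():
        weak = sorted({s for suites in protos.values() for s in suites if is_64bit_block(s)})
        if weak:
            findings[port] = weak
    return findings


if __name__ == "__main__":
    for port, suites in sweet32_findings(SAMPLE_SCAN).items():
        print(f"port {port}: {len(suites)} 64-bit block suite(s)")
        for s in suites:
            print("   ", s)
```

Run it against a saved scan with `python3 check.py < scan.txt` after replacing SAMPLE_SCAN with `sys.stdin.read()`; a clean result is an empty dictionary, which is the condition a PCI scanner is looking for on each of these ports.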