

CSF security check




Posted by Chinese Democracy, 04-20-2009, 07:25 PM
I'm running CSF on a cPanel server and have questions about new features in CSF.

Apache Check

Check Apache weak SSL/TLS Ciphers (SSLCipherSuite)
Results: Cipher list []. Due to weaknesses in the SSLv2 cipher you should disable SSLv2 in WHM > Apache Configuration > Global Configuration > SSLCipherSuite > Add -SSLv2 to SSLCipherSuite and/or remove +SSLv2. Do not forget to Save AND then Rebuild Configuration and Restart Apache, otherwise the changes will not take effect in httpd.conf

Can someone explain this in layman's terms? I know this is new in cPanel. I'm already running Apache 2.2, PHP 5.2.9 with suPHP enabled and mod_security as well (these rules: http://www.uhgbug.com/index.php/2009...calapache.html ).

Also, what exactly are these CSF checks?

Check csf PT_SKIP_HTTP option
This option disables checking of processes running under apache and can limit false-positives but may then miss running exploits

Check csf SAFECHAINUPDATE option
This option closes a window of opportunity that opens when dynamic chain updates occur

Posted by CiscoMike, 04-20-2009, 07:32 PM
This just means that your web server would accept SSLv2-based connections. The issue here is that SSLv2 is vulnerable to MitM-style attacks and uses weaker ciphers for encryption. Most modern browsers do not support SSLv2 anymore and default to SSLv3 and/or TLSv1, but it's still good practice to not allow your web daemon to accept connections on SSLv2, just to play it safe. Even if you aren't running any websites using HTTPS, it's good practice to disable it.

Don't sweat this one; this just closes a theoretical loophole: when the bogon, Spamhaus and denied host lists get reloaded, you aren't potentially exposed to hosts in those lists being able to access your server during the iptables flush. It's likely not going to be an issue, since an attacker on those lists would only have a 1-3 second window of opportunity and would have to know when you are flushing your tables. That's why the default is set to off.

Posted by Chinese Democracy, 04-20-2009, 07:37 PM
Thanks Mike. Can you please explain how to actually *resolve* the Cipher security warning? I currently have the default set:

Is there any side effect to modifying this to version 3? What would you recommend the setting to be (in full)? Thanks
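The warning in the first post asks for -SSLv2 in SSLCipherSuite, and the question above asks what the setting should actually be. The following added example (written for this page; it is not code from the thread, from cPanel or from CSF) models how the OpenSSL cipher string and Apache 2.2's SSLProtocol directive together decide whether a client can still negotiate SSLv2, and why `!SSLv2` in the cipher string (or `SSLProtocol all -SSLv2`, which is the more direct control in mod_ssl 2.2) is the robust form of the fix: `-SSLv2` can be undone by a later alias and `+SSLv2` only reorders. The two httpd.conf fragments, the alias sets SSLV2_ALIASES/SSLV2_FULL and every function name are constructed for the example and are not the poster's real configuration, which the thread does not reproduce.

```python
"""Added example: does an Apache 2.2 / mod_ssl configuration still allow SSLv2?
Models the condition behind CSF's "Check Apache weak SSL/TLS Ciphers" warning.
Sample configs and alias tables below are constructed, not taken from the thread."""

import re

# Assumption (OpenSSL 0.9.8-era aliases): each of these matches at least one
# SSLv2 suite such as RC4-MD5, DES-CBC3-MD5 or EXP-RC2-CBC-MD5.
SSLV2_ALIASES = {
    "ALL", "DEFAULT", "SSLv2", "MD5", "RSA", "kRSA", "aRSA",
    "HIGH", "MEDIUM", "LOW", "EXP", "EXPORT", "RC4", "RC2", "DES", "3DES", "IDEA",
}
# Subset covering every SSLv2 suite (all of them use RSA key exchange and MD5).
SSLV2_FULL = {"ALL", "DEFAULT", "SSLv2", "MD5", "RSA", "kRSA", "aRSA"}


def _all_in(name, aliases):
    """'RC4+RSA' is an intersection: it matches SSLv2 only if every part does."""
    return all(part in aliases for part in name.split("+"))


def sslv2_ciphers_enabled(cipher_suite):
    """Evaluate a cipher string for one question: does any SSLv2 suite survive?
    '-X' removes matching suites but a later bare alias can add them back,
    '!X' removes them for good, '+X' only reorders (so '+SSLv2' adds nothing).
    A narrow removal such as '-LOW' drops only some SSLv2 suites; the model
    then keeps reporting them present, which errs on the side of warning."""
    present = killed = False
    for tok in cipher_suite.split(":"):
        tok = tok.strip()
        if not tok or tok.startswith("@"):          # e.g. @STRENGTH
            continue
        prefix, name = (tok[0], tok[1:]) if tok[0] in "-!+" else ("", tok)
        if not _all_in(name, SSLV2_ALIASES):
            continue
        if prefix == "!":
            if _all_in(name, SSLV2_FULL):
                killed, present = True, False
        elif prefix == "-":
            if _all_in(name, SSLV2_FULL):
                present = False
        elif prefix == "" and not killed:
            present = True
    return present


def sslv2_protocol_enabled(ssl_protocol):
    """Apache 2.2 SSLProtocol: a missing directive means 'all', and 'all'
    expands to SSLv2 SSLv3 TLSv1; words are 'proto', '+proto' or '-proto'."""
    if ssl_protocol is None:
        return True
    enabled = set()
    for word in ssl_protocol.split():
        prefix, name = (word[0], word[1:]) if word[0] in "+-" else ("+", word)
        name = name.lower()
        names = {"sslv2", "sslv3", "tlsv1"} if name == "all" else {name}
        if prefix == "-":
            enabled -= names
        else:
            enabled |= names
    return "sslv2" in enabled


def _last_directive(conf, name):
    """Value of the last occurrence of a directive; later lines win in Apache."""
    value = None
    pat = re.compile(r"^\s*" + re.escape(name) + r"\s+(.+?)\s*$", re.IGNORECASE)
    for line in conf.splitlines():
        m = pat.match(line)
        if m:
            value = m.group(1)
    return value


def check_sslv2(conf):
    """Report, like the CSF check, whether SSLv2 is reachable and why.  An SSLv2
    handshake needs the protocol allowed AND at least one SSLv2 suite left."""
    proto = sslv2_protocol_enabled(_last_directive(conf, "SSLProtocol"))
    suite = _last_directive(conf, "SSLCipherSuite")
    # mod_ssl's built-in default cipher string still includes the SSLv2 suites.
    ciphers = sslv2_ciphers_enabled(suite) if suite is not None else True
    return {"protocol": proto, "ciphers": ciphers, "reachable": proto and ciphers}


def harden_cipher_suite(cipher_suite):
    """The thread's fix made robust: drop '+SSLv2', turn '-SSLv2' into '!SSLv2'
    and ensure '!SSLv2' is present so no later alias can add the suites back."""
    toks = [t for t in cipher_suite.split(":") if t and t != "+SSLv2"]
    toks = ["!SSLv2" if t == "-SSLv2" else t for t in toks]
    if "!SSLv2" not in toks:
        toks.append("!SSLv2")
    return ":".join(toks)


# Constructed sample: no SSLProtocol line (so 'all') and '+SSLv2' in the list.
WEAK_CONF = """\
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv2:-EXP
"""

# Constructed sample: SSLv2 removed at both the protocol and the cipher level.
HARDENED_CONF = """\
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:!SSLv2:-EXP
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, check_sslv2(conf))
    print(harden_cipher_suite("ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv2:-EXP"))
```

Running it against the weak fragment reports SSLv2 reachable on both counts; against the hardened fragment neither. After editing httpd.conf through WHM, the thread's reminder still applies: save, rebuild the configuration and restart Apache, then re-run the CSF check rather than trusting the file alone.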

Posted by Chinese Democracy, 04-20-2009, 09:49 PM
In regards to the new mod_security rules I implemented (see first post link), I'm now getting dozens and dozens of these 443/80 email blocks from mod_security (unique IPs, not one person). Example:

tcp:in:d=80=xxx.201.76.100 # lfd: 5 (mod_security) login failures from xxx.201.76.100 in the last 300 secs - Mon Apr 20 18:31:27 2009
tcp:in:d=443=xxx.201.76.100 # lfd: 5 (mod_security) login failures from xxx.201.76.100 in the last 300 secs - Mon Apr 20 18:31:27 2009

I just flushed about 30 of these for now, all unique IPs. Is this normal, to get so many blocks? It is a shared cPanel server, to clarify.


