Apache HTTPD : ETag Inode Information Leakage

This is a finding reported by PCI scans: the default ETag header exposes the file's inode number. To remediate it, disable the ETag feature in your Apache configuration file.

Add FileETag None to /etc/httpd/conf/httpd.conf and restart your Apache server :

echo 'FileETag None' >> /etc/httpd/conf/httpd.conf

service httpd restart

Check whether an ETag header is still present in the HTTP response headers sent by your Apache server :

curl -I https://your_server_name/ -k


CIFS NULL session permitted

How to disable CIFS NULL sessions on a Linux server to meet compliance requirements ?

rpcclient can help retrieve details about this server. Log in with an anonymous user :

rpcclient -U "" server_name

Once logged in, run either of these commands :

srvinfo
querydominfo

To leave rpcclient, run the quit command.

If you were able to log in and any of the commands displayed details, then CIFS null sessions are permitted.

To disable it, add the following parameters to your smb.conf file :

guest account = nobody
restrict anonymous = 1

Check Samba configuration file syntax with :

testparm smb.conf

Restart Samba daemons :

service smb restart
service nmb restart
service winbind restart

Run once again any of the commands within a new rpcclient session.
No information should be available now.

Disabling TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32) in Apache in CentOS 7.2.1511

To disable TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32) in Apache in CentOS 7.2.1511, remove any 3DES (DES-based, 64-bit block) ciphers from the SSLCipherSuite line of your Apache ssl configuration file :

[root@localhost:~]# cat /etc/httpd/conf.d/ssl.conf
SSLHonorCipherOrder on
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

Make sure that your httpd config file syntax is OK :
[root@localhost:~]# apachectl configtest

Restart your web server :
[root@localhost:~]# systemctl restart httpd.service

Run a nmap scan with ssl-enum-ciphers script enabled :

[root@localhost:~]# nmap --script ssl-enum-ciphers -p 443 server_fqdn |grep 3DES

No 3DES cipher should be listed.

Disabling TLS version 1.0 in Apache in CentOS 7.2.1511

To disable TLS version 1.0 in Apache in CentOS 7.2.1511, add -TLSv1 to the SSLProtocol directive in your Apache ssl configuration file :

[root@localhost:~]# cat /etc/httpd/conf.d/ssl.conf
SSLProtocol all -SSLv2 -SSLv3 -TLSv1

Make sure that your httpd config file syntax is OK :
[root@localhost:~]# apachectl configtest

Restart your web server :
[root@localhost:~]# systemctl restart httpd.service

Force a tlsv1 connection to your web server with openssl client s_client :

[root@localhost:~]# openssl s_client -connect server_fqdn:443 -tls1

If the output displays "alert handshake failure", then TLS version 1.0 has been disabled.

Disabling HTTP TRACE Method in Apache in CentOS 7.2.1511

To disable the HTTP TRACE method in Apache in CentOS 7.2.1511, set the TraceEnable directive to off.

[root@localhost:~]# echo 'TraceEnable off' >> /etc/httpd/conf.d/httpd.conf

Restart your web server :

[root@localhost:~]# systemctl restart httpd.service

Check now that HTTP TRACE requests are no longer allowed :

curl -v -X TRACE http://server_fqdn

If SSL/TLS is enabled :

curl -k -v -X TRACE https://server_fqdn

If you get a 405 HTTP response, then TraceEnable is off and the TRACE method is disabled.

Disabling RC4 cipher in Apache in CentOS 7.2.1511

To disable the RC4 cipher in CentOS 7.2.1511, exclude it from the SSLCipherSuite directive in your Apache ssl config.

Display the current configuration :

[root@localhost:~]# grep -vEi '^(#|$)' /etc/httpd/conf.d/ssl.conf

Update your ssl configuration :

SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4

Restart your Apache web server :

[root@localhost:~]# systemctl restart httpd.service

Test your new web server ssl configuration with openssl client s_client :

[root@localhost:~]# openssl s_client -cipher 'RC4' -connect server_fqdn:443

If the output displays "alert handshake failure", then the RC4 cipher has been disabled.
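As an added example (not from the original page), a POSIX sh audit that reads a copy of the httpd/ssl configuration and reports which of the Apache findings above (ETag, TLS 1.0, TRACE, RC4/3DES) are still present, so the file can be checked before a restart. The cipher test is a token heuristic on the SSLCipherSuite string rather than an OpenSSL expansion: it notes, for instance, that the RC4 fix above still leaves 3DES reachable through HIGH:MEDIUM. The sample configs and temp file names are constructed, not taken from any server.

```shell
#!/bin/sh
# Added example: offline audit of the directives behind the PCI findings above.
# Cipher check is a token heuristic: a positive RC4/3DES token, or a broad alias
# (ALL/DEFAULT/HIGH/MEDIUM) with no matching '!' exclusion, counts as "may be offered".
# Effective value of a directive: httpd lets the last occurrence win; comments are ignored.
directive() {  # $1 = config file, $2 = directive name (matched case-insensitively)
  grep -iE "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 |
    sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]*//'
}
cipher_allows() {  # $1 = SSLCipherSuite value, $2 = cipher keyword; true if $2 may be offered
  case ":$1:" in
    *":!$2:"*) return 1 ;;                                       # explicitly excluded
    *":$2:"*|*":+$2:"*) return 0 ;;                              # positively listed
    *":ALL:"*|*":DEFAULT:"*|*":HIGH:"*|*":MEDIUM:"*) return 0 ;;  # alias may contain it
  esac
  return 1
}
audit_httpd_conf() {  # $1 = config file; prints one FAIL line per finding, returns the count
  f=$1; n=0
  proto=$(directive "$f" SSLProtocol)
  case " $proto " in
    *" -TLSv1 "*) ;;                                             # explicitly removed
    *" -all "*) case " $proto " in *" +TLSv1 "*) n=$((n+1)); echo "FAIL TLSv1 re-enabled";; esac ;;
    *) n=$((n+1)); echo "FAIL SSLProtocol permits TLSv1: '$proto'" ;;
  esac
  suite=$(directive "$f" SSLCipherSuite)
  for weak in RC4 3DES; do
    cipher_allows "$suite" "$weak" && { n=$((n+1)); echo "FAIL SSLCipherSuite may offer $weak: '$suite'"; }
  done
  [ "$(directive "$f" TraceEnable | tr 'A-Z' 'a-z')" = off ] || { n=$((n+1)); echo "FAIL TraceEnable is not off"; }
  [ "$(directive "$f" FileETag | tr 'A-Z' 'a-z')" = none ] || { n=$((n+1)); echo "FAIL FileETag is not None"; }
  return $n
}
# Constructed sample configs (not copied from any server): the weak state and the hardened state.
WEAK=$(mktemp); HARDENED=$(mktemp); trap 'rm -f "$WEAK" "$HARDENED"' EXIT
cat > "$WEAK" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
TraceEnable on
EOF
cat > "$HARDENED" <<'EOF'
FileETag None
TraceEnable off
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
EOF
audit_httpd_conf "$HARDENED" && echo "hardened config: no findings"
audit_httpd_conf "$WEAK" || echo "weak config: $? finding(s)"
```

Point it at a copy of your real file with `audit_httpd_conf /path/to/ssl.conf`; a zero exit status means none of the four findings was detected, and the openssl s_client checks above remain the authoritative test of what the running server actually negotiates.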