Getting more details about Red Hat Security Advisories and related CVEs

Two links for an in-depth explanation regarding Red Hat backporting security fixes process as well as compatibility between Red Hat security advisories and Mitre CVEs.

Backporting Security Fixes

Red Hat and CVE compatibility

Red Hat provides free access to two databases for errata and for CVE referenced in Red Hat products :

Red Hat Product Errata database

Red Hat CVE Database

Fail2ban

Per Fail2ban main page, Fail2ban is the de facto tool to have to monitor malicious access attempts on your server and ban source IPs if need be.

The 2 presentations presents Fail2Ban’s history and features in a very-well manner :

Fail2Ban – Keep your boxes skiddie-free

Fail2ban : from personal to community-driven

Github’s project page

Upgrade a rpm package on a couple of servers with a quick one-liner in Ansible

Upgrade a rpm package on a couple of servers with a quick one-liner in Ansible :

export ANSIBLE_INVENTORY=servers_list
ansible all -b --ask-become-pass -m yum "name=bash state=latest"

servers_list is the text file listing your servers.
Using the ANSIBLE_INVENTORY variable overrides the use of a generate inventory.
This one-liner makes use of the yum Ansible module.
Running sudo commands is possible with these options -b and –ask-become-pass

Disabling TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32) in Apache in CentOS 7.2.1511

To disable TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32) in Apache in CentOS 7.2.15111, remove any DES-based ciphers in your Apache ssl configuration file :

[root@localhost:~]# cat /etc/httpd/conf.d/ssl.conf
SSLHonorCipherOrder on
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

Make sure that your httpd config file syntax is OK :
[root@localhost:~]# apachectl configtest

Restart your web server :
[root@localhost:~]# systemctl restart httpd.service

Run a nmap scan with ssl-enum-ciphers script enabled :

[root@localhost:~]# nmap --script ssl-enum-ciphers -p 443 server_fqdn |grep 3DES

No DES-based ciphers should be displayed.

Disabling TLS version 1.0 in Apache in CentOS 7.2.1511

To disable TLS version 1.0 in Apache in CentOS 7.2.1511, update your Apache ssl configuration file with this option -TLSv1 :

[root@localhost:~]# cat /etc/httpd/conf.d/ssl.conf
SSLProtocol all -SSLv2 -SSLv3 -TLSv1

Make sure that your httpd config file syntax is OK :
[root@localhost:~]# apachectl configtest

Restart your web server :
[root@localhost:~]# systemctl restart httpd.service

Force a tlsv1 connection to your web server with openssl client s_client :

[root@localhost:~]# openssl s_client -connect server_fqdn:443 -tls1

If the output displays “alert handshake failure“, then tls version 1.0 has been disabled.

Disabling HTTP TRACE Method in Apache in CentOS 7.2.1511

To disable HTTP TRACE Method in Apache in CentOS 7.2.1511, enable the TraceEnable directive.

[root@localhost:~]# echo 'TraceEnable off' >> /etc/httpd/conf.d/httpd.conf

Restart your web server :

[root@localhost:~]# systemctl restart httpd.service

Check now that performing HTTP TRACE requests is no more allowed :

curl -v -X TRACE http://server_fqdn

If SSL/TLS is enabled :

curl -k -v -X TRACE https://server_fqdn

If you get a 405 HTTP response, then TraceEnable is off.