Hardened Kernels / Secured Images Series on AWS / Azure / GCP(Google Cloud)
While there are so many messages being floated around for end to end security, let us talk about the actual implementation of hardened kernels or secured images on azure and AWS with enhanced security.
The beauty of technology is in the end to end simplicity of execution. So,What it implies: I do not want to throw lot of big techy words to you to show off how much I know. This is not simplicity. It just shows my insecurity 🙂 so let us keep it simple.
What do we need?
The need is to implement Forward Secrecy in your server.
What a x509 certificate based security does,
A) Client used the public key of the server to encrypt the data and send it to the Server.
B) The server has the private key to decrypt this information. No issues , right?
But what if at this point, Somebody steals the private key, it then exposes all saves SSL sessions and future sessions from easy read.
To defeat, this what if this private key was changing everytime. Well since it is a combination of public/private key, we implement this in a different way ensuring that the KEY used to decipher changes every session.
This is simplistic form of end to end security and the Hype around end to end encryption. You can use this to hardned your web server like apache or Nginx. I am providing both of these. for users of other webservers, Just ping us, we shall help you.
PS: I am told by my support head that he has got a support forum coming out this month, well by the time you are reading this, if you can see it on right side.. then well he is a man of words 🙂
Implemeting SSL security On Apache
Let us configure your apache server. we want to implement Apache server for forward security. Requirement: Your webserver should support Elliptic Curve cryptography (ECC).
Minimum Required Versions for SSL/TLS library
- OpenSSL 1.0.1c+ / wait Given the recent Heartbleed bug and OpenSSl vulnerablity, min required version recommended by us is OpenSSL version 1.0.1hApache 2.4x
A) grep -i -r “SSLEngine” /etc/apache
B) This shall output all virtual hosts. Please go to Virtual hosts where you want to enable this. If you do not know where is your vhost file, believe me, this post is not for you 🙂 Just Joking. Go to vi /etc/apache2/sites-available/ you shall see all your vhost file.
C) Add following lines:
SSLProtocol all -SSLv2 -SSLv3 // enable SSL protocols
SSLHonorCipherOrder on // Enable order. remember the Beast !!!
SSLCipherSuite “EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4” // yes, i am disabling RC4. You might enable it at your own risk and a long lecture of why you should not do so.
D) service apache2 restart OR apachectl -k restart
Your Webserver is read for forward secrecy and the new hype of end to end security.
Nginx Configuration and implementation for SSL forward secrecy
A) The minimum support Nginx version is:
- OpenSSL 1.0.1c+( i have mentioned already the importance of Openssl 1.0.1h with heartbleed bug and other issues with openSSL security
- Nginx 1.0.6+ and 1.1.0+
B) grep -r ssl_protocol /etc/nginx // to get the available server blocks for nginx
C) ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
D) ssl_prefer_server_ciphers on;
E) ssl_ciphers “EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4”;
F) sudo service nginx restart // restart the service or if you are /etc/init.d fan then as per your wish and preference
And now your Azure image or AWS AMI is one step closer to be a hardened web server.