CPM instance hardening for vulnerability scans

To perform the operations below, connect to the instance over SSH using your assigned private key and the username "cpmuser".

1) (Only in v2.3 and up) To enforce the use of TLS 1.2, edit the file /etc/apache2/mods-enabled/ssl.conf.
Replace this line:
SSLProtocol all -SSLv3
With this:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

Then restart Apache:
sudo service apache2 restart

Please note that after this change, remote Agents older than v2.3 will no longer be able to connect, because they do not support TLS 1.2.

2) To disable vulnerable ciphers and MAC algorithms in SSH, please edit the file /etc/ssh/sshd_config.
Add the following 2 lines:
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
and
for v2.5.x and earlier:
macs hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com
for v2.6.x and later:
macs hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com

Then restart the SSH service:
sudo service ssh restart

3) If you need to install a CA SSL certificate, here are the instructions:
a) Replace the 2 files in /opt/n2wsoftware/cert folder: cpm_server.crt and cpm_server.key
b) You will need "sudo" to access this folder. Keep the ownership and permissions of the existing files (copying over them with "cp" preserves the existing mode and owner).
c) At the end type:
sudo service apache2 restart

4) If you are using CPM older than v2.3, you can disable vulnerable ciphers in Apache by making the following changes in /etc/apache2/mods-available/ssl.conf:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on

Then restart the "apache2" service:
sudo service apache2 restart
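The edits in steps 1 and 2 can be rehearsed on copies of the config files and audited before anything is restarted. The script below is an added example, not N2WS's own tooling; it assumes the v2.6.x-and-later MAC list (substitute the v2.5.x list from step 2 for older releases) and takes file paths as parameters so it can be tested outside /etc first.

```shell
#!/bin/sh
# Added example (not part of the N2WS KB or product). Applies the SSLProtocol,
# Ciphers and MACs settings from steps 1 and 2 to the given files and audits
# the result. Assumes the v2.6.x-and-later MAC list from step 2.
set -u

HARDENED_PROTO='SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1'
SSH_CIPHERS='ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
SSH_MACS='macs hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com'

# Step 1: rewrite the SSLProtocol line in ssl.conf. Running it twice leaves
# the file unchanged, since the hardened line no longer matches the pattern.
harden_ssl_protocol() {
  sed "s/^SSLProtocol all -SSLv3\$/$HARDENED_PROTO/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 2: append the Ciphers and MACs lines to sshd_config unless a directive
# is already present (OpenSSH keywords are case-insensitive, hence grep -i).
harden_sshd() {
  grep -qi '^ciphers ' "$1" || printf '%s\n' "$SSH_CIPHERS" >> "$1"
  grep -qi '^macs '    "$1" || printf '%s\n' "$SSH_MACS"    >> "$1"
}

# Audit helpers: exit status 0 only when the hardened settings are in place
# and no weak MAC or cipher family is listed.
check_ssl_protocol() { grep -qx "$HARDENED_PROTO" "$1"; }
check_sshd() {
  grep -qi '^ciphers ' "$1" && grep -qi '^macs ' "$1" &&
  ! grep -Ei '^macs .*(hmac-md5|hmac-sha1|umac-64)' "$1" &&
  ! grep -Ei '^ciphers .*(3des|arcfour|-cbc)' "$1"
}

# On the real instance: check syntax first, restart only if both pass.
validate_and_restart() {
  sudo apache2ctl configtest && sudo service apache2 restart
  sudo sshd -t && sudo service ssh restart
}
```

Run the harden_* functions against /etc/apache2/mods-enabled/ssl.conf and /etc/ssh/sshd_config with sudo once the audit passes on copies, then call validate_and_restart.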

5) Follow this KB to update Ubuntu with all the latest security updates: https://support.n2ws.com/portal/kb/articles/how-to-update-the-ubuntu-distribution-on-the-cpm-instance