N2W Software

            CPM instance hardening for vulnerability scans

            To perform the operations below, connect to the instance over SSH using your assigned private key and the username "cpmuser".

            1) (Only in v2.3 and up) To enforce usage of TLS 1.2, please edit the file /etc/apache2/mods-enabled/ssl.conf.
            Replace this line:
            SSLProtocol all -SSLv3
            With this:
            SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

            Then restart Apache:
            sudo service apache2 restart

            Please note that after this change, all remote Agents older than v2.3 won't be able to connect anymore.

            2) To disable vulnerable ciphers and MAC algorithms in SSH, please edit the file /etc/ssh/sshd_config.
            Add the following 2 lines. The ciphers line:
            ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
            and the macs line that matches your CPM version.
            For v2.5.x and earlier:
            macs hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com
            For v2.6.x and later:
            macs hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com

            Then restart the SSH service:
            sudo service ssh restart

            3) If you need to install a CA SSL certificate, here are the instructions:
            a) Replace the 2 files in the /opt/n2wsoftware/cert folder: cpm_server.crt and cpm_server.key
            b) You will need to use "sudo" to reach this folder. Keep the ownership and permissions of the existing files (overwriting them with "cp" will do it).
            c) When done, type:
            sudo service apache2 restart

            4) If you are using CPM older than v2.3, you can disable vulnerable ciphers in Apache by making the following changes in /etc/apache2/mods-available/ssl.conf:
            SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
            SSLHonorCipherOrder on

            Then restart the "apache2" service:
            sudo service apache2 restart

            5) Follow this KB to update Ubuntu with all the latest security updates: https://support.n2ws.com/portal/kb/articles/how-to-update-the-ubuntu-distribution-on-the-cpm-instance
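
            An offline check for the edits in steps 1 and 2, added here as an example (not N2W's code): it compares the ciphers and macs lines of a config file against the lists above (the v2.6.x MAC list) and tests whether an SSLProtocol line in the "all -..." form still permits TLS 1.0/1.1. The function names and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Allow lists copied from the article (MAC list: v2.6.x and later).
ALLOWED_CIPHERS="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
ALLOWED_MACS="hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com"

# Print the value of the first active (uncommented) KEYWORD line in FILE.
# Keywords are matched case-insensitively; assumes one such line per file.
directive_value() {  # usage: directive_value FILE KEYWORD
  awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Print each algorithm in FILE's KEYWORD list that is not in ALLOWED, one per line.
# Prints "<KEYWORD missing>" if the directive is absent (sshd then uses its defaults).
off_list_algos() {  # usage: off_list_algos FILE KEYWORD ALLOWED
  value=$(directive_value "$1" "$2")
  if [ -z "$value" ]; then echo "<$2 missing>"; return 0; fi
  for algo in $(echo "$value" | tr ',' ' '); do
    case ",$3," in
      *",$algo,"*) ;;
      *) echo "$algo" ;;
    esac
  done
}

# Return 0 if the SSLProtocol line still permits TLS 1.0 or TLS 1.1.
# Assumes the "all -X -Y" form used in the article; a missing line counts as permitted.
tls_legacy_enabled() {  # usage: tls_legacy_enabled FILE
  proto=$(directive_value "$1" SSLProtocol)
  case " $proto " in *" -TLSv1 "*) ;; *) return 0 ;; esac
  case " $proto " in *" -TLSv1.1 "*) ;; *) return 0 ;; esac
  return 1
}

# Constructed sample configs (not taken from a real CPM instance).
write_samples() {  # usage: write_samples DIR
  printf '%s\n' '# constructed sample' 'Port 22' \
    'ciphers aes256-ctr,aes128-cbc,aes128-ctr' \
    'macs hmac-sha2-256,hmac-md5' > "$1/sshd_config"
  printf '%s\n' '# constructed sample' 'SSLProtocol all -SSLv3' > "$1/ssl_before.conf"
  printf '%s\n' '# constructed sample' 'SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1' > "$1/ssl_after.conf"
}

d=$(mktemp -d); write_samples "$d"
off_list_algos "$d/sshd_config" ciphers "$ALLOWED_CIPHERS"
off_list_algos "$d/sshd_config" macs "$ALLOWED_MACS"
tls_legacy_enabled "$d/ssl_before.conf" && echo "TLS 1.0/1.1 still enabled"
rm -rf "$d"
```

            On the instance, point the functions at /etc/ssh/sshd_config and /etc/apache2/mods-enabled/ssl.conf. Running "sudo sshd -t" and "sudo apache2ctl configtest" before the restarts catches syntax errors while the current SSH session is still open.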