Amazon ELB Protocols & Ciphers for PCI Compliance

If you are terminating SSL on Amazon’s Elastic Load Balancer and need PCI Compliance, these are the protocols and ciphers I used that passed PCI Compliance.

SSL Protocols

  • Protocol-SSLv3
  • Protocol-TLSv1.1
  • Protocol-TLSv1.2

SSL Ciphers

  • AES128-SHA
  • AES256-SHA
  • DES-CBC3-SHA

Adding RC4-MD5 and RC4-SHA (and a few others) will not fail a PCI scan; however, they come up as low-severity vulnerabilities with CVSS scores averaging 2.6. I was aiming for an all-zeros scan result.
Not enabling them had no knock-on effects.

You can also run the Qualys SSL Labs test (https://www.ssllabs.com/ssltest/) to check your protocols and ciphers before running a full PCI scan.

Using the SSL Labs test tool and Nessus I was able to achieve an all-zeros PCI scan and an A rating on the SSL certificate test.

SSH Error – ssh-error-trying-to-get-more-bytes-4-than-in-buffer-0

I’ve bumped into this message a few times on different servers. The message offers no insight into why you can’t connect to the remote server over SSH.
It usually means the ~/.ssh/authorized_keys file is corrupt, for example a single incorrect or corrupt line in the file. I’d recommend stepping through it line by line to find the offending line.
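One way to do that line-by-line check automatically, as an added example that is not part of the original post: a small Python script that reads an authorized_keys file and reports every line that is not blank, not a comment, and not of the shape sshd expects ([options] key-type base64-blob [comment]). It verifies the base64 decodes and that the key type embedded in the decoded blob matches the declared type, which catches truncated pastes and mixed-up keys. The sample file at the bottom is constructed and the embedded key bytes are placeholders, not a real key; the set of recognised key types is an assumption and can be extended.

```python
"""Validate an OpenSSH authorized_keys file line by line (added example)."""
import base64
import binascii
import shlex
import struct

# Key types recognised here (assumption); extend if you use others, e.g. FIDO sk-* keys.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def make_sample_ed25519_line(comment: str = "constructed") -> str:
    """Build a syntactically valid ssh-ed25519 line from 32 placeholder bytes (not a real key)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def check_line(line: str):
    """Return None if the line is acceptable, otherwise a short description of the fault."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None  # sshd ignores blank lines and comments
    try:
        tokens = shlex.split(stripped)  # keeps quoted options such as command="..." together
    except ValueError as exc:
        return f"unbalanced quotes: {exc}"
    idx = next((i for i, tok in enumerate(tokens) if tok in KEY_TYPES), None)
    if idx is None:
        return "no recognised key type"
    if idx + 1 >= len(tokens):
        return "key type is not followed by key data"
    declared = tokens[idx]
    try:
        blob = base64.b64decode(tokens[idx + 1], validate=True)
    except (binascii.Error, ValueError) as exc:
        return f"key data is not valid base64 ({exc})"
    if len(blob) < 4:
        return "decoded key blob is too short"
    (name_len,) = struct.unpack(">I", blob[:4])
    if name_len > len(blob) - 4:
        return "decoded key blob is truncated"
    embedded = blob[4:4 + name_len].decode("ascii", "replace")
    if embedded != declared:
        return f"declared type {declared} but blob contains {embedded}"
    return None


def check_authorized_keys(text: str):
    """Return [(line_number, problem), ...] for every faulty line in the file text."""
    problems = []
    for number, line in enumerate(text.splitlines(), start=1):
        problem = check_line(line)
        if problem:
            problems.append((number, problem))
    return problems


# Constructed sample file: a comment and two good entries, then three broken lines.
_GOOD_B64 = make_sample_ed25519_line().split()[1]
SAMPLE = "\n".join([
    "# constructed sample authorized_keys",
    make_sample_ed25519_line("laptop"),
    'command="/usr/bin/uptime",no-pty ' + make_sample_ed25519_line("restricted"),
    "ssh-ed25519 " + _GOOD_B64[:-2] + " truncated-paste",      # base64 cut short
    "ssh-rsa not-base64!! garbage",                            # junk where the key should be
    "ssh-rsa " + _GOOD_B64 + " type-mismatch",                 # ed25519 blob labelled ssh-rsa
])

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for number, problem in check_authorized_keys(text):
        print(f"line {number}: {problem}")
```

Run it as `python3 check_authorized_keys.py ~/.ssh/authorized_keys` on the affected account; with no argument it checks the built-in sample and reports lines 4, 5 and 6. Fix or remove the reported lines and try the SSH connection again.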


How to Disable SSL 2.0 in IIS 7 (and 7.5)

Disabling SSL 2.0 in IIS is a critical requirement to pass PCI Certification. I have no idea why IIS 7 ships with it still enabled, perhaps for super old browsers? We should only use stronger SSL 3.0 or TLS 1.0.

Here’s how to disable it in IIS 7 and IIS 7.5.

SSH Timeouts on DOCSIS 3 (Virgin Media 50Mb, 100Mb, 120Mb)

Since moving to Virgin’s 120Mb Broadband my SSH connections would drop after 30 seconds of inactivity. This made some grey hairs appear on the side of my head.

This happens due to the way Virgin handles Internet traffic on their DOCSIS 3 network, as opposed to the lower broadband speeds that use the DOCSIS 1 network.

I’ve managed to solve this by altering the client timeout parameters in the sshd config on each server.

Disabling Dangerous PHP Functions in a Shared Environment

PHP is an incredibly versatile language, and if used in the wrong way, either maliciously or by accident, it has the potential to mess up an entire web server. This can be a major problem if you are offering a shared hosting environment.

There is an often overlooked php.ini setting called disable_functions at hand.

tcptrack

tcptrack is a sniffer which displays information about the TCP connections it sees on a network interface. It passively watches for connections on the interface, keeps track of their state and displays a list of connections in a manner similar to the Unix ‘top’ command. It shows source and destination addresses and ports, connection state, idle time and, most impressively, bandwidth usage.

A server admin must have.


cPanel Apache Tuning

One of the first things I do is run /scripts/easyapache and rebuild my PHP / Apache configuration.
I usually select Apache 2.2 and PHP 5.2.9. At the time of writing I stay away from the 5.3 versions, as they aren’t yet well enough supported by programs and programmers.

Although this guide was originally inspired by a cPanel install, it’s Apache-specific and doesn’t require cPanel.
