Server security

Hello All,

After doing a scan from detectify to the server I find few critical vulnerabilities which I wanted to protect globally from server side by default.

Below screenshot from Detectify

I added below code to /etc/nginx/conf.d/xx.xxx.xxx.xx:xx.conf

Blockquote
erver {
listen xx.xxx.xxx.xx:xx default;
server_name _;
#access_log /var/log/nginx/xx.xxx.xxx.xx.log main;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection “1; mode=block”;

location / {
    proxy_pass  http://xx.xxx.xxx.xx:8080;

}
}

But does not seem to work after another scan server still show Cross Site Scripting (XSS) and other yellow critical.

Would you advise the best way to protect the server against these kind of attacks?

Many thanks

@Gras have you seen this site below for security settings?

https://syslink.pl/cipherlist/

Has Apache, Nginx, Exim, MySQL, Dovecot + more.
I have used these as a base for PCI compliance, some require a little tweaking to work with Hestia.

@salnz many thanks for this.
I have added apache and nginx .Would be great to have a guide to make server very secure or have these security by in config by default.

No problem @Gras most of the securing rules are at the site link and update to current standards.

my new configurations I have added to the end of the configuration files below lines:

/etc/apache2/apache2.conf

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
# Requires Apache 2.4.36 & OpenSSL 1.1.1
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
# Older versions
# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On

<IfModule mod_headers.c>
  <Directory />
    Header always set X-XSS-Protection "1; mode=block"
    Header always set x-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;"
    Header always set Referrer-Policy "strict-origin"
  </Directory>
</IfModule>

# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

/etc/nginx/nginx.conf inside http {

ssl_protocols TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

Please can you give me your outcome to see if it is the correct way to setup?

thank you

My rules are very strict maybe too strict but need for PCI and get A+ rating, I will check my Apache settings and they are all for Hestia

Nginx

add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy same-origin;
add_header X-XSS-Protection “1; mode=block”;
add_header Expect-CT ‘max-age=60’;
add_header X-Permitted-Cross-Domain-Policies master-only;
add_header Strict-Transport-Security ‘max-age=31536000; includeSubDomains; preload’;
add_header Content-Security-Policy “default-src ‘self’;”;
add_header Content-Security-Policy-Report-Only “default-src ‘self’”;
add_header Feature-Policy “geolocation ‘none’; camera ‘none’; speaker ‘none’;”;

For Exim

tls_require_ciphers = SECURE256:-ARCFOUR-128:-AES-128-CBC:-CAMELLIA-128-CBC:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:+VERS-TLS1.2

Part 1

Nginx
add under PCI section

ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_buffer_size 1400;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers “EECDH+AESGCM:EDH+AESGCM”;
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
resolver 8.8.8.8 8.8.4.4 valid=300s ipv6=off;
resolver_timeout 5s;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy same-origin;
add_header X-XSS-Protection “1; mode=block”;
add_header Expect-CT ‘max-age=60’;
add_header X-Permitted-Cross-Domain-Policies master-only;
add_header Strict-Transport-Security ‘max-age=31536000; includeSubDomains; preload’;
add_header Content-Security-Policy “default-src ‘self’;”;
add_header Content-Security-Policy-Report-Only “default-src ‘self’”;
add_header Feature-Policy “geolocation ‘none’; camera ‘none’; speaker ‘none’;”;

Apache
Under conf-enabled folder in apache2 file security.conf the first 2 are near the top

ServerTokens Prod

ServerSignature Off

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM

Requires Apache 2.4.36 & OpenSSL 1.1.1

SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security “max-age=63072000; includeSubDomains; preload”
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff

Requires Apache >= 2.4

SSLCompression off
SSLUseStapling on
SSLStaplingCache “shmcb:logs/stapling-cache(150000)”

Requires Apache >= 2.4.11

SSLSessionTickets Off

Setting this header will prevent MSIE from interpreting files as something
else than declared by the content type in the HTTP headers.
Requires mod_headers to be enabled.

Header set X-Content-Type-Options: “nosniff”

Part 2.

Apache.conf

Global configuration

PidFile ${APACHE_PID_FILE}
Timeout 30
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 10
Header set Access-Control-Allow-Origin “*”
SSLProtocol TLSv1.2

Further down change this to the below

HostnameLookups Off

Server fails with above when add just below Global confifuration

Access-Control-Allow-Origin could be a bad idea any third site now every site could create a Ajax request to your website and include any thing with it…

Unless you need it (for an app, website, client) I suggest disable it…

1 Like

as @eris pointed out you don’t need that setting, I think that setting I had to test cdn provider but later removed as was better without it and more secure.

You need to change the configs above to match your use / server or vps requirements. The above is running on Ubuntu 18.0.4. I also have latest apache2 installed not standard Hestia installed one.

Just remove these from apache2.conf if you added it
Header set Access-Control-Allow-Origin “*”
SSLProtocol TLSv1.2

1 Like

This is a useful tool too.

https://ssl-config.mozilla.org/

I’m now seeing that since the last time I visited, it also has configs for exim, dovecot etc!

I will probably open a separate issue on Github to track this one, but just wanted to quickly make a note that HestiaCP’s passwd file for mail accounts (used by Dovecot for IMAP/POP auth and Exim4) uses MD5-CRYPT:

/etc/dovecot/conf.d/auth-passwdfile.conf.ext: args = scheme=MD5-CRYPT username_format=%n /etc/exim4/domains/%d/passwd

I’m not sure about the current state of salted MD5 shadow file decryption, but I think it is recommended to use something better, like SHA256-CRYPT

Ref: https://wiki1.dovecot.org/Authentication/PasswordSchemes

PS: The MD5 vs SHA256 issue would only be of concern in case the HestiaCP server gets hacked, because the salted MD5 can be cracked with tools like “john”.

1 Like

thank you for this useful information. Since i have been trying several configs and possible finding out few things and questions are coming up

  1. what is the difference between
    /etc/apache2/conf.d/ip.conf
    and
    /etc/apache2/apache.conf

  2. I’ve been trying to change this file
    /etc/apache2/conf.d/ip.conf
    and created a backup for ip.conf_backup_original
    however on first trial the ip.conf did not work and therefore I sudo cp ip.conf_backup_original ip.conf back to normal.
    Afterwards noticed apache service was not starting until i did sudo service apache2 status and noticed the server was trying to start with the backup file.
    Why did not pick the correct file name ip.conf ? what triggers this sudden change to ip.conf_backup? The solution was to remove the backup file.

/etc/apache2/conf.d/ ip.conf

Is the settings for that specific ip in case you have multiple ip adress you can run different “settings” on each ip if you want / demand. Due to the changes of SSL certificates it is not anymore required to require a IP address for each certificate (read few years ago)

Also to allow flexibility for the user and why not?

  1. In Apache2.conf you see
    Include conf.d/
    IncludeOptional conf.d/domains/*.conf

This will mean all files are inlcuded in the “apache2” even ip.with_non_standaard extensions or even Radom.string.that.could.be.causing .errors.nothing

good clarification. I have to be cautious with backup files. any advise on this ? how would you do with backup files if experimenting different configs?

Modify Include conf.d/
to

Include conf.d/*.conf

You are save. I think we should consider to change it maybe could you create a issue/bug report?

nice added my first issue/bug report :slight_smile: thanks

Hello All,

I have added below headers to /etc/apache2/conf-enabled/security.conf but they do not seem to work

Do I need to activate or include this folder into /etc/apache2/apache2.conf ?

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff

SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLSessionTickets Off

Could be, Just check if in apache2.conf conf-enabled is loaded