Skip to main content

Vulnerbilities affecting Web and Mail Servers - Logjam-Freak

By Er.Susheel

 Recently we came across a vulnerability know as Logjam which according to researchers any attacker or Man in the middle can exploit weak Diffie–Hellman key Algorithm.

this vulnerability has denoted with CVE number as CVE-2015-4000. 


How DH Algorithm gets exploited


Traditionally, secure encrypted communication between two parties (here browser and servers) required that they first exchange keys by some secure physical channel.The Diffie–Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure channel. 

 Here attacker can force the communication between the server and browser to downgrade to lower bit export grade cryptography.

 The attackers can attacks any servers that support DHE_EXPORT ciphers and affects mostly all browsers.

Recommendation :


1) Disable Export Cipher Suites


Even though modern browsers no longer support export suites, the FREAK and Logjam attacks allow a man-in-the-middle attacker to trick browsers into using export-grade cryptography, after which the TLS connection can be decrypted. No modern clients rely on export suites and there is little downside in disabling them.

 Put below Cipher in your configurations ,this cipher will support wide range of clients thus this configuration is default and is recommended by Mozilla community.

 ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA





2)Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE) Cipher


   above Cipher will enable ECDHE also

3) Use a Strong, Diffie Hellman Group


 Current DH bit is of 1024,so you need to generate custom  2048  bit DH parameters different from Oakley group 2 (in this group Diffie-Hellman exchange is negotiated)

 To Generate the Strong DH group use below command on your linux machine.

openssl dhparam -out dhparams.pem 2048




The command will take some time to generate,once its done, use dhparams.pem in your configuration and reload the services.






Services which need to be updated with Ciphers and custom DH groups we just generated.



 lighttpd

Tomcat

Postfix

Sendmail

Dovecot

HAproxy

Openssh





====================================X============X=================================================



Contact support@linuxforeveryone for any Freelancing work on Linux Servers



Subscribe my YouTube Channel 



Like My Facebook Page 



Browse the Best in class Web Hosting Plans













Labels:

































Comments









  1. AnonymousWednesday, November 25, 2015 at 3:15:00 PM PST
    Nice article, one question. do i have to generate the pem on the same server where i have to fix the issue or it can be generated anywhere ?
    ReplyDelete
  2. Er.SusheelThursday, December 3, 2015 at 11:23:00 AM PST
    The PEM file can be generated on any server.
    ReplyDelete
  3. garecaffertyThursday, March 3, 2022 at 11:59:00 PM PST
    How to withdraw winnings from online casino - JT Hub
    Betway Casino bonus 경기도 출장안마 codes | 속초 출장샵 Betway online 부천 출장마사지 casino no deposit bonus code for 2021 | Betway casino bonus codes | Betway online 목포 출장샵 casino 이천 출장마사지 free spins no deposit
    ReplyDelete











Post a Comment






























Popular posts from this blog



















Multiple instances of redis












By


Er.Susheel




















    In the last post I have covered how to install redis server on Centos/Rhel using rpm method and yum method and some troubleshooting skills.   In this post i am going to cover how to install and configure redis to run with multiple ports.                                                                                  But why we need more ports ?        If you have read my earlier post , you already know that by default redis runs on single port 6379, which any one can use it for small website to cache the data. But for heavy website like magento we need to use additional ports along with 6379 to serve different cache from different ports.   Like in Magento there is simple cache which is normally stored under /var/cache directory. Then there is Full Page Cache which is stored under /var/full_page_cache...




















35 comments









Read more






























arbtd: Package isn't signed with proper key












By


Linux For Every One




















  If you are System Admin and worked on linux machine or servers in your current job or in past. Chances are you might come across linux service abrtd, even if you have not worked on it. but might be through some other work. same thing happened to me, while I was doing my regular work of installing php packages on linux  servers , i came across this error for which spent couple of hours actually to resolve it. T he error was 




















Post a Comment









Read more






























Solution and Step to fix CVE-2019-5736 Vulnerability - Docker












By


Linux For Every One




















 Recently a new vulnerability has been discovered in the the internet market having target to Docker services.    What is this Vulnerability:    In short, Docker service uses another service called as runc which is container run time to spawn and run containers. which simply means if docker task is to create docker images then runc task would be running them and attaching a process to container.   So as per the recent discovery by the maintainers of runc, the code of this service was having some bug which can be used by attackers to gain the root level of access of the host machine on which docker containers are running.        How it can be Exploited:    This vulnerability can be exploited in two ways (1) if the docker images are in use is vulnerable making the containers build from it vulnerable also (2) if somehow attacker got the access of containers and then trying to exploit using the bug present in runc and trying to get root privileges.     Solution to Fix Vulnerability:     Ce...




















1 comment









Read more