server-side-tls
tinyssh
server-side-tls | tinyssh | |
---|---|---|
37 | 8 | |
1,119 | 1,389 | |
0.2% | - | |
2.5 | 5.0 | |
about 2 months ago | 10 days ago | |
HTML | C | |
Mozilla Public License 2.0 | Creative Commons Zero v1.0 Universal |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
server-side-tls
- Mozilla SSL Configuration Generator
-
Always updated, latest crypto best-practice documents
Not a document, but there's the Mozilla SSL configurator that's updated with best practices every time they change.
-
Traefik doesn't work, NPM does
http: ## EXTERNAL ROUTING - Only use if you want to proxy something manually ## routers: ## SERVICES ## services: ## MIDDLEWARES ## middlewares: # Only Allow Local networks local-ipwhitelist: ipWhiteList: sourceRange: - 127.0.0.1/32 # localhost - 192.168.1.1/24 # LAN Subnet # Security headers securityHeaders: headers: customResponseHeaders: X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex" X-Forwarded-Proto: "https" server: "" customRequestHeaders: X-Forwarded-Proto: "https" sslProxyHeaders: X-Forwarded-Proto: "https" referrerPolicy: "same-origin" hostsProxyHeaders: - "X-Forwarded-Host" contentTypeNosniff: true browserXssFilter: true forceSTSHeader: true stsIncludeSubdomains: true stsSeconds: 63072000 stsPreload: true # Only use secure ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.6.0&config=intermediate&guideline=5.6 tls: options: default: minVersion: VersionTLS12 cipherSuites: - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- Securing your VPS - the lazy way
-
SSL Bridging with Exchange 2019 issues
global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners stats timeout 30s user haproxy group haproxy daemon # Default SSL material locations ca-base /etc/ssl/certs crt-base /etc/ssl/private # generated 2023-04-23, Mozilla Guideline v5.6, HAProxy 2.2.9-2, OpenSSL 1.1.1n, intermediate configuration # https://ssl-config.mozilla.org/#server=haproxy&version=2.2.9-2&config=intermediate&openssl=1.1.1n&guideline=5.6 # intermediate configuration ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam ssl-dh-param-file /etc/ssl/dhparam2048 defaults log global mode http option httplog option dontlognull timeout connect 5000 timeout client 50000 timeout server 50000 errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http listen stats bind *:9090 stats enable stats uri /stats stats auth 12345678:12345678 stats refresh 30s stats show-legends #----------------------- # Front-end section # ------------------- # frontend fe_mail # receives traffic from clients bind :80 http-response set-header X-Frame-Options SAMEORIGIN http-response set-header X-Content-Type-Options nosniff http-response set-header Strict-Transport-Security max-age=63072000 mode http redirect scheme https code 301 if !{ ssl_fc } bind :443 ssl crt /etc/ssl/certs/exchange_certificate_and_key_nopassword.pem alpn h2,http/1.1 # Exchange Admin Center ACL List acl whitelist src 1.2.3.4/32 acl ecp_req url_beg /ecp http-request deny if ecp_req !whitelist acl xmail hdr(host) -i exchange.external-fqdn.co.uk acl autodiscover url_beg /Autodiscover acl autodiscover url_beg /autodiscover acl mapi url_beg /mapi acl rpc url_beg /rpc acl owa url_beg /owa acl owa url_beg /OWA acl eas url_beg /Microsoft-Server-ActiveSync acl eas url_beg /Microsoft-Server-activeSync acl ecp url_beg /ecp acl ews url_beg /EWS acl ews url_beg /ews acl oab url_beg /OAB acl default_for_mail url_beg / use_backend be_ex2019_owa if xmail owa use_backend be_ex2019_autodiscover if xmail autodiscover use_backend be_ex2019_mapi if xmail mapi use_backend be_ex2019_activesync if xmail eas use_backend be_ex2019_ews if xmail ews use_backend be_ex2019_rpc if xmail rpc use_backend be_ex2019_default if xmail default_for_mail frontend fe_exchange_imaps mode tcp option tcplog bind :993 name imaps default_backend be_exchange_imaps frontend fe_exchange_smtp mode tcp option tcplog bind :25 name smtp default_backend be_exchange_smtp frontend fe_exchange_smtps mode tcp option tcplog bind :587 name smtps default_backend be_exchange_smtps #------------------------------ # Back-end section #------------------------------ backend be_ex2019_autodiscover mode http server mail exchange.internal-fqdn.co.uk:443 check ssl verify none backend be_ex2019_mapi mode http server mail exchange,internal-fqdn.co.uk:443 check ssl verify none backend be_ex2019_rpc mode http server mail exchange.internal-fqdn.co.uk:443 check ssl verify none backend be_ex2019_owa mode http server mail exchange.internal-fqdn.co.uk:443 check ssl verify none backend be_ex2019_activesync mode http server mail exchange.internal-fqdn.co.uk:443 check ssl verify none backend be_exchange_imaps mode tcp server mail exchange.internal-fqdn.co.uk:993 backend be_ex2019_ews mode http server mail exchange.internal-fqdn.co.uk:443 check ssl verify none backend be_ex2019_default mode http server mail exchange.internal-fqdn.co.uk:443 check ssl verify none backend be_exchange_smtp mode tcp server mail exchange.internal-fqdn.co.uk:25 backend be_exchange_smtps mode tcp server mail exchange.internal-fqdn.co.uk:587
- Nginx not listening on port 81
-
Cipher Advice Please!
Mozilla has a nice tool for this https://ssl-config.mozilla.org/
-
Working Nginx Configuration Dump: Calibre-Web, Coturn, LittleLinkCustom/LinkStack, Matrix, Nextcloud, Plex, and TikiWiki
# specify time period during which the SSL session can be reused ssl_session_timeout 10m; # enable SSL session caching, you can also place this in your default site config. #Note: if you enabled caching in multiple configs nginx will not load. ssl_session_cache shared:SSL:60m; server { listen 80; server_name plex.domain.com; return 301 https://$server_name$request_uri; } #Upstream to Plex upstream plex_backend { #Set this to the IP address that appears in `ifconfig` (NATTED LAN IP or Public IP address) if you want the bandwidth meter in the server status page to work server 127.0.0.1:32400; keepalive 32; } server { send_timeout 100m; #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause (e.g. Chrome) #Faster resolving, improves stapling time. Timeout and nameservers may need to be adjusted for your location Google's have been used here. resolver 8.8.4.4 8.8.8.8 valid=300s; resolver_timeout 10s; # define default SSL options ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384. ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:E> #Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/ ssl_stapling on; ssl_stapling_verify on; #For letsencrypt.org you can get your chain like this: https://esham.io/2016/01/ocsp-stapling ssl_trusted_certificate /etc/letsencrypt/live/plex.domain.com-0001/chain.pem; #Reuse ssl sessions, avoids unnecessary handshakes #Turning this on will increase performance, but at the cost of security. Read below before making a choice. #https://github.com/mozilla/server-side-tls/issues/135 #https://wiki.mozilla.org/Security/Server_Side_TLS#TLS_tickets_.28RFC_5077.29 #ssl_session_tickets on; ssl_session_tickets off; listen 443 ssl http2; listen [::]:443 ssl; server_name plex.domain.com; # These are the paths to your generated Let's Encrypt SSL certificates. ssl_certificate /etc/letsencrypt/live/plex.domain.com-0001/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/plex.domain.com-0001/privkey.pem; # managed by Certbot # To generate your dhparam.pem file, run `openssl dhparam -out /etc/nginx/dhparam.pem 2048` (without the quotes) in your terminal. ssl_dhparam /etc/nginx/dhparam.pem; ssl_ecdh_curve secp384r1; #add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; font-src 'self';"; #Will ensure https is always used by supported browsers which prevents any server-side http > https redirects, as the browser will internally correct any request to https. #Recommended to submit to your domain to https://hstspreload.org as well. #!WARNING! Only enable this if you intend to only serve Plex over https, until this rule expires in your browser it WONT BE POSSIBLE to access Plex via http, remove 'includeSubDomains;' if you only want it to effect your Plex (sub-)domain. #This is disabled by default as it could cause issues with some playback devices it's advisable to test it with a small max-age and only enable if you don't encounter issues. (Haven't encountered any yet) add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; #Plex has A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off. (Haven't encountered any yet) gzip on; gzip_vary on; gzip_min_length 1000; gzip_proxied any; gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml; gzip_disable "MSIE [1-6]\."; #Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones. #Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more client_max_body_size 0; error_log /var/log/nginx/openmediavault-plex_error.log error; access_log /var/log/nginx/openmediavault-plex_access.log combined; #Forward real ip and host to Plex proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; #When using ngx_http_realip_module change $proxy_add_x_forwarded_for to '$http_x_forwarded_for,$realip_remote_addr' proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions; proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key; proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version; #Websockets proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; #Disables compression between Plex and Nginx, required if using sub_filter below. #May also improve loading time by a very marginal amount, as nginx will compress anyway. #proxy_set_header Accept-Encoding ""; #Buffering off send to the client as soon as the data is received from Plex. proxy_redirect off; proxy_buffering off; location / { #Example of using sub_filter to alter what Plex displays, this disables Plex News. #sub_filter ',news,' ','; #sub_filter_once on; #sub_filter_types text/xml; proxy_pass http://plex_backend; } #PlexPy forward example, works the same for other services. #location /plexpy { #proxy_pass http://127.0.0.1:8181; #} }
- TLS Cipher Suite Hardening
-
disabling TLS 1.0, TLS 1.1 and weak ciphers
Mozilla SSL Configuration Generator
tinyssh
-
Ldd /usr/sbin/sshd – Alpine vs. Ubuntu for exploitability of CVE-2024-3094
While on topic of sshd having minimal dependencies, shout-out to Jan Mojžíš and his minimalist implementation:
https://github.com/janmojzis/tinyssh/
- Tinyssh
-
Large scale Internet SSH brute force attacks seem to have stopped here
> [after] hardening steps [...] most of the bots can't even negotiate a connection
Yep, same here, except I'm using [tinyssh], which organically does not support anything other than ed25519/curve25519, sha256, and chacha-poly.
[tinyssh] https://tinyssh.org/
-
OpenSSH 8.9
djb suggested that for openssh instead of the tinydns kex, so tinydns switched also:
https://github.com/janmojzis/tinyssh/issues/50
- tinyssh
- FreeBSD SSH Hardening
What are some alternatives?
laravel-echo-server - Socket.io server for Laravel Echo
dropbear - Dropbear SSH
lua-nginx-module - Embed the Power of Lua into NGINX HTTP servers
ssh-audit - SSH server & client security auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
awesome-tls-security - A collection of (not-so, yet) awesome resources related to TLS, PKI and related stuff
Samba - https://gitlab.com/samba-team/samba is the Official GitLab mirror of https://git.samba.org/samba.git -- Merge requests should be made on GitLab (not on GitHub)
CryptoLyzer - CryptoLyzer is a fast, flexible and comprehensive server cryptographic protocol (TLS, SSL, SSH, DNSSEC) and related setting (HTTP headers, DNS records) analyzer and fingerprint (JA3, HASSH tag) generator with Python API and CLI/.
testssl.sh - Testing TLS/SSL encryption anywhere on any port
njs - An official read-only mirror of http://hg.nginx.org/njs/ which is updated hourly.
yubikey-agent - yubikey-agent is a seamless ssh-agent for YubiKeys.
ssh-tarpit - SSH tarpit that slowly sends an endless banner