https://quicktasks.ismael.casimpan.com/tags/hardening/Recent content in hardening on IT QuicktasksHugo -- gohugo.ioCopyright © 2018–2022, Ismael Casimpan Jr.; All Rights ReservedSun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/hardened-ssl-cert/Sun, 07 Jun 2020 00:20:25 +0800https://quicktasks.ismael.casimpan.com/post/hardened-ssl-cert/ Apache 1SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 2SSLProtocol All -SSLv2 -SSLv3 3SSLHonorCipherOrder On 4Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" 5Header always set X-Frame-Options SAMEORIGIN 6Header always set X-Content-Type-Options nosniff 7# Requires Apache >= 2.4 8SSLCompression off 9SSLSessionTickets Off 10SSLUseStapling on 11SSLStaplingCache "shmcb:logs/stapling-cache(150000)" Nginx 1ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 2ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 3ssl_prefer_server_ciphers on; 4ssl_session_cache shared:SSL:10m; 5# 'always' requires nginx >= 1.7.5, see http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header 6add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always; 7add_header X-Frame-Options SAMEORIGIN always; 8add_header X-Content-Type-Options nosniff always; 9ssl_session_tickets off; 10ssl_stapling on; # Requires nginx >= 1.https://quicktasks.ismael.casimpan.com/post/hardening-mysql/Sun, 08 Apr 2018 23:31:14 +0800https://quicktasks.ismael.casimpan.com/post/hardening-mysql/ 1icasimpan@am2018:~$ sudo mysql_secure_installation 23Securing the MySQL server deployment. 45Connecting to MySQL using a blank password. 67VALIDATE PASSWORD PLUGIN can be used to test passwords 8and improve security. It checks the strength of password 9and allows the users to set only those passwords which are 10secure enough. Would you like to setup VALIDATE PASSWORD plugin? 1112Press y|Y for Yes, any other key for No: Y 1314There are three levels of password validation policy: 1516LOW Length >= 8 17MEDIUM Length >= 8, numeric, mixed case, and special characters 18STRONG Length >= 8, numeric, mixed case, special characters and dictionary file 1920Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 8 2122Invalid option provided.