Fixing Nessus complaints

1. DNS cache snooping

Thread devoted to this topic.

Final solution from /etc/named.conf:

// "clients" and "servers" are site ACLs defined elsewhere in named.conf (not shown here)
acl internal    { clients; servers; };
options {
   // only internal hosts may query the cache, so outsiders cannot snoop cached records
   allow-query { internal; };
   allow-recursion { any; };
};
// zones we are authoritative for stay answerable by anyone
// (type and file statements omitted in these notes)
zone "ourdom.com" {
   allow-query { any; };
};
zone "20.10.in-addr.arpa" {
   allow-query { any; };
};

2. Gopher support in Squid

Mail explaining the solution.

Final solution from /etc/squid/squid.conf:

# deny every gopher:// URL; this rule must come before the http_access allow rules
acl gopher url_regex ^gopher://
http_access deny gopher
# the original gopher lines, left commented out
#@@refresh_pattern ^gopher:   1440    0%      1440
#@@acl Safe_ports port 70     # gopher

3. Disable TRACE/TRACK in Apache

Add to /etc/httpd/conf/httpd.conf:

TraceEnable off

4. SSLv2 and weak ciphers

4.1. in Apache

Document on how to configure this.

Put this line in httpd.conf:

# -SSLv2 removes the SSLv2-only ciphers; mod_ssl's "SSLProtocol all -SSLv2" would additionally refuse the protocol itself
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

You can check that SSLv2 is disabled by running this from the shell/command line:

openssl s_client -connect localhost:443 -ssl2

If you get lines like these, SSLv2 is disabled:

419:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
420:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:

4.2. in Fedora DS

Final cipher line from /etc/dirsrv/slapd-ourserver/dse.ldif:

# folded LDIF: a continuation line starts with one space and may split a cipher name mid-token
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+f
 ortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_
 rsa_export1024_with_des_cbc_sha
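An added check, not part of the original notes: it unfolds the LDIF attribute above and reports which weak ciphers it still enables. The sample LDIF is constructed from that line, the DN is assumed, and the weak-name patterns are this example's own policy, not the scanner's criteria.

```python
"""Audit a Fedora DS nsSSL3Ciphers attribute for weak ciphers that are still enabled."""
import re
from typing import Dict, List

# Constructed sample: the dse.ldif attribute from the notes above, folded the way
# LDIF (RFC 2849) folds it. A continuation line starts with one space and may split
# a token anywhere ("+f" / "ortezza_rc4_128_sha"). The dn line is assumed.
SAMPLE_LDIF = """\
dn: cn=encryption,cn=config
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+f
 ortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_
 rsa_export1024_with_des_cbc_sha
"""

# Name fragments this example treats as weak: NULL encryption, 40-bit keys, RC2
# and export-grade suites. This is the example's own policy.
WEAK_MARKERS = ("null", "_40_", "rc2", "export")


def unfold_ldif(text: str) -> List[str]:
    """Join continuation lines (leading single space) onto the line before them."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_ciphers(ldif_text: str) -> Dict[str, bool]:
    """Return {cipher_name: enabled} parsed from the nsSSL3Ciphers attribute."""
    for line in unfold_ldif(ldif_text):
        if line.lower().startswith("nsssl3ciphers:"):
            # Cipher names never contain whitespace, so any that survives
            # unfolding (e.g. two-space indents from a wiki paste) is dropped.
            value = re.sub(r"\s+", "", line.split(":", 1)[1])
            ciphers: Dict[str, bool] = {}
            for token in filter(None, value.split(",")):
                if token[0] not in "+-":
                    raise ValueError("token without +/- prefix: %r" % token)
                ciphers[token[1:]] = token[0] == "+"
            return ciphers
    raise ValueError("no nsSSL3Ciphers attribute found")


def weak_enabled(ciphers: Dict[str, bool]) -> List[str]:
    """Cipher names that are enabled and match one of WEAK_MARKERS."""
    return [name for name, on in ciphers.items()
            if on and any(marker in name for marker in WEAK_MARKERS)]


if __name__ == "__main__":
    for name in weak_enabled(parse_ciphers(SAMPLE_LDIF)):
        print("still enabled:", name)
```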

4.3. in Webmin

Via this mail.

To get SSLv2 turned off in Webmin:

  1. Upgrade to Webmin 1.430 or later
  2. Webmin -> Webmin Configuration -> SSL Encryption
  3. Enter "HIGH:-SSLv2:-aNULL" into the "Allowed SSL Ciphers" field
  4. Restart Webmin

You can check that SSLv2 is disabled by running this from the shell/command line:

openssl s_client -connect localhost:10000 -ssl2

If you get lines like these, SSLv2 is disabled:

419:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
420:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:

4.4. in Windows

Mails about disabling SSLv2 and weak ciphers.

Final solution: create the following keys in the registry and set the DWORD value Enabled to 0 under each:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL:
   ... \Protocols\SSL 2.0\Server\Enabled = 0
   ... \Ciphers\RC2 40/128\Enabled = 0
   ... \Ciphers\RC4 40/128\Enabled = 0
   ... \Ciphers\RC4 56/128\Enabled = 0