1. SSL Medium Strength Cipher Suites Supported (SWEET32) && TLS Version 1.0 Protocol Detection
Using traefik.toml as an example:
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384"
]
2. HSTS Missing From HTTPS Server (RFC 6797)
Using traefik.toml as an example: HTTP access has to be removed entirely. A redirect is not acceptable either; only HTTPS may be served.
[entryPoints]
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384"
]
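An added check for the two traefik.toml fragments above (my own example, not part of this post or of Traefik): it parses the small section / key subset that Traefik 1.x config uses and reports the settings behind the SWEET32, TLS 1.0 and HSTS findings, namely the minimum protocol version, any 3DES/RC4/NULL cipher suite in Go's naming, a surviving plaintext entrypoint, and whether a Strict-Transport-Security header is configured at all. The `STSSeconds` key under the entrypoint's headers table is Traefik 1.x's HSTS option as I recall it (confirm against your version's docs); the sample config is constructed.

```python
import re

# Constructed sample (not a real deployment): the entrypoint block from this post plus
# a plaintext :80 entrypoint that the HSTS remediation above says must go.
SAMPLE_TOML = """
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]
  minVersion = "VersionTLS12"
  cipherSuites = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384"
  ]
"""

SECTION_RE = re.compile(r"^\[([\w.]+)\]$")
KEY_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")
STRING_RE = re.compile(r'"([^"]*)"')

def parse_toml_subset(text):
    """Minimal parser for the 'section / key = value' shape traefik.toml uses:
    quoted strings, bare numbers or booleans, and string arrays spanning lines.
    Returns {section name: {key: value}}; not a general TOML parser."""
    config, section, pending_key, pending_items = {}, "", None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if pending_key is not None:                 # inside a multi-line array
            pending_items += STRING_RE.findall(line)
            if line.endswith("]"):
                config[section][pending_key] = pending_items
                pending_key, pending_items = None, None
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            config.setdefault(section, {})
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        config.setdefault(section, {})
        if value.startswith("["):
            pending_key, pending_items = key, STRING_RE.findall(value)
            if value.endswith("]"):                 # single-line array
                config[section][key] = pending_items
                pending_key, pending_items = None, None
        else:
            config[section][key] = value.strip('"')
    return config

# Go cipher-suite names a scanner flags: 64-bit block 3DES (SWEET32), RC4, NULL.
WEAK_SUITE_MARKERS = ("3DES", "RC4", "NULL")
ACCEPTED_MIN_VERSIONS = ("VersionTLS12", "VersionTLS13")

def audit_traefik(text):
    """Return a list of findings for the https entrypoint of a traefik.toml."""
    cfg = parse_toml_subset(text)
    findings = []
    tls = cfg.get("entryPoints.https.tls", {})
    min_version = tls.get("minVersion")
    if min_version not in ACCEPTED_MIN_VERSIONS:
        findings.append('TLS 1.0/1.1 accepted: set minVersion = "VersionTLS12" (found %r)' % (min_version,))
    suites = tls.get("cipherSuites", [])
    if not suites:
        findings.append("cipherSuites not pinned: the enabled list depends on the Go version Traefik was built with")
    for suite in suites:
        if any(marker in suite for marker in WEAK_SUITE_MARKERS):
            findings.append("weak cipher suite enabled: " + suite)
    if "entryPoints.http" in cfg:
        findings.append("plaintext entrypoint still defined: " + str(cfg["entryPoints.http"].get("address", "?")))
    # Assumption: Traefik 1.x emits Strict-Transport-Security from the entrypoint's
    # headers table via STSSeconds; confirm the key against your Traefik version.
    if "STSSeconds" not in cfg.get("entryPoints.https.headers", {}):
        findings.append("no Strict-Transport-Security header configured on the https entrypoint")
    return findings

if __name__ == "__main__":
    for finding in audit_traefik(SAMPLE_TOML):
        print("-", finding)
```

Run against the sample it reports the :80 entrypoint and the missing HSTS header; removing the plaintext entrypoint, as this post does, silences the first, and only the header setting silences the second, which is what the RFC 6797 finding actually tests for.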
3. SSH Weak Key Exchange Algorithms Enabled && SSH Server CBC Mode Ciphers Enabled
3.1. Open the ssh configuration file:
vim /etc/ssh/sshd_config
Append the following three algorithm lines at the end of the file:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
Macs hmac-sha1,hmac-ripemd160
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
3.2. Restart sshd
systemctl restart sshd
3.3. If it fails with the error Directive 'Ciphers' is not allowed within a Match block
If the following two lines are present in the config, put the lines you are adding above them:
Subsystem sftp internal-sftp
Match Group sftp
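An added example (mine, not from this post) that automates steps 3.1 and 3.3: it reads an sshd_config, reports Ciphers / Macs / KexAlgorithms lines that sit after a Match line (the cause of the error quoted in 3.3), flags CBC ciphers, RC4 (arcfour), MD5 or 96-bit MACs and the SHA-1 group1 / group-exchange key exchanges, and `hoist_above_match` applies the fix from 3.3 by moving those lines above the first Match. The sample config is constructed.

```python
import re

# Constructed sshd_config fragment (not from a real host) reproducing 3.3: the three
# algorithm lines were appended at the end, i.e. after an existing Match block.
SAMPLE_SSHD_CONFIG = """\
Port 22
Subsystem sftp internal-sftp
Match Group sftp
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc
Macs hmac-sha1,hmac-md5
KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1
"""

# Directives sshd refuses inside a Match block (the error quoted in 3.3).
GLOBAL_ONLY = ("ciphers", "macs", "kexalgorithms")

# Weak-algorithm predicates: CBC-mode ciphers and RC4 (arcfour), MD5 or 96-bit
# truncated MACs, and the SHA-1 group1 / group-exchange key exchanges.
WEAK = {
    "ciphers": lambda a: "cbc" in a or a.startswith("arcfour"),
    "macs": lambda a: "md5" in a or a.endswith("-96"),
    "kexalgorithms": lambda a: a in ("diffie-hellman-group1-sha1",
                                     "diffie-hellman-group-exchange-sha1"),
}

def split_directive(line):
    """Split 'Keyword value' (or 'Keyword=value') into (lowercased keyword, value)."""
    parts = re.split(r"[\s=]+", line.strip(), maxsplit=1)
    return parts[0].lower(), (parts[1] if len(parts) > 1 else "")

def audit_sshd_config(text):
    """Return findings: misplaced directives after the first Match line, and weak
    entries in Ciphers / Macs / KexAlgorithms."""
    findings, in_match = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, value = split_directive(line)
        if keyword == "match":
            in_match = True
            continue
        if keyword not in GLOBAL_ONLY:
            continue
        if in_match:
            findings.append("line %d: %s is inside a Match block, sshd will refuse to start; "
                            "move it above the first Match line" % (lineno, keyword))
        for algo in value.split(","):
            algo = algo.strip()
            if algo and WEAK[keyword](algo):
                findings.append("line %d: weak %s entry %s" % (lineno, keyword, algo))
    return findings

def hoist_above_match(text):
    """Apply the fix from 3.3: move Ciphers / Macs / KexAlgorithms lines that follow
    the first Match line to just before it; all other lines keep their order."""
    lines = text.splitlines()
    first_match = next((i for i, l in enumerate(lines)
                        if split_directive(l)[0] == "match"), None)
    if first_match is None:
        return text
    hoisted, rest = [], []
    for i, l in enumerate(lines):
        if i > first_match and split_directive(l)[0] in GLOBAL_ONLY:
            hoisted.append(l)
        else:
            rest.append(l)
    return "\n".join(rest[:first_match] + hoisted + rest[first_match:]) + "\n"

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("-", finding)
    print(hoist_above_match(SAMPLE_SSHD_CONFIG))
```

Run against the Ciphers line from 3.1 the checker would also flag the three arcfour entries: RC4 was dropped from OpenSSH in release 7.6, so on current servers they are silently ignored and on scanners they are reported as weak.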
3.4. Verify with ssh (optional)
[root@localhost ~]
[root@localhost ~]
3.5. Verify with nmap (optional)
nmap --script ssh2-enum-algos -sV -p 22 <target IP>
……
Unable to negotiate with 127.0.0.1 port 22: no matching cipher found. Their offer: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
……
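As an added example (mine, not from this post or from nmap) of what the checks in 3.4 and 3.5 rely on: an SSH server announces its algorithm lists in SSH_MSG_KEXINIT before any key exchange, so a client can read them without authenticating, which is how `ssh` produces the "Their offer:" line above and how nmap's ssh2-enum-algos script enumerates them. The code builds and parses the KEXINIT payload laid out in RFC 4253 section 7.1, and `read_server_kexinit` performs the version exchange against a live host (network only, not exercised offline); the sample algorithm lists are constructed.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_client_to_server", "encryption_server_to_client",
    "mac_client_to_server", "mac_server_to_client",
    "compression_client_to_server", "compression_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

# Constructed server offer (not captured from a real host): CTR-only ciphers and
# no SHA-1 group1 / group-exchange key exchange, i.e. what a fixed server sends.
SAMPLE_SERVER_LISTS = {
    "kex_algorithms": ["curve25519-sha256", "curve25519-sha256@libssh.org",
                       "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-512"],
    "encryption_client_to_server": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "encryption_server_to_client": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "mac_client_to_server": ["hmac-sha2-256", "hmac-sha2-512"],
    "mac_server_to_client": ["hmac-sha2-256", "hmac-sha2-512"],
    "compression_client_to_server": ["none"],
    "compression_server_to_client": ["none"],
    "languages_client_to_server": [],
    "languages_server_to_client": [],
}

def build_kexinit(lists):
    """Encode a KEXINIT payload (no binary-packet framing). Used here to construct
    the sample offline; a real client sends one of these to the server as well."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16      # cookie: zeros in the sample
    for field in KEXINIT_FIELDS:
        namelist = ",".join(lists.get(field, [])).encode()
        payload += struct.pack(">I", len(namelist)) + namelist
    payload += b"\x00" + struct.pack(">I", 0)              # first_kex_packet_follows, reserved
    return payload

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm, ...]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    offset, lists = 17, {}                                  # skip message id and 16-byte cookie
    for field in KEXINIT_FIELDS:
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        raw = payload[offset:offset + length].decode()
        offset += length
        lists[field] = raw.split(",") if raw else []
    return lists

def read_server_kexinit(host, port=22, timeout=5.0):
    """Version exchange, then return the server's parsed KEXINIT. No key exchange is
    completed and nothing is authenticated; network only, not run offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        while True:                                         # banner lines may precede the version
            line = f.readline()
            if not line or line.startswith(b"SSH-"):
                break
        s.sendall(b"SSH-2.0-kexinit_probe\r\n")
        packet_len, padding_len = struct.unpack(">IB", f.read(5))
        body = f.read(packet_len - 1)                       # payload + padding (no MAC yet)
        return parse_kexinit(body[:packet_len - 1 - padding_len])

def flagged_offers(lists):
    """Name the offered algorithms the findings on this page cover: CBC-mode ciphers
    and the SHA-1 group1 / group-exchange key exchanges."""
    ciphers = set(lists["encryption_client_to_server"]) | set(lists["encryption_server_to_client"])
    weak_kex = ("diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1")
    return {
        "cbc_ciphers": sorted(a for a in ciphers if "cbc" in a),
        "weak_kex": sorted(a for a in lists["kex_algorithms"] if a in weak_kex),
    }

SAMPLE_KEXINIT = build_kexinit(SAMPLE_SERVER_LISTS)

if __name__ == "__main__":
    print(flagged_offers(parse_kexinit(SAMPLE_KEXINIT)))   # both lists empty for the sample
```

For a live check, `flagged_offers(read_server_kexinit("127.0.0.1"))` gives the same answer as the nmap script for these two findings, and because the probe stops before the key exchange it leaves only a short-lived, unauthenticated connection in the server's log.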