Securing Your Web Server
Does having an SSL certificate on your server makes it secure?
Interesting question!
Well, there are many factors that determine the secure server.
After building a TCP connection, the SSL handshake is started by the client. The client (which can be a browser as well as any other program such as Windows Update or PuTTY) sends a number of specifications:
- which version of SSL/TLS it is running,
- what ciphersuites it wants to use, and
- what compression methods it wants to use.
The SSL certificate provides the encryption mechanism when the information is sent from server to the client. Weak SSL/TLS protocols will result in man-in-the-middle attacks. To secure the server and only enable strong protocols and SSL ciphersuites is your task. It’s your part to harden the server. If you’re not aware of these issues then your server is likely to get compromised.
Here I’ve listed ways in which you can harden your server.
- First is to disable the weak SSL protocols: SSLv2, SSLv3, TLSv1
- Disable weak SSL ciphersuites RC4, MD5, DES.
For apache server you need to modify the ssl.conf file located in /etc/apache2/mods-available/ssl.conf
Be sure to check if any other SSL configuration exists in the sites-available folder that may be overriding your SSL configuration.
For Nginx,
Modify your nginx.conf file.
Mozilla updates the SSL configuration guide; you can generate your configuration as per your server software version.
https://mozilla.github.io/server-side-tls/ssl-config-generator/
Also, be sure to restart your server after modification of the configuration file.
You can check your server security status here if you have any SSL certificates installed.
https://www.ssllabs.com/ssltest/
https://cryptoreport.geotrust.com/checker/views/certCheck.jsp
