I configured the Web interface for access from the Internet and turned on HTTPS. Is it secure now?
Q: I have configured the Web interface to use HTTPS so that I can access it from outside the local network. How can I further harden security?
A: The first piece of advice is to upgrade to at least version 4 build 8879. Starting from that release, IPHost is distributed with OpenSSL library version 1.0.2 or higher, which addresses a number of known SSL vulnerabilities.
Important: if you can’t upgrade your IPHost installation immediately, set the Web service directives listed below in any case.
Web service SSL configuration directives
Below are some directives from the IPHost Web service configuration file (conf\httpd.conf in the installation directory).
- SSLProtocol all -SSLv2 -SSLv3
  - Turns off the insecure SSL v2 and v3 protocols, thus preventing attacks such as POODLE.
- SSLCipherSuite AES128+EECDH:AES128+EDH
  - Instructs the server to use only the strong cipher families that are explicitly listed.
- SSLCompression off
  - Turns off TLS compression, thus preventing the so-called CRIME attack.
- SSLHonorCipherOrder on
  - Gives the server's cipher order priority over the client's when a cipher is chosen (to prevent a weaker cipher from being selected); part of the measures against the so-called BEAST attack.
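One way to check a copy of conf\httpd.conf against the four directives above, as an added example that is not part of IPHost or of the original page. It assumes a flat file (Include files and per-VirtualHost overrides are not followed), and the SSLProtocol token handling is a simplified model written for this example.

```python
# Added example: audit httpd.conf text against the four directives listed above.
ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
FLAGS = {"sslcompression": "off", "sslhonorcipherorder": "on"}
CIPHERS = "AES128+EECDH:AES128+EDH"

def parse_directives(conf_text):
    """Map lowercased directive name -> argument string; the last occurrence wins."""
    found = {}
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0][0] in "#<":
            continue  # blank line, comment, or section tag such as <VirtualHost>
        found[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return found

def enabled_protocols(args):
    """Assumed model of SSLProtocol: '-' removes, '+' adds, a bare name replaces."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = ALL_PROTOCOLS if name.lower() == "all" else {name.lower()}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = set(group)
    return enabled

def audit(conf_text):
    """Return findings; an empty list means all four directives match the page."""
    d, findings = parse_directives(conf_text), []
    for name, want in FLAGS.items():
        got = d.get(name)
        if got is None:
            findings.append(f"{name}: missing")
        elif got.lower() != want:
            findings.append(f"{name}: {got!r}, expected {want!r}")
    if d.get("sslciphersuite", "").strip('"') != CIPHERS:
        findings.append("sslciphersuite: not the recommended list")
    if "sslprotocol" not in d:
        findings.append("sslprotocol: missing")
    else:
        weak = sorted(enabled_protocols(d["sslprotocol"]) & {"sslv2", "sslv3"})
        if weak:
            findings.append("sslprotocol: enables " + ", ".join(weak))
    return findings

# Constructed sample input, not a real IPHost configuration.
SAMPLE_WEAK = "SSLEngine on\nSSLProtocol all -SSLv2\nSSLCipherSuite HIGH:MEDIUM\nSSLHonorCipherOrder On\n"
print(audit(SAMPLE_WEAK))
```

To audit a real installation, pass the contents of the file to audit() and treat any finding as a line to fix before re-running an external scan.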
Further recommended enhancements are listed on Cipherli.st, in the Apache section. We recommend studying security-related sources and applying the rest of the settings mentioned there, to further harden security and prevent the majority of possible attacks against your secure Web interface.
We recommend assigning your HTTPS-enabled IPHost Web interface a domain name and checking it with the SSL Labs Test. If you receive a security grade of A or higher, your site is at the moment free of known SSL security problems.
Note: if you are running any other services mentioned on Cipherli.st, we strongly advise heeding the recommendations and adjusting your configurations accordingly, to further reduce security risks.