Making Web interface secure
Q: I have configured the Web interface to use HTTPS so that I can access it from outside the local network. How can I further harden security?
A: The first piece of advice is to upgrade to the latest IPHost version (v5.1 build 14047 at the moment of writing this text). You can check the release notes list to make sure you are using the latest version, which includes security updates to all its components.
Important: if you can't upgrade your IPHost installation immediately, set the Web service directives described below in any case.
Web service SSL configuration directives
Below we list some of the HTTPS-related configuration directives of the IPHost Web service (file conf\ssl_virtualhost_extra.conf in the installation directory). The Web server component version used by the latest IPHost release is 2.4.29.
- SSLProtocol all -SSLv2 -SSLv3
  - Turns off the insecure SSL v2 and v3 protocols, thus preventing attacks such as POODLE
- SSLCipherSuite AES128+EECDH:AES128+EDH
  - Instructs the server to use only the explicitly listed strong cipher families
- SSLCompression off
  - Turns off TLS compression, thus preventing the so-called CRIME attack
- SSLHonorCipherOrder on
  - Makes the server's cipher order take priority over the client's (to prevent a weaker cipher from being chosen); part of the measures against the so-called BEAST attack
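The following added example (not part of IPHost or of the original page) audits the text of a configuration file such as conf\ssl_virtualhost_extra.conf for the four directives listed above. The function names and both sample configurations are constructed for illustration, and the SSLProtocol evaluation is a simplified model that assumes `all` includes SSLv2 and SSLv3, so a missing `-SSLv3` is always reported.

```python
# Constructed sample configs (not copied from an IPHost installation).
HARDENED = """\
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite AES128+EECDH:AES128+EDH
SSLCompression off
SSLHonorCipherOrder on
"""
WEAK = """\
SSLProtocol all -SSLv2
SSLCipherSuite AES128+EECDH:AES128+EDH
#SSLCompression off
sslhonorcipherorder Off
"""
LEGACY = {"sslv2", "sslv3"}

def parse_directives(text):
    """Map lowercased directive name -> argument list (last occurrence wins)."""
    found = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if parts and not parts[0].startswith("#"):
            found[parts[0].lower()] = parts[1:]
    return found

def legacy_protocols(args):
    """Left-to-right SSLProtocol evaluation; 'all' is assumed to include SSLv2/SSLv3."""
    enabled = set()
    for tok in args:
        name = tok.lstrip("+-").lower()
        protos = LEGACY if name == "all" else {name}
        if tok[0] not in "+-":
            enabled = set()  # a bare token replaces the current set
        enabled = enabled - protos if tok[0] == "-" else enabled | protos
    return sorted(enabled & LEGACY)

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    d, findings = parse_directives(text), []
    for name in ("SSLProtocol", "SSLCipherSuite"):
        if name.lower() not in d:
            findings.append(f"{name} not set")
    legacy = legacy_protocols(d.get("sslprotocol", []))
    if legacy:
        findings.append("SSLProtocol leaves enabled: " + ", ".join(legacy))
    for name, want in (("SSLCompression", "off"), ("SSLHonorCipherOrder", "on")):
        if [a.lower() for a in d.get(name.lower(), [])] != [want]:
            findings.append(f"{name} should be '{want}'")
    return findings
```

To check a real file, pass its contents to `audit()`; the check covers only the four directives above and does not judge the strength of the cipher string.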
Further recommended enhancements are listed on Cipherli.st, in the Apache section. We recommend studying the security-related sources and applying the rest of the settings mentioned there, to further harden security and prevent the majority of possible attacks against your secure Web interface.
We recommend assigning your HTTPS-enabled IPHost Web interface a domain name and checking it with the SSL Labs Test. If you receive security grade A or higher, your site is, at the moment, free of known SSL security problems.
Note: if you are running any other services mentioned on Cipherli.st, we strongly advise you to heed the recommendations and adjust your configurations correspondingly, to further reduce security risks.
Important note: security-related settings may change at any moment; we recommend that you check the above-mentioned sites and apply the recommended security settings, where applicable, as soon as possible.