Posts Tagged ‘ CentOS ’
How to fix TLS/SSL using insecure cipher algorithms: ARCFOUR, CBC, HMAC-MD5, HMAC-RIPEMD160
Vulnerability scan
Vulnerability: TLS Service Supports Weak Cipher Suite
Transport Layer Security (TLS), the successor to Secure Socket Layer (SSL), is a network protocol that encrypts communications between TLS servers (e.g., websites) and TLS clients (e.g., web browsers). Every communication is secured by a cipher suite: a combination of several algorithms working in concert. Cryptographic algorithms do not have a defined lifetime, but academics, researchers, and nation states are constantly evaluating them for weaknesses. Consensus on which algorithms are untrustworthy evolves over time, and if a communication is protected with a weak cipher suite then that communication can be altered or decrypted.
- Severity: Medium
- Risk: A TLS service was observed supporting weak cipher suites.
- Recommendation: Disable the cipher suites listed in the evidence column of the measurement.
How to fix an SSH server using insecure cipher algorithms: ARCFOUR, CBC, HMAC-MD5, HMAC-RIPEMD160
Vulnerability scan
Vulnerability 1: SSH Supports Weak Cipher
The SSH server is configured to support either Arcfour or Cipher Block Chaining (CBC) mode cipher algorithms. SSH can be configured to use Counter (CTR) mode encryption instead of CBC. The use of Arcfour algorithms should be disabled.
- Severity: Medium
- Risk: A weak cipher has been detected.
- Recommendation: Configure the SSH server to disable Arcfour and CBC ciphers.
Vulnerability 2: SSH Supports Weak MAC
The SSH server is configured to support the MD5 algorithm. The cryptographic strength depends upon the size of the key and the algorithm that is used. Modern MAC algorithms such as SHA-1 or SHA-2 should be used instead.
- Severity: Medium
- Risk: A weak Message Authentication Code (MAC) algorithm has been detected.
- Recommendation: Configure the SSH server to disable the use of MD5.
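The two SSH findings above only say what to disable. The script below is an added example (not the post's own instructions) that audits an sshd_config for exactly the algorithm families named in the findings (arcfour*, *-cbc, hmac-md5*, hmac-ripemd160*) and rewrites the Ciphers/MACs directives to a hardened set. It assumes an OpenSSH that accepts the aes*-ctr and hmac-sha2-* names (CentOS 6's 5.3p1 with the Red Hat backports does); confirm with `sshd -t` before restarting, and keep an existing session open while you do. The sample sshd_config fragment is constructed.

```sh
#!/bin/sh
# Added example, not from the original post: audits an sshd_config for the
# algorithms the two findings name (arcfour*, *-cbc, hmac-md5*, hmac-ripemd160*)
# and rewrites the Ciphers/MACs lines to a hardened set.
# Assumption: the sshd accepts the names below (OpenSSH 5.3p1 on CentOS 6 with
# Red Hat's SHA-2 backport does); verify with `sshd -t` before restarting.

# CTR-mode ciphers only; SHA-2 MACs, with SHA-1 kept for clients that lack SHA-2
HARDENED_CIPHERS="aes256-ctr,aes192-ctr,aes128-ctr"
HARDENED_MACS="hmac-sha2-512,hmac-sha2-256,hmac-sha1"

# sshd_value FILE KEYWORD: value of the FIRST matching keyword. sshd honours the
# first occurrence of a keyword and ignores later ones. Empty if unset.
sshd_value() {
    awk -v k="$2" 'tolower($1)==k {print $2; exit}' "$1"
}

# audit_sshd_config FILE: one verdict line per directive; exit 1 if anything is weak
audit_sshd_config() {
    f="$1"; bad=0
    for kw in ciphers macs; do
        val=$(sshd_value "$f" "$kw")
        if [ -z "$val" ]; then
            # an unset directive means sshd's built-in default list, which on
            # OpenSSH 5.3 still includes arcfour, the CBC ciphers and hmac-md5
            echo "$kw: not set (built-in default list applies, which includes the weak algorithms)"
            bad=1; continue
        fi
        weak=$(echo "$val" | tr ',' '\n' | grep -iE '^(arcfour|.*-cbc$|hmac-md5|hmac-ripemd160)' | tr '\n' ' ')
        if [ -n "$weak" ]; then
            echo "$kw: weak: $weak"; bad=1
        else
            echo "$kw: ok ($val)"
        fi
    done
    return $bad
}

# harden_sshd_config FILE: drops existing Ciphers/MACs lines and PREPENDS the
# hardened ones. Prepending matters twice: sshd takes the first value it sees,
# and appending could land the lines inside a trailing Match block, where they
# are not permitted and would stop sshd from starting.
harden_sshd_config() {
    f="$1"
    cp "$f" "$f.bak"
    {
        echo "Ciphers $HARDENED_CIPHERS"
        echo "MACs $HARDENED_MACS"
        awk 'tolower($1)!="ciphers" && tolower($1)!="macs"' "$f"
    } > "$f.tmp" && mv "$f.tmp" "$f"
}

demo() {
    f=$(mktemp)
    # constructed sshd_config fragment carrying the settings the scanner reports
    printf 'Port 22\nProtocol 2\nCiphers aes128-cbc,arcfour,aes128-ctr\nMACs hmac-md5,hmac-ripemd160,hmac-sha1\n' > "$f"
    echo "== before"; audit_sshd_config "$f" || true
    harden_sshd_config "$f"
    echo "== after";  audit_sshd_config "$f"
    rm -f "$f" "$f.bak"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

On a real host run `audit_sshd_config /etc/ssh/sshd_config`, then `harden_sshd_config /etc/ssh/sshd_config`, `sshd -t`, and `service sshd restart`. To confirm what was actually negotiated, connect with `ssh -vv` and look for the `kex: server->client` debug line, which names the cipher and MAC in use.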
How to fix a Web/Mail server using insecure SSL protocols
Vulnerability scan
Vulnerability: SSL/TLS Service Supports Weak Protocol
Transport Layer Security (TLS), the successor to Secure Socket Layer (SSL), is a network protocol that encrypts communications between TLS servers (e.g., websites) and TLS clients (e.g., web browsers). Every communication is secured by a cipher suite: a combination of several algorithms working in concert. Networking protocols do not have a defined lifetime, but academics, researchers, and nation states are constantly evaluating them for weaknesses. Consensus on which protocols are untrustworthy evolves over time, and if communications are sent with a weak protocol then that communication can be altered or decrypted.
- Severity: High
- Risk: A TLS service was observed supporting weak protocols.
- Recommendation: Disable the protocols listed in the evidence column of the measurement.
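The weak-cipher-suite finding earlier on this page and the weak-protocol finding above are both fixed in the same two Apache mod_ssl directives, so one added example (not from either post) serves both: it audits SSLProtocol and SSLCipherSuite values and shows a weak configuration beside a hardened one. The sample configs are constructed; the weak one resembles the stock CentOS 6 ssl.conf. Two assumptions are built in: `all` in SSLProtocol is treated conservatively as every protocol including SSLv2, and cipher-string aliases are matched by name only, so `HIGH` is not expanded and the authoritative answer for what a string really enables remains `openssl ciphers -v '<string>'` or a scan of the live port. Because OpenSSL cipher strings have no `CBC` keyword, the only way to satisfy the CBC part of the finding is an explicit list of GCM suites, which is what the hardened config uses; that needs TLS 1.2 support (OpenSSL 1.0.1 or later) on both server and clients.

```sh
#!/bin/sh
# Added example, not from the original posts: audits Apache mod_ssl directives
# for weak protocols and weak cipher suites. The sample configs are constructed.
# Assumptions: 'all' is taken to include SSLv2 (conservative); cipher aliases
# are matched by name only, so run `openssl ciphers -v` for the real suite list.

ALL_PROTOCOLS="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2"
WEAK_PROTOCOLS="SSLv2 SSLv3 TLSv1 TLSv1.1"
# OpenSSL cipher-string tokens that select RC4, MD5, DES/3DES, export, low and anonymous suites
WEAK_CIPHER_TOKENS="RC4 MD5 DES 3DES EXPORT LOW aNULL eNULL"
# Aliases that enable those tokens unless each one is negated with !TOKEN
BROAD_ALIASES="ALL DEFAULT COMPLEMENTOFDEFAULT MEDIUM"

# enabled_protocols "VALUE": expands an SSLProtocol value (all, +X, -X, X) into the enabled set
enabled_protocols() {
    set -- $1
    enabled=""
    for tok in "$@"; do
        case "$tok" in
            all|+all) enabled="$ALL_PROTOCOLS" ;;
            -all)     enabled="" ;;
            -*) p=${tok#-}; new=""
                for e in $enabled; do [ "$e" = "$p" ] || new="$new $e"; done
                enabled=$new ;;
            +*) enabled="$enabled ${tok#+}" ;;
            *)  enabled="$enabled $tok" ;;
        esac
    done
    echo $enabled
}

# weak_protocols "VALUE": prints the enabled protocols the scanner flags; exit 1 if any
weak_protocols() {
    bad=""
    for p in $(enabled_protocols "$1"); do
        for w in $WEAK_PROTOCOLS; do
            [ "$p" = "$w" ] && bad="$bad $p"
        done
    done
    echo $bad
    [ -z "$bad" ]
}

# weak_ciphers "STRING": prints weak tokens an OpenSSL cipher string still enables.
# A token counts as enabled when named directly or via a broad alias and not
# negated with !TOKEN. Exit 1 if any.
weak_ciphers() {
    bad=""
    for w in $WEAK_CIPHER_TOKENS; do
        enabled=0; excluded=0
        for tok in $(echo "$1" | tr ':,' '  '); do
            case "$tok" in
                "!$w") excluded=1 ;;
                "$w")  enabled=1 ;;
            esac
            for a in $BROAD_ALIASES; do [ "$tok" = "$a" ] && enabled=1; done
        done
        [ "$enabled" -eq 1 ] && [ "$excluded" -eq 0 ] && bad="$bad $w"
    done
    echo $bad
    [ -z "$bad" ]
}

# audit_ssl_conf FILE: checks the last SSLProtocol / SSLCipherSuite in FILE.
# Unset directives fall back to mod_ssl defaults, approximated here as 'all' and DEFAULT.
audit_ssl_conf() {
    f="$1"; rc=0
    proto=$(awk 'tolower($1)=="sslprotocol" {$1=""; v=$0} END {print v}' "$f")
    suite=$(awk 'tolower($1)=="sslciphersuite" {v=$2} END {print v}' "$f" | tr -d '"')
    proto=$(echo ${proto:-all}); suite=${suite:-DEFAULT}
    weakp=$(weak_protocols "$proto") || rc=1
    echo "SSLProtocol $proto -> weak: ${weakp:-none}"
    weakc=$(weak_ciphers "$suite") || rc=1
    echo "SSLCipherSuite $suite -> weak: ${weakc:-none}"
    return $rc
}

demo() {
    d=$(mktemp -d)
    cat > "$d/weak.conf" <<'EOF'
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
EOF
    cat > "$d/hardened.conf" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on
EOF
    for c in weak hardened; do
        echo "== $c.conf"
        audit_ssl_conf "$d/$c.conf" && echo "PASS" || echo "FAIL"
    done
    rm -rf "$d"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run `audit_ssl_conf /etc/httpd/conf.d/ssl.conf` (and on any other file that sets these directives per virtual host, since a later directive in the same context wins). Restricting to TLS 1.2 and GCM suites will lock out old clients such as Java 6 or Windows XP-era browsers; test the clients you must support before rolling the change out, because the only alternative is to leave a CBC suite enabled and accept the finding.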
How to automatically redirect a site's http:// URLs to https://
Vulnerability scan
Vulnerability: Site does not enforce HTTPS
The site responds to HTTP requests without ultimately redirecting the browser to a secure version of the page. Since the site allows plaintext traffic, a man-in-the-middle attacker is able to read and modify any information passed between the site and the user. There are a variety of situations in which an attacker can intercept plaintext traffic in a man-in-the-middle position, including but not limited to:
- Open Wi-Fi Hotspots
- WPA/WPA2 encrypted hot-spots where the attacker connected before the victim
- Malicious Wi-Fi access points
- Compromised switches and routers
- ARP poisoning on the same wired network
It's important to remember that in many of the above situations, an attacker can not only read traffic, but also actively modify the traffic. Even if a site does not contain sensitive information, an attacker can still inject malicious content into a user's browser.
- Severity: High
- Risk: Site does not enforce the use of HTTPS encryption, leaving the user vulnerable to man-in-the-middle attackers (who can falsify data and inject malicious code).
- Recommendation: Any site served to a user (possibly at the end of a redirect chain) should be served over HTTPS.
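The recommendation above is checkable: a plain http:// request must end, after whatever redirect chain the site uses, on an https:// page. The script below is an added example (not from the post) that walks the chain and applies that rule. The walker takes its fetcher as a parameter so the logic runs offline against constructed responses; `http_fetch` is the real fetcher and needs curl plus network access. The `example.test` hosts are made up.

```sh
#!/bin/sh
# Added example, not from the original post: verifies that http:// ultimately
# lands on https://. The fetcher is a parameter so the walk can be tested with
# constructed responses; http_fetch is the real one (needs curl and network).

MAX_HOPS=10

# http_fetch URL: one HEAD request without following redirects; prints
# "<status> <redirect_url>" (redirect_url is empty for non-redirects)
http_fetch() {
    curl -sS -I -o /dev/null -w '%{http_code} %{redirect_url}' "$1"
}

# https_enforced FETCHER URL: follows 3xx responses via FETCHER up to MAX_HOPS,
# prints the final URL, exits 0 only if a non-redirect answer came from https://.
# A redirect loop, a 3xx without Location, an empty reply, or a chain that ends
# back on http:// all fail.
https_enforced() {
    fetcher="$1"; url="$2"; hops=0; final=""
    while [ "$hops" -lt "$MAX_HOPS" ]; do
        resp=$("$fetcher" "$url")
        status=${resp%% *}
        case "$resp" in *" "*) location=${resp#* } ;; *) location="" ;; esac
        case "$status" in
            "") break ;;
            301|302|303|307|308)
                [ -n "$location" ] || break
                url="$location"; hops=$((hops + 1)) ;;
            *) final="$url"; break ;;
        esac
    done
    echo "$url"
    case "$final" in https://*) return 0 ;; *) return 1 ;; esac
}

# demo_fetch: constructed responses for a site that redirects correctly
demo_fetch() {
    case "$1" in
        http://example.test/)  echo "301 https://example.test/" ;;
        https://example.test/) echo "200 " ;;
        *)                     echo "404 " ;;
    esac
}

demo() {
    for u in http://example.test/ http://other.example.test/; do
        if final_url=$(https_enforced demo_fetch "$u"); then
            echo "$u -> $final_url: HTTPS enforced"
        else
            echo "$u -> $final_url: NOT enforced"
        fi
    done
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Against a real site: `https_enforced http_fetch http://www.example.com/`. On Apache the fix is a `Redirect permanent / https://www.example.com/` in the port-80 virtual host (the https host must not redirect back), and once every page is served over TLS, a `Header always set Strict-Transport-Security "max-age=31536000"` in the port-443 host so returning browsers never issue the plaintext request in the first place.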
Switching CentOS 5/6 to a yum repository source that still works (2022)
If running yum shows:
http://mirror.centos.org/centos/6/os/x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 404 Not Found"
Trying other mirror.
To address this issue please refer to the below knowledge base article
it means the default yum repository the system points at no longer exists (CentOS 5 and 6 are end-of-life, and their packages were removed from the regular mirrors).
A still-usable repository source can be found on vault.centos.org:
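The following is an added example, not the post's own configuration: a script that repoints a stock CentOS-Base.repo at the vault. It assumes the last CentOS 6 release is 6.10 (for CentOS 5 set `VAULT_RELEASE=5.11`) and that the repo file has the stock layout, an active `mirrorlist=` line and a commented `#baseurl=` line per section. The repo fragment in `demo` is a constructed copy of that layout. The baseurl stays on plain http on purpose: an EOL CentOS 6 box often fails TLS validation against current certificate chains, and with `gpgcheck=1` each package is still verified against the local CentOS signing key regardless of transport.

```sh
#!/bin/sh
# Added example, not the post's own config: points CentOS 5/6 yum repos at the
# frozen archive on vault.centos.org.
# Assumptions: last CentOS 6 release is 6.10 (5.11 for CentOS 5); the repo file
# has the stock layout with mirrorlist= active and #baseurl= commented out.

VAULT_RELEASE="${VAULT_RELEASE:-6.10}"

# point_repo_at_vault FILE: disables mirrorlist=, enables baseurl= against the
# vault for every section, keeps FILE.bak, and prints the resulting baseurl lines
point_repo_at_vault() {
    repo="$1"
    [ -f "$repo" ] || { echo "no such repo file: $repo" >&2; return 1; }
    cp "$repo" "$repo.bak"
    # \$releasever is matched literally; the vault is laid out per exact release,
    # so the variable is replaced by the fixed release number
    sed -e 's|^mirrorlist=|#mirrorlist=|' \
        -e 's|^#baseurl=http://mirror.centos.org/centos/\$releasever|baseurl=http://vault.centos.org/'"$VAULT_RELEASE"'|' \
        "$repo" > "$repo.tmp" && mv "$repo.tmp" "$repo"
    grep '^baseurl=' "$repo"
}

demo() {
    f=$(mktemp)
    # constructed copy of the stock [base]/[updates] sections of CentOS-Base.repo
    cat > "$f" <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
EOF
    point_repo_at_vault "$f"
    rm -f "$f" "$f.bak"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

On the machine: `point_repo_at_vault /etc/yum.repos.d/CentOS-Base.repo && yum clean all && yum makecache`. Keep in mind what this buys you: the vault is a frozen snapshot, so it gets no security updates (CentOS 6 stopped receiving them on 30 November 2020); it makes `yum install` work again, it does not make the system patched.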
Quick setup of a VPN server (PPTP) on CentOS 5/6
A "VPN" is a communication method commonly used for private networks inside medium and large enterprises, or between organisations. Through the encrypted tunnel a VPN establishes, you can reach company-internal resources from outside, or use the VPN server as a jump host to reach blocked external resources (commonly called "getting over the wall").
Before using a VPN you need a server that provides the service. These days many people rent a VPS abroad for this; for hosting a site and a VPN at the same time, Linode is a good choice.
Keep the following points in mind and a PPTP VPN server on Linux can be set up quickly. One caveat first: PPTP's MS-CHAPv2 authentication and its RC4-based MPPE encryption have both been broken for years, so a PPTP tunnel should not be relied on for confidentiality against a capable attacker; where IPsec/L2TP or OpenVPN is an option, prefer it.
- PPP - Point-to-Point Protocol
- PPTP - Point-to-Point Tunneling Protocol
- iptables - packet forwarding (NAT) rules
Installation steps
1. Check whether ppp is available:
$ cat /dev/ppp
cat: /dev/ppp: No such device or address
If you see the same message as above, "No such device or address", do not worry: it means ppp is available and pptp can be set up as normal.
If you see "Permission denied" instead, ppp is disabled and there is no point reading the remaining steps. Run the check as root before drawing that conclusion: /dev/ppp is normally mode 0600 root:root, so an unprivileged user gets "Permission denied" even when ppp works.
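The probe in step 1 is easy to script so that it can gate the rest of an install. The following is an added example, not the post's own code: it maps the messages `cat /dev/ppp` can produce to exit codes. The post describes two outcomes; the "No such file or directory" case (device node absent, module not loaded) and the reminder to run as root are additions here.

```sh
#!/bin/sh
# Added example, not from the original post: scripts the /dev/ppp probe from
# step 1 and maps its outcomes to exit codes. The third case (device node
# missing) is not in the post; it is added here.

# classify_ppp_probe MSG: MSG is the stderr text of `cat /dev/ppp`.
# Exit 0 = ppp usable, 1 = denied, 2 = device node missing, 3 = unrecognised.
classify_ppp_probe() {
    case "$1" in
        *"No such device or address"*)
            # ENXIO: the ppp driver answered the open and rejected the read,
            # which is what a working /dev/ppp does for a fresh descriptor
            echo "available: the ppp driver answered"; return 0 ;;
        *"Permission denied"*)
            echo "denied: ppp disabled by the host (common on container VPS), or you are not root"; return 1 ;;
        *"No such file or directory"*)
            echo "missing: /dev/ppp absent, try 'modprobe ppp_generic' as root and re-check"; return 2 ;;
        *)
            echo "unrecognised response: $1"; return 3 ;;
    esac
}

# probe_ppp: runs the real check. Run it as root so that "Permission denied"
# reflects the host and not the 0600 mode of the device node.
probe_ppp() {
    msg=$(cat /dev/ppp 2>&1 </dev/null || true)
    classify_ppp_probe "$msg"
}

# demo: feeds the messages from the post plus the extra case through the classifier
demo() {
    for m in 'cat: /dev/ppp: No such device or address' \
             'cat: /dev/ppp: Permission denied' \
             'cat: /dev/ppp: No such file or directory'; do
        classify_ppp_probe "$m" || echo "  (exit code $?)"
    done
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Call `probe_ppp` as root and branch on its exit status; only an exit status of 0 means the steps that follow are worth running.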
How to fix yum failing to install glibc-headers
Recently, while installing packages with yum, these error messages suddenly appeared:
---> Package glibc-headers.x86_64 0:2.12-1.107.el6 will be installed
--> Processing Dependency: kernel-headers >= 2.2.1 for package: glibc-headers-2.12-1.107.el6.x86_64
--> Processing Dependency: kernel-headers for package: glibc-headers-2.12-1.107.el6.x86_64
--> Finished Dependency Resolution
Error: Package: glibc-headers-2.12-1.107.el6.x86_64 (base)
           Requires: kernel-headers >= 2.2.1
Error: Package: glibc-headers-2.12-1.107.el6.x86_64 (base)
           Requires: kernel-headers
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
The error messages mention something to do with "kernel"!
It turned out that, to stop yum from automatically updating the kernel, I had added this line to "/etc/yum.conf":
exclude=kernel*
Deleting that line fixes it: the glob kernel* does not only match the kernel package, it also matches kernel-headers, which glibc-headers depends on, so yum could not resolve the dependency. Any kernel-related failure you run into later is probably this same problem.
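To see which package names an exclude line actually catches before committing it to yum.conf, the following added example (not from the post) matches package names against exclude patterns the way a shell glob does; yum.conf(5) describes exclude= values as shell globs, and that equivalence for `*` and `?` is the assumption here. It compares the line from the post with a narrower one that pins only the kernel packages themselves.

```sh
#!/bin/sh
# Added example, not from the original post: shows which package names a yum
# exclude= pattern catches. Assumption: yum's exclude globs use the same * and ?
# matching as shell patterns, as yum.conf(5) describes them.

# yum_excluded PKG PATTERN...: exit 0 if PKG matches any of the exclude patterns
yum_excluded() {
    pkg="$1"; shift
    for pat in "$@"; do
        # $pat is deliberately unquoted so the case statement treats it as a glob
        case "$pkg" in $pat) return 0 ;; esac
    done
    return 1
}

# report_excludes "PATTERNS" PKG...: one verdict line per package for a candidate exclude= line
report_excludes() {
    pats="$1"; shift
    set -f   # stop the unquoted $pats below from expanding against files in the cwd
    for pkg in "$@"; do
        if yum_excluded "$pkg" $pats; then
            echo "exclude=$pats blocks $pkg"
        else
            echo "exclude=$pats allows $pkg"
        fi
    done
    set +f
}

demo() {
    # the line from the post, and a narrower one that pins only the kernel packages
    for pats in 'kernel*' 'kernel kernel-firmware'; do
        report_excludes "$pats" kernel kernel-firmware kernel-headers glibc-headers
        echo
    done
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

If you would rather keep the kernel pin exactly as it is, yum can also lift the yum.conf excludes for a single transaction: `yum --disableexcludes=main install glibc-headers`.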