15U12U/vulnerability-remediation

Vulnerability Remediations

Solution

Disabling SSL 2.0

  • Windows
  • Linux

Disabling SSL 3.0

  • Windows
  • Linux

Crypto

SSL/TLS Hardening

SSH

RHEL-based Systems (CentOS / Fedora / Rocky Linux / Oracle Linux / Alma Linux etc.)

SSH Server CBC Mode Ciphers Enabled / CIS 1.6.3 Ensure system wide crypto policy disables cbc for ssh

Create or edit the file /etc/crypto-policies/policies/modules/NO-CBC.pmod and add or modify one of the following lines:

cipher@SSH = -*-CBC # Disables the CBC cipher for SSH

-OR-

cipher = -*-CBC # Disables the CBC cipher

Run the following command to update the system-wide cryptographic policy:

update-crypto-policies --set DEFAULT:NO-CBC

Run the following command to reboot the system to make your cryptographic settings effective for already running services and applications:

reboot

SSH Weak Key Exchange Algorithms Enabled / CIS 1.6.2 Ensure system wide crypto policy disables sha1 hash and signature support

Create or edit the file /etc/crypto-policies/policies/modules/NO-SHA1.pmod and add or modify the following lines:

hash = -SHA1
sign = -*-SHA1
sha1_in_certs = 0

Run the following command to update the system-wide cryptographic policy:

update-crypto-policies --set DEFAULT:NO-SHA1

Run the following command to reboot the system to make your cryptographic settings effective for already running services and applications:

reboot

CIS 1.6.4 Ensure system wide crypto policy disables macs less than 128 bits

Create or edit the file /etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod and add or modify the following line:

mac = -*-64* # Disables weak macs

Run the following command to update the system-wide cryptographic policy:

update-crypto-policies --set DEFAULT:NO-WEAKMAC

Run the following command to reboot the system to make your cryptographic settings effective for already running services and applications:

reboot
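The three modules above all use the same "-pattern" removal syntax, so it helps to see which algorithm names a pattern actually matches before the policy is applied. The following dry-run helper is an added example and not part of this repository; it models the matching as shell globbing over constructed algorithm lists (the names below are made up in crypto-policies style and are not read from a real system), and the "+name" handling is an assumption about the module syntax.

```shell
#!/bin/sh
# Added example, not from the repository: dry run of pmod removal patterns.
# Assumption: a "-pattern" token drops every algorithm name matching the
# pattern as a shell glob; a "+name" token appends a name. The key before
# "=" and any trailing "# comment" are ignored, as in the module files.

# apply_pmod_line "<space-separated algorithm list>" "<pmod line>"
# Prints the list that remains after every token on the line is applied.
apply_pmod_line() {
    list=$1
    line=${2%%#*}          # strip a trailing "# comment"
    tokens=${line#*=}      # keep only what follows "key ="
    for tok in $tokens; do
        case $tok in
            -*) pat=${tok#-}
                kept=""
                for alg in $list; do
                    case $alg in
                        $pat) ;;                  # glob matched: drop it
                        *) kept="${kept:+$kept }$alg" ;;
                    esac
                done
                list=$kept ;;
            +*) list="${list:+$list }${tok#+}" ;;
            *)  printf 'unsupported token: %s\n' "$tok" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$list"
}

# Constructed sample lists (not taken from any system's DEFAULT policy).
SSH_CIPHERS="AES-256-GCM CHACHA20-POLY1305 AES-256-CTR AES-256-CBC AES-128-CBC"
SSH_MACS="HMAC-SHA2-256 HMAC-SHA2-512 UMAC-128 UMAC-64 HMAC-SHA1"
HASHES="SHA2-256 SHA2-512 SHA1"
SIGS="RSA-PSS-SHA2-256 RSA-SHA2-256 RSA-SHA1 ECDSA-SHA1"

# The same lines as in the NO-CBC, NO-WEAKMAC and NO-SHA1 modules above.
printf 'NO-CBC     : %s\n' "$(apply_pmod_line "$SSH_CIPHERS" 'cipher@SSH = -*-CBC # Disables the CBC cipher for SSH')"
printf 'NO-WEAKMAC : %s\n' "$(apply_pmod_line "$SSH_MACS" 'mac = -*-64* # Disables weak macs')"
printf 'NO-SHA1    : %s\n' "$(apply_pmod_line "$HASHES" 'hash = -SHA1')"
printf 'NO-SHA1    : %s\n' "$(apply_pmod_line "$SIGS" 'sign = -*-SHA1')"
```

Note that "-SHA1" only matches the bare name SHA1, while "-*-SHA1" matches every name ending in -SHA1, which is why the NO-SHA1 module needs both lines.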

Checking SSL/TLS Protocols and Ciphers

nmap -sV -p <port> --script ssl-enum-ciphers <ip>

Replace <port> and <ip> with the port and address of the service being checked; the script lists the protocol versions and cipher suites the server offers, so it can be used to confirm that a policy change took effect.


Ciphers

HTTP Response Headers

  • Security Headers
    • Content Security Policy
    • HTTP Strict Transport Security
    • X-Content-Type-Options
    • X-Frame-Options
    • X-Xss-Protection


Remote Desktop Protocol



Certificates
