
CentOS 7 – Securing Apache and FTP with OpenSSL


Most services exposed to the world are attractive targets for attackers who want to steal valuable information or disrupt their operation. In this section we present a solution that helps secure two of the most commonly used services, HTTP and FTP. This solution is OpenSSL, an open source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols as well as a robust cryptography library.

We will start with the implementation of OpenSSL for FTP file transfer to make it more secure. First, we need to ensure OpenSSL is installed on our system:


$ sudo yum install openssl

Then we configure the service to work with our FTP server, VSFTPD. We need to create an SSL certificate to use with TLS, since TLS is the newer and more secure of the two protocols. To do so we first create a folder to store the files that OpenSSL will generate:


$ sudo mkdir /etc/ssl/private

Then we create the certificate with the keys:


$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem  -sha256

We need to fill in the details required during the execution of the command:

  • openssl: The OpenSSL command-line tool for managing certificates and keys
  • req -x509: To generate a self-signed X.509 certificate directly, rather than a certificate signing request
  • -nodes: To tell OpenSSL to skip the passphrase protection of the private key
  • -days 365: To set the validity period of this certificate
  • -newkey rsa:2048: To create a new RSA key 2048 bits long
  • -keyout: To tell OpenSSL where to write the private key file
  • -out: To tell OpenSSL where to write the certificate file
  • -sha256: To sign the certificate with the SHA-256 digest

Then we add the SSL details to our FTP server main configuration file:


$ sudo nano /etc/vsftpd/vsftpd.conf

We specify the location of the certificate and the key files:


rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

Then we enable the use of SSL:


ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

Then we restrict the connections to TLS:


ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

Then we add two optional settings. ssl_ciphers=HIGH restricts vsftpd to OpenSSL's high-strength cipher suites, while require_ssl_reuse=NO relaxes vsftpd's requirement that data connections reuse the control connection's TLS session, a requirement many FTP clients cannot meet:


require_ssl_reuse=NO
ssl_ciphers=HIGH

Then we restart the FTP service to enable the change:


$ sudo systemctl restart vsftpd

Then we can test it via an FTP client such as FileZilla that is able to connect over FTPS, to confirm that the connection and the transfers are now encrypted.
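To verify that a vsftpd.conf actually carries the settings applied above, here is an added checker (example code, not from this page or from vsftpd). Its two sample configurations are constructed, and the boolean forms it accepts are the ones vsftpd's own parser accepts.

```python
# Added example (not from the page or vsftpd); the sample configs below are constructed.
REQUIRED = {  # expected values, taken from the settings applied above
    "ssl_enable": True, "allow_anon_ssl": False,
    "force_local_data_ssl": True, "force_local_logins_ssl": True,
    "ssl_tlsv1": True, "ssl_sslv2": False, "ssl_sslv3": False,
}

def parse_vsftpd_conf(text):
    """Parse vsftpd's key=value format; blank lines and '#' comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def as_bool(value):
    """Map the boolean forms vsftpd accepts (case-insensitive) to True/False/None."""
    v = value.lower()
    return True if v in ("yes", "true", "1") else False if v in ("no", "false", "0") else None

def check_tls_hardening(text):
    """Return a sorted list of findings; an empty list means the config matches."""
    settings = parse_vsftpd_conf(text)
    findings = [f"{k} missing" for k in ("rsa_cert_file", "rsa_private_key_file")
                if not settings.get(k)]
    for key, expected in REQUIRED.items():
        if key not in settings:
            findings.append(f"{key} missing")
        elif as_bool(settings[key]) is not expected:
            findings.append(f"{key}={settings[key]}")
    if settings.get("ssl_ciphers", "").upper() != "HIGH":
        findings.append("ssl_ciphers not HIGH")
    return sorted(findings)

# Constructed sample: the hardened configuration from this section.
GOOD_CONF = """rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH"""
# Constructed sample: SSLv3 left on, logins not forced over TLS, ciphers commented out.
WEAK_CONF = GOOD_CONF.replace("ssl_sslv3=NO", "ssl_sslv3=YES").replace(
    "force_local_logins_ssl=YES\n", "").replace("ssl_ciphers", "# ssl_ciphers")
```

Run check_tls_hardening on the file read from /etc/vsftpd/vsftpd.conf; the weak sample above yields three findings and the hardened one none.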

We now move on to the second part of this section, where we secure our Apache web server. We will install the OpenSSL module for Apache and then configure it.

First, we need to make sure that Apache is installed, and the same applies to OpenSSL. Then we can install the mod_ssl module:


$ sudo yum install mod_ssl

After installing it, we move to the configuration part. We need to create a folder in which we are going to store our keys and certificate files:


$ sudo mkdir /etc/httpd/ssl

Then we create our keys and certificates using OpenSSL:


$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt -sha256

We need to fill in all the required details to finish the files’ creation.

Note

The Apache SSL key must not be protected by a passphrase (hence -nodes above); otherwise the passphrase has to be entered manually every time the server restarts.

After creating all our files, we need to set up a virtual host to use with the new certificate. To do so we need to start by editing Apache’s SSL configuration file:


$ sudo nano /etc/httpd/conf.d/ssl.conf

We need to find the section that begins with <VirtualHost _default_:443>, to make some changes to it to make sure that the SSL certificate is correctly set.

First, we need to uncomment the DocumentRoot line and change the location to the desired site that we need to secure:


DocumentRoot "/var/www/packt.co.uk/home"

We do the same thing for the line ServerName and we need to change the domain to the desired one:


ServerName packt.co.uk:443

And finally, we need to find the SSLCertificateFile and the SSLCertificateKeyFile lines and change them to point to where we have created the SSL certificate and key:


SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

Then we save the file and restart Apache to enable the change:


$ sudo systemctl restart httpd

To test this configuration, we open a web browser on a client machine and type in https://www.packtpub.com/uk. Then we accept the certificate and access the site.
