Securing NGINX From The Logjam Attack on CentOS

Well, there’s another TLS vulnerability out in the wild: Logjam (CVE-2015-4000). It isn’t a bug in any single implementation but a weakness in how TLS negotiates Diffie-Hellman key exchange. A man-in-the-middle can steer a connection to a 512-bit “export-grade” DHE_EXPORT suite and then break that key, and servers that rely on one of the few widely shared 1024-bit DH groups are exposed to well-resourced attackers who can precompute against those groups.

Unfortunately, a great many web servers are affected, because ephemeral Diffie-Hellman is widely deployed, usually with a default 1024-bit group, and some still offer export-grade cipher suites.

In this guide, I’ll be covering what to do to secure your server on CentOS 6 and 7.

How to secure your server #

There are two things to do to secure your server. This tutorial covers the first in detail, but the second matters just as much: a unique group on its own does not stop a man-in-the-middle from steering the handshake to an export-grade suite if your cipher list still offers one.

  1. Generate a unique 2048-bit Diffie-Hellman group instead of relying on a widely shared 1024-bit one.
  2. Disable export-grade (512-bit) cipher suites. NGINX’s default ssl_ciphers value (HIGH:!aNULL:!MD5) already excludes them, but a custom ssl_ciphers list should contain !EXPORT.

What you’ll need to do #

Check whether or not your server is vulnerable with the Qualys SSL Labs Server Test. If your server accepts export-grade DH suites or uses a common 1024-bit DH group, a warning is shown at the top of the report.

Once you’ve confirmed that your server is vulnerable, go to your NGINX configuration directory and create a directory for the new group.

cd /etc/nginx/
mkdir keygroup
cd keygroup

Run the following command to generate a unique 2048-bit Diffie-Hellman group. This can take several minutes on a small server; the parameters are not secret, so the file does not need special permissions.

openssl dhparam -out dhsecure.pem 2048

Add the new group to your NGINX configuration by opening the file that holds your SSL server blocks.

cd /etc/nginx/
vi .conf

Continuing on, add the ssl_dhparam ... line shown below to every SSL server block. The directive is valid in the http and server contexts, not inside a location block, and like every NGINX directive it must end with a semicolon. Update all of your SSL server blocks accordingly.

server {
    listen 443 ssl;
    ...
    ssl_dhparam /etc/nginx/keygroup/dhsecure.pem;
    ...
    location / {
        ...
    }
}

Exit the configuration, check that it parses, and reload NGINX (CentOS 6 uses service; CentOS 7 uses systemctl).

nginx -t
service nginx reload
systemctl reload nginx

Test your server again with the SSL Labs checker. With a unique 2048-bit group in place and export-grade suites excluded from ssl_ciphers, the Logjam warning should be gone.
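The whole procedure above, packaged as an added example that is not code from the original article: it generates the group, writes a server block that applies both mitigations (the unique group and a cipher list with !EXPORT), and includes two checks a practitioner would run before and after the reload. The host name example.com, the certificate paths under /etc/nginx/ssl/, and the conf.d file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): Logjam hardening for NGINX
# as checkable shell functions. Assumed names: example.com, /etc/nginx/ssl/*,
# /etc/nginx/conf.d/example.com.conf.

# Step 1: generate a unique Diffie-Hellman group. 2048 bits can take minutes.
gen_dhparam() {
    openssl dhparam -out "$1" "${2:-2048}"
}

# Print the bit length of the group in a DH parameter file (empty if unreadable).
dh_bits() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Step 2: a server block that sets the group AND excludes export-grade suites.
# ssl_dhparam belongs in the server (or http) context, not in a location block.
hardened_server_block() {
    cat <<'EOF'
server {
    listen 443 ssl;
    server_name example.com;                               # assumed

    ssl_certificate     /etc/nginx/ssl/example.com.crt;    # assumed path
    ssl_certificate_key /etc/nginx/ssl/example.com.key;    # assumed path

    # Unique 2048-bit group: precomputation against a shared 1024-bit group no longer helps.
    ssl_dhparam /etc/nginx/keygroup/dhsecure.pem;

    # No export-grade suites, so a man-in-the-middle cannot downgrade to 512-bit DHE_EXPORT.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5';
    ssl_prefer_server_ciphers on;

    location / {
        root /usr/share/nginx/html;
    }
}
EOF
}

# Static check of a config file: succeeds only when both mitigations are present
# (a terminated ssl_dhparam directive and an ssl_ciphers list containing !EXPORT).
check_config() {
    cfg="$1"
    if ! grep -Eq '^[[:space:]]*ssl_dhparam[[:space:]]+[^[:space:];]+;' "$cfg"; then
        echo "FAIL: no ssl_dhparam directive in $cfg" >&2
        return 1
    fi
    if ! grep -E '^[[:space:]]*ssl_ciphers' "$cfg" | grep -q '!EXPORT'; then
        echo "FAIL: ssl_ciphers in $cfg does not exclude EXPORT suites" >&2
        return 1
    fi
    return 0
}

# Live check after the reload: the ephemeral DH key size the server really negotiates.
# Needs OpenSSL 1.0.2 or newer, which prints a line such as "Server Temp Key: DH, 2048 bits".
probe_dh_key() {
    openssl s_client -connect "$1:443" -cipher 'DHE' </dev/null 2>/dev/null \
        | grep 'Server Temp Key'
}

# Full procedure, run only when invoked as: sh logjam.sh apply
if [ "${1:-}" = "apply" ]; then
    mkdir -p /etc/nginx/keygroup
    gen_dhparam /etc/nginx/keygroup/dhsecure.pem 2048
    echo "group size: $(dh_bits /etc/nginx/keygroup/dhsecure.pem) bits"
    hardened_server_block > /etc/nginx/conf.d/example.com.conf   # assumed file name
    check_config /etc/nginx/conf.d/example.com.conf
    nginx -t && (systemctl reload nginx 2>/dev/null || service nginx reload)
    probe_dh_key example.com
fi
```

Run check_config against your own configuration before reloading; it rejects the block exactly as it was shown in the original article (ssl_dhparam inside location, with no semicolon) as well as any cipher list that does not spell out !EXPORT.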
