Vulnerable for BEAST attack?

KGK · May 11, 2017, 5:17pm

Put my site through a SSL checker and it came with a message the server is vulnerable for a BEAST attack, googled it and it states:
Make sure you have the TLSv1.2 protocol enabled on your server. Disable the RC4, MD5, and DES algorithms. Contact your web server vendor for assistance

Is this really important because I have a unmanaged server to keep the cost low, so far it is all going pretty good but I got no clue how to enable and disable all of that.

Osiris · May 11, 2017, 6:52pm

Test your server at https://dev.ssllabs.com/ssltest/analyze.html

It will also tell you vulnerabilities like BEAST and give you links to information about it.

schoen · May 11, 2017, 7:29pm

@KGK, in addition to the test that @Osiris mentions, most people can potentially benefit from

https://mozilla.github.io/server-side-tls/ssl-config-generator/

This is a tool that suggests crypto configurations to put into your web server configuration files, depending on what web server software you’re using and which clients you expect to need to support. If you use the configurations that they offer, your users should be more secure against a variety of cryptographic attacks.

Certbot does this for people using the Apache or Nginx installers, though not all Certbot users are using these installers (even if they have Apache or Nginx).

KGK · May 12, 2017, 8:39am

Thank you for your answer.

That link doesn’t say much for me, for my IP4 it gives grade A
Nr2 is IP6? it says: Unable to connect to the server

The only warning I have is: Inconsistent server configuration

Now I have fail2ban installed so maybe that is the reason but I don’t know, server configuration etc is not my specialty and I’m learning as I go

KGK · May 12, 2017, 8:55am

Thank you for you answer, you Dutch BTW?

I’m the only client, I host my own site on a linux OpenVZ with Centos 7 core and Plesk.

As you seem to have knowledge about servers/linux etc, my current apache version is 2.4.6, is it needed to upgrade? and as for the SSL Configuration Generator, any guide how to add that as I’m such a linux noob

schoen · May 12, 2017, 11:39pm

Nope, my family name is originally German "schön" rather than Dutch "schoen".

The configuration generator is based on the idea that you would edit your own Apache configuration files within /etc/apache2 using a text editor. There may be sections of those files that set cryptographic options, and you can potentially then replace those sections with the Mozilla recommendations.

system · June 11, 2017, 11:52pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.