Security Scan found Weak and Medium strength ciphers port 389&636

After a recent security scan on one of our Apple Servers running 10.9.5 (Mavericks) it has reported weak and medium strength ciphers on port 389&636 and also that SSLv2 and SSLv3 is enabled. The Server is running Profile Manager and therefore also Open Directory although we are not really using Open Directory for authentication as we have AD within the organisation.
My question is how can I modify Open Directory to only use HIGH ciphers and not MEDIUM or LOW? I have found the httpd-ssl.conf file but that is only listening on port 443. I have also found the slapd.conf but can't see where I would make the change.
Any help would be greatly appreciated.
Thanks

So would you believe it I've managed to get it working. I wanted to see if Yosemite suffered from the same 'issues' that Mavericks does with SSLv2 & SSLv3 support. Also the weak ciphers bsing used. Well they scannex that server and found exactly the same 'issues' as before. So I started working on it this morning editing slapd.conf, slapd.conf.default, slapd_macosxserver.conf and apache-ssl.conf it might sound overkill but I thought what the ****. I added the following lines to all conf files:
SSLProtocol ALL -SSLv2
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
and and it worked. Passed the scan with flying colours however might need to mod SLLv3 to keep theM happy.
I need to replicate this on a Mavericks Server so hope the jist is the same.
thanks for the advice Linc.

Similar Messages

  • I recieveced a pop up from firefox stating mozilla security has found virsues and I need to protect my computer by starting a scan. Is this real or spam?

    http://radersea.co.cc/index.php?Q+XhEtS7bRxGVHqmM3tJQin2Ex74TjduoWnyqgfHpKvVMy9uhP0pS1EYq1DgGlvHuU2tYSogGew2dpp2qMTPzg
    This is where it comes from

    That pop-up wasn't from Mozilla, that was a fake website. You didn't download or install anything from there, did you?

  • Failing PCI Compliance Scan - SSL Weak...

    Hello,
    I currently use the WRVS4400n v2 (latest update) for my small business. I store and transmit data that contains credit card information and need to be PCI compliant. Regardless of which settings I change on the router, like turning off remote management, I keep failing the scan. ControlScan uses Nessus and the results are below (2 vulnerabilities).
    I did some research and spent some time with Cisco Sales Chat and they recommended a ASA5500 only to realize that it too had the same vulnerabilities. I did more research and it seemed that the SA520w (I need wireless) would do it but I found a thread on this forum saying that a client who had the SA520w did not pass the scan failed due to SSL vulerability (need v3+ ?). The thread is at https://supportforums.cisco.com/thread./2060512
    Question: What router/appliance should I use to be PCI compliant? Three has to be something, we're talking, this is Cisco.
    Thank you in advance for your help,
    Christophe
    Threat ID: 126928
    Details:
    IP Address: XX.XXX.X.XXX
    Host: XX.XXX.X.XXX
    Path:
    THREAT REFERENCE
    Summary:
    SSL Weak Cipher Suites Supported
    Risk: High (3)
    Type: Nessus
    Port: 60443
    Protocol: TCP
    Threat ID: 126928
    Information From Target:
    Here is the list of weak SSL ciphers supported by the remote server :
    Low Strength Ciphers (< 56-bit key)
    SSLv2
    EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export    
    EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export    
    The fields above are :
    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}
    Solution:
    Reconfigure the affected application if possible to avoid use of weak
    ciphers.Details:
    The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
    Threat ID: 142873
    Details:
    IP Address: XX.XXX.X.XXX
    Host: XX.XXX.X.XXX
    Path:
    THREAT REFERENCE
    Summary:
    SSL Medium Strength Cipher Suites Supported
    Risk: High (3)
    Type: Nessus
    Port: 60443
    Protocol: TCP
    Threat ID: 142873
    Information From Target:
    Here are the medium strength SSL ciphers supported by the remote server :
    Medium Strength Ciphers (>= 56-bit and < 112-bit key)
    SSLv2
    DES-CBC-MD5                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=MD5   
    SSLv3
    DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
    TLSv1
    DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
    The fields above are :
    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}
    Solution:
    Reconfigure the affected application if possible to avoid use of
    medium strength ciphers.Details:
    The remote host  supports the use of SSL ciphers that offer medium strength encryption,  which we currently regard as those with key  lengths at least 56 bits  and less than 112 bits.

    Chris,
    As i understand right now none of the Small Business router are PCI compliance ever since PCI 3.0 was released. How you overcome this; you'll need to forward any ports you are failing on to a ghost IP.. Ghost ip (any ip address that isn 't being used) If you are using those ports , then you will lose that service as the router isn't PCI 3.0 compliant.
    Jason
    I do believe the ASA5505 are PCI 3.0 Compliant.

  • SSL Medium Strength Cipher Suites Supported vulnerability

    Kind of an odd thing.  We just had a vulnerability scan and a 2960 got pinged for supporting medium strength SSL cipher suites.  I say strange cause I have 3 others that have the same IOS image and they didn't get pinged.  Swap out the management IP address and they are all the same.  They are all running 12.2(52)SE C2960-LANBASEK9-M, with a 768 bit keys.  Here is the text of the vulnerability :
    Synopsis : The remote service supports the use of medium strength SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
    Reconfigure the affected application if possible to avoid use of medium strength ciphers. / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) Plugin output : Here are the medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (>= 56-bit and < 112-bit key) SSLv3 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 TLSv1 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
    Can someone point me in the right direction on how to re-configure the switch to pass this test?
    Thanks
    Poirot

    I believe the alert there is because you are using a 768 key which was broken recently (Jan 2010 a paper was published on it with results from efforts that took 4 years to break 768 keys). 768bit RSA keys is not considered secure enough any more.
    I would suggest you to configure keys of 1024 on these switches and try again.
    I hope it helps.
    PK

  • TS3212 i am trying to download itunes and it shows it downloads until it gets to 99% and then it says it is running a security scan and then says it couldnt be downloaded?

    I am trying to donload itunes to my computer and it shows it downloads and then it says running security scan and it says it cannot be downloaded....

    Hi there krashman,
    I would recommend taking a look at the troubleshooting steps found in the article below.
    Trouble installing iTunes or QuickTime for Windows
    http://support.apple.com/kb/HT1926
    -Griff W.

  • I opened the attachment on a malicious email in error on my IPad and have been informed by the genuine company that it will download malware software. Is this possible on my IPad or is there a way of running a security scan to see if it has been infected?

    I received an email that I now know to be malicious and inadvertently opened up the attachment on my IPad that I've been informed will download malware or a virus. Can my IPad be infected this way or does anyone know if there is a way of running a security scan to check if there is a problem? I do have the most up to date IOS software installed.

    There is no anti-malware for iOS, at least none that actually does anything useful. The odds of getting any malware infection via an email attachment on an iOS device is quite low - practically non-existent. Unless you are seeing any issues, there isn't much to do, other than deleting the email and being more cautious in the future.

  • 802.1x and Security scanning

    Hello,
    Is it possible for our security team to security scan all hosts on the network if they are using 802.1x authentication? I am trying to ensure that we can meet security scanning requirements and still use the 802.1x port-based authentication function. If not the other alternative is to use port security for end hosts. Any help/advice would be greatly appreciated.
    Thanks

    If you are using open mode, you could put in a permit rule in the pre-auth acl on the switch port, that allows all traffic going to your scanners ip adress. Traffic from the scanner to the device on the switch port is not restricted normally.
     

  • Why does Adobe Reader and Adobe Flash player keep installing McaFee Security Scan on my system?

    Whenever I install the Adobe Flash player or Adobe Reader on my system, it downloads and installs McAfee Security Scan Plus at the same time. It does not ask if I want it or not, it instead forces it on me, so I have to then unistall it. I've unistalled it 3 or 4 times in the last week. I DO NOT WANT MCAFEE PRODUCTS on my computer!
    Please make this an option, give the users a choice so we don't have to keep removing the stupid thing.

    Did you 'Uncheck" the relevant box pointed by the red arrow ? If not you accepted the installation with McAfee.

  • What's listening on port 454 and 455 in Azure? Warning flagged by security scan

    We are about to go live with an Azure Website and, as a precaution, did a security scan on the IP address that has been allocated to us.
    There were a number of low severity warnings listed which we're not too worried about, however the scan did flag that something appears to be listening on port 454 and 455, and supports TLS1.0.
    RESULTS:
    Available non CBC cipher Server's choice SSL version
    RC4-SHA DES-CBC3-SHA TLSv1
    Does anyone know what this is? I can't find it obviously listed anywhere. If it's not necessary, can I switch it off? And if it is necessary, can I set it to require a more secure protocol?
    We're hosted in the "Australia East" datacentre, in case that's relevant.
    Crossposted to Stack Overflow here:
    http://stackoverflow.com/questions/27807505/whats-listening-on-port-454-and-455-in-azure-warning-flagged-by-security-scan

    Hello Michael,
    These ports are used for internal communication in Azure Websites infrastructure. They are not site specific and you cannot turn them off. It is safe to ignore them.
    Thanks,
    Petr

  • McAfee Security Scan Plus and Flash Player installer

    Hi.
    I went to update Flash Player earlier today by downloading the web installer from the website, but by mistake didn't uncheck the option to install McAfee Security Scan Plus with Flash. However, after comparing the two files that are downloaded when the option is/isn't unchecked, I noticed that the MD5/CRC hashes for both files are exactly the same. I opened the file, and noticed that the installer was downloading both Security Scan Plus and Flash. I canceled the installation which was fine, but I have several questions.
    How does the installer know if the user wants to install Security Scan if both files are the same?
    Is Security Scan installed as soon as the download is complete (as shown in the installer), or only after Flash finisheds downloading as well?
    Thanks.

    Bundling other software in the installer is a sign of a DYING company. Now I have to do more work and uninstall this stuff. Yeah, you got me. "Angry" is not strong enough. -Foffu.

  • ACE connection limit and remote TCP security scans

    We are currently running remote TCP security scans on our networks and are running into a major problem where when the scans are taking place the ACE connection resource usage sky rockets and easily reaches the maximum 4 million connections.  This means that anyone can run a simple TCP scan and take down our ACE by maxing the connection limit.  We have the following parameter-map applied to all of our policies but it does not help to clear the connection count on the ACE in a reasonable amount of time.  parameter-map type connection CONNECTION_TIMEOUT   set timeout inactivity 300   set tcp timeout half-closed 60  I should note that we do have normalization turned off because it causes way more problems then it's worth (no resolution with TAC).  Does anyone have an tips on how to accommodate security scan's on networks behind the ACE while not saturating the connection count limit?

    For vips, this particular context only has one class C applied to a class-map.  Not all IP's are in use but regardless the ACE creates connections for those as well.  I've set the timeout inactivity to 120 seconds and I still see connections from the remote scanning host idling well over 45mins for connections destined to the vip's.  Is turning on normalization my only option?  I know there are others who have turned off normalization due to performance and connectivity issues so there must be other ways around this.  Thanks for your help.

  • When I downloaded Firefox for windows, the security scan wouldnt allow it. I operate on windows 7 and was downloading mozzila firefox8

    When I downloaded Firefox for windows, the security scan wouldnt allow it. I operate on windows 7 and was downloading mozzila firefox8

    Hi annarepublic78,
    As per the above mentioned error, your Win CS6 download was not complete, either it was in process or was interrupted. This is the only reason you see the MasterCollection_CS6_LS16.7z.crdownload. Here .crdownload means the download is in process.
    Please try to download it again on the Desktop and please make sure that the download completes successfully(without the .crdownload extension).
    Regards,
    Romit SInha

  • SA540 FAILS PCIDSS security scan

    Hi
    We have recently installed an SA540 to replace an aging PIX firewall. The new firewall has failed a routine security scan for5 PCIDSS compliance. The problem appears to realate to the HTTPS service on the firewall which we need for SSL VPNs and remote management.
    The reasons provided are:-
    1. The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years .
    2. The remote service supports the use of weak SSL ciphers
    3. The remote service supports the use of medium strength SSL ciphers
    4. The remote service supports the use of anonymous SSL ciphers – presumably this can be fixed by purchasing an SSL certificate
    Can you disable SSL2.0 and the weaker ciphers?

    Hi Keith,
    Can you please let us know what firmware version on SA500 you are using?
    Thanks,
    Nitin

  • Server 2008R2 - SSL Certificate Weak Public Key Strength

    Hello -
    I'm using a Windows 2008R2 server and am working on locking the system down. We use the BeyondTrust Retina Network Security Scanner, the scanner returns two results that I'm having trouble solving.
    The first is finding is:
    'SSL Certificate Weak Public Key Strength'
    "Retina has detected that the certificate on the target supports a  cryptographically weak public key strength. An attacker may be able to leverage weaknesses in the public key strength to gain access to sensitive information."
    "Replace the current certificate with one using a high-grade public key strength of 2048 bits of higher"
    **Does anyone have any ideas how to find all the certificates loaded on the machine that aren't at 2048 bits or higher, the system is a standalone machine without internet access**
    The second finding is:
    'SSL Certificate Self-Signed'
    "Retina has detected that the certificate on target is self-signed. Self-signed certificates can provide underlying cryptographic functionality, but cannot guarantee the origin of the certificate is trusted."
    "Verify the certificate is trusted to ensure the confidentiality and integrity of prior encrypted communications. Replace the current self-signed certificate with one signed by a trusted root certificate authority."
    **Anyone have any ideas how to find 'self-signed' certificates? I've tried searching through the certificates store on the local computer, but I can't seem to find a self-issued certificate, but Retina sure found some.**
    Any help would be greatly appreciated!!
    Thanks,
    Ryan

    A self signed certificate is a certificate which Subject attribute equals Issuer attribute. You can use below script to find selfsigned certificates which is selfsigned and public key is less than 2048 bits.
    Be aware that if you search in all possible certificate stores (including Trusted Root CA store) you will find a lot of self signed certificates. Please see my notes in powershell code.
    #Find self-signed certificate which keysize less than 2048. Uncomment one of the lines below
    #$myCerts = Get-Item Cert:\CurrentUser\My #search in Current User Store - Personal - this is the place to look in
    #$myCerts = Get-Item Cert:\LocalMachine\My #search in Local Machine Store - Personal - this is the place to look in
    #$myCerts = Get-Item Cert:\CurrentUser\* #search in Current User Store - this will bring a lot of cert list
    #$myCerts = Get-Item Cert:\LocalMachine\* #search in Local Machine Store - this will bring a lot of cert list
    $myCerts.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $myCertsList = Get-ChildItem $myCerts.PSPath
    $myCertsList | where {$_.Subject -like $_.Issuer -and $_.PublicKey.Key.KeySize -lt 2048} | select * #self-signed and less then 2048
    $myCerts.Close()
    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

  • Encryption Vulnerability Security SCAN DS

    I created DS instances. While running security scan for Encryption Vulnerability I found out that following ports are supporting weak SSL.
    port 636/tcp over SSL
    port 11163/tcp over SSL
    port 32772/tcp over SSL
    port 3999/tcp over SSL
    port 1636/tcp over SSL
    How to Disable ciphers which support cleartext communication. Or what is fix for this.
    Thanks
    Pramod

    Thanks Fede.
    I looked my dse.ldif file.
    It lloks like this ....
    dn: cn=encryption,cn=config
    objectClass: top
    objectClass: nsEncryptionConfig
    cn: encryption
    nsSSLSessionTimeout: 0
    nsSSLClientAuth: allowed
    nsSSLServerAuth: cert
    nsSSL2: off
    nsSSL3: on
    nsSSL3Ciphers: all
    nsKeyfile: alias/slapd-key3.db
    nsCertfile: alias/slapd-cert8.db
    numSubordinates: 1
    nsSSL2 is already off.
    Thanks
    Pramod

Maybe you are looking for

  • ERP6 upgrade, PREPARE error

    Hello! Have anyone seen this PREPARE error message before? During phase RUN_RSPTBFIL_PREP,  error message "2EETG011 Kein Upgrade aktiv". I can't find any SAP note about this specific problem. The source system is 4.6B, the target will be a non-unicod

  • Need to do a clean reinstall, but need to keep applications and documents

    I know that to do a clean reinstall of 10.6 you must first erase the hard drive using Disk Utility. I want the reinstall to be clear of all old settings, except that I need to carry over my applications and documents. Could I use Migration Assistant

  • Java.lang.NullPointerException  error in ESS Leave Request

    Hi,    I had configured ESS and i'am trying to apply Leave through Leave Request iview which is available through ESS,i had enterd data into the fields and i had defined Approver in back end system,Now when i click on review button it is throwing me

  • IE9 continuously ask to install Flashplayer

    Hello, whilst accessing some website (a.o. Yahoo.de) IE asks to install Flashpayer again and again. I have de-installed Flashplayer using the uninstaller from Adobe and re-installed. I am going crazy..... Windows 7 64 bit IE9 32 bit Flash version 11.

  • NEED URGENT HELP ON MY CAT-2950

    This machine is giving me hard time. It does not load an image at boot up. All it does is get me into ROMMON. I have tried to download a new image from a tftp server but everything is not working out. I have tried to set environment variables like IP


HashFlare