
GMS 2.1 - How to disable the web banner for CherryPy WSGI

Hi,

We are running GMS 2.1 on a SLES 10 SP1.
A security check performed by HP told us to harden several web servers.

For our GMS they told us to disable the web banner (1.) and that it is not recommended to use RC4 ciphers (2.) on the encrypted service.

Recommendation:

1. Web servers that are exposed to users should not reveal their exact type and version number as this will help an attacker refine the attack. Banners should be changed to reveal little, no or bogus information.
2. It is recommended that the use of RC4 ciphers is disabled on the encrypted service.


Unfortunately I'm not familiar with CherryPy and I could not find any help until now.

1. I've tried to change the "_cprequest.py" and restarted the server but my changes took no effect.
2. I couldn't find these settings anywhere. Under Apache I had to change it in "vhost-ssl.conf" but with CherryPy I cannot find any corresponding settings.

I hope somebody can advise me on what I have to change so that I can harden the server.

Best regards,

Rouven
Knowledge Partner

Re: GMS 2.1 - How to disable the web banner for CherryPy WSGI

In article <rmoeller.6umdfz@no-mx.forums.novell.com>, Rmoeller wrote:
> we are running *GMS 2.1 on a SLES 10 SP1.*


That's a rather old version of SLES, especially given the requirement of
GMS 2.1 being
SUSE Linux Enterprise Server (SLES) 11 (64-bit), plus Service Pack 3

Just getting GMS onto that supported host version will get you a step
in the correct direction.
It had been my understanding that GMS 2.1 was supposed to roll those
security updates in, so I have some digging to do to find out more.
I have a GMS to upgrade to 2.1 (on a SLES 11.3 vm) this weekend so I'll
have more later.

One way you can test it yourself, if you are using the standard port 443,
is to point the following tools at your GMS:
https://www.ssllabs.com/ssltest/
https://sslanalyzer.comodoca.com/
I like to 'print out' (to PDF) the results so that I can compare to any
changes I make. Yes the 2.01 ones look ugly on the box I've started
dealing with.



Andy of
http://KonecnyConsulting.ca in Toronto
Micro Focus Expert

Re: GMS 2.1 - How to disable the web banner for CherryPy WSG

Hi Rouven,

Here is a TID on how to disable RC4 ciphers on GMS: https://www.novell.com/support/kb/doc.php?id=7016396

Note: I have reported the typo in the heading of this document.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
Knowledge Partner

Re: GMS 2.1 - How to disable the web banner for CherryPy WSGI

In article <laurabuckley.6vp5qo@no-mx.forums.microfocus.com>,
Laurabuckley wrote:
> Here is a TID on how to disable RC4 ciphers on GMS:
> https://www.novell.com/support/kb/doc.php?id=7016396


And they didn't work for me as written. I added those lines to the
end, but then GMS fails to load. So make sure you keep a backup copy
of this file before trying. I suspect it is a positioning thing and
will test that logic at a quieter time.
I have reported this as well asking about the lack of any cyphers being
listed within those lines.


Andy of
http://KonecnyConsulting.ca in Toronto
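
An added example, not part of any post in this thread and not Novell or Micro Focus code: a small Python check for the two findings in the original post, meant to be run on a saved response head (for instance from `curl -I`) and on the cipher suite names listed in a scanner report, before and after a configuration change. The sample banner, version number and suite lists are constructed for illustration.

```python
import re

# RFC 7231 "product" token: name, optionally followed by "/version".
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_PRODUCT = re.compile(r"(%s)(?:/(%s))?" % (_TOKEN, _TOKEN))
_RC4 = re.compile(r"(^|[-_])(RC4|ARCFOUR)([-_]|$)", re.IGNORECASE)
BANNER_HEADERS = ("server", "x-powered-by")


def parse_head(raw):
    """Parse a raw HTTP response head into [(lowercased name, value), ...]."""
    headers = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line:            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def banner_findings(headers):
    """Return (header, product, version) for every banner token that
    discloses a version number (recommendation 1 in the original post)."""
    findings = []
    for name, value in headers:
        if name in BANNER_HEADERS:
            for product, version in _PRODUCT.findall(value):
                if any(ch.isdigit() for ch in version):
                    findings.append((name, product, version))
    return findings


def rc4_suites(suite_names):
    """Return the RC4 suites in a list of IANA- or OpenSSL-style names
    (recommendation 2 in the original post)."""
    return [s for s in suite_names if _RC4.search(s)]


# Constructed sample data: not captured from a real GMS server.
BEFORE_HEAD = ("HTTP/1.1 200 OK\r\nServer: CherryPy/3.1.2 WSGI Server\r\n"
               "Content-Type: text/html\r\n\r\n")
AFTER_HEAD = "HTTP/1.1 200 OK\r\nServer: webserver\r\nContent-Type: text/html\r\n\r\n"
BEFORE_SUITES = ["TLS_RSA_WITH_RC4_128_SHA", "ECDHE-RSA-RC4-SHA", "AES128-SHA"]
AFTER_SUITES = ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"]

if __name__ == "__main__":
    print("banner before:", banner_findings(parse_head(BEFORE_HEAD)))
    print("banner after: ", banner_findings(parse_head(AFTER_HEAD)))
    print("RC4 before:", rc4_suites(BEFORE_SUITES), "after:", rc4_suites(AFTER_SUITES))
```

An empty list from both functions after the change means neither finding is still visible in the saved output.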