Generating a Unique DH (Diffie-Hellman) Group

Due to a recent D(iffie)H(ellman) attack possibility called LogJam on lower paramter lengths like 512 bit and maybe, in short future, 768 bit, here the command to create a real strong parameter of 4096 bit:

openssl dhparam -out dhparams.pem 4096

 

Please be aware that this key creation can take up to 20 minutes and evern longer depending on your CPU.

Most software (apache, postfix, sendmail, dovecot etc) have config parameters where you can set the Diffie-Hellman group file. The DH algorithm is used to create secure keys when using connections over SSL/TLS.

More information about configuring different servers can be found here.

SFTP with ProFTPd on CentOS 6

OpenSSH is not the only one capable of doing file transfers over a secure line called SFTP (ShellFTP/SecureFTP/SSHFTP). ProFTPd can also do it using mod_sftp and the support has been added on version 1.3.3. Why choose SFTP over FTPS? Simple, SFTP transfers all data over 1 single port!!! This means you do not have to fiddle around with needed passive ports on your firewall setup.

Now here’s to install and run a separate SFTP server:

1. Download and install the EPEL repo (EPEL)

2. Install proftpd with:

yum install proftpd

3. Then edit your proftpd config file and add following content somewhere in the config file (somewhere at the end i suppose should be best):

LoadModule mod_sftp.c
<IfModule mod_sftp.c>
        SFTPEngine On
        SFTPHostKey /etc/ssh/ssh_host_rsa_key
        SFTPLog /var/log/proftpd/sftp.log
        SFTPOptions     IgnoreSFTPUploadPerms
        SFTPClientMatch ".*" channelWindowSize 256MB
SFTPCompression delayed </IfModule>

3b. (Optional) Should you want to allow login for users with invalid shells (e.g. /bin/false or /sbin/nologin), do the following:

RequireValidShell   off
# AuthOrder        mod_auth_pam.c* mod_auth_unix.c

4. start the proftpd server

service proftpd start

For more infos about the sftp module visit the manual page