Chasing the perfect security score

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
brashquido
Normal user
Posts: 249
Joined: 2006-06-26 07:14
Location: Melbourne, Australia

Chasing the perfect security score

Post by brashquido » 2020-04-17 14:26

Hi All,

Have been trying to tidy up the security side of things on my server of late and have become perhaps a little too obsessed with getting the "perfect score" for PCI-DSS, HIPAA and NIST. I've managed an A+ score with PCI-DSS compliance, however am falling short for HIPAA and NIST;

https://www.immuniweb.com/ssl/?id=H7ao2L22

The following checks are still outstanding for full compliance;

HIPAA
- OCSP Stapling

NIST
- OCSP Stapling
- Extended Master Secret extension for TLS versions ≤ 1.2
- Key Share extension for TLS 1.3
- Supported Versions extension for TLS 1.3

Just wondering if anyone had managed to achieve full marks here, and if so if they'd be prepared to share what steps they took to achieve that? If it is just a matter of it can't be done, well I'm fine with that too knowing I've got it configured about as securely as I can. Thanks.
Dominic Ryan
astroroad.com.au

SorenR
Senior user
Posts: 3748
Joined: 2006-08-21 15:38
Location: Denmark

Re: Chasing the perfect security score

Post by SorenR » 2020-04-17 17:58

Failed on all accounts ... Probably due to my server banning all (12 servers) the immuniweb servers for being intrusive :mrgreen:
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke

brashquido
Normal user
Posts: 249
Joined: 2006-06-26 07:14
Location: Melbourne, Australia

Re: Chasing the perfect security score

Post by brashquido » 2020-04-18 05:20

Haha, yeah. I had to temporarily disable autoban while running the tests. Does that mean your servers are a level in security above PCI-DSS, HIPAA & NIST compliant if they can't be connected to, to prove they aren't compliant 🤪
Dominic Ryan
astroroad.com.au

jim.bus
Senior user
Posts: 455
Joined: 2011-05-28 11:49
Location: US

Re: Chasing the perfect security score

Post by jim.bus » 2020-04-18 05:29

I couldn't resist this comment.

I loved both yours and SorenR's comments on the security compliance checking software.

mattg
Moderator
Posts: 21040
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Chasing the perfect security score

Post by mattg » 2020-04-19 18:14

I got an A+ all round last time I did that test, but today get the same as you


Supported versions is draft - https://tools.ietf.org/id/draft-ietf-tls-tls13-23.html
Keyshare is draft - https://tools.ietf.org/html/draft-bzwu- ... eyshare-01
Extended Master Secret extension for TLS is a proposed standard - https://tools.ietf.org/html/rfc7627


It seems to me that NIST is jumping the gun
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

SorenR
Senior user
Posts: 3748
Joined: 2006-08-21 15:38
Location: Denmark

Re: Chasing the perfect security score

Post by SorenR » 2020-04-19 21:09

brashquido wrote:
2020-04-18 05:20
Haha, yeah. I had to temporarily disable autoban while running the tests. Does that mean your servers are a level in security above PCI-DSS, HIPAA & NIST compliant if they can't be connected to, to prove they aren't compliant 🤪
I designed my IDS system to ban the sender if no email is received after 4+ connects. The banning process is an autonomous process run every 60 seconds. Actually, I am thinking about reducing the time to 30 seconds.

The thing is... How secure is a system you can't probe?

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke

brashquido
Normal user
Posts: 249
Joined: 2006-06-26 07:14
Location: Melbourne, Australia

Re: Chasing the perfect security score

Post by brashquido » 2020-04-21 14:51

mattg wrote:
2020-04-19 18:14
I got an A+ all round last time I did that test, but today get the same as you


Supported versions is draft - https://tools.ietf.org/id/draft-ietf-tls-tls13-23.html
Keyshare is draft - https://tools.ietf.org/html/draft-bzwu- ... eyshare-01
Extended Master Secret extension for TLS is a proposed standard - https://tools.ietf.org/html/rfc7627

It seems to me that NIST is jumping the gun

Thanks Matt, it certainly would seem that way. I guess they are just wanting compliance for NIST to be a very exclusive club :? ? Guess that just leaves OCSP Stapling for HIPAA compliance. Did you ever achieve this?
SorenR wrote:
2020-04-19 21:09
I designed my IDS system to ban the sender if no email is received after 4+ connects. The banning process is an autonomous process run every 60 seconds. Actually, I am thinking about reducing the time to 30 seconds.

The thing is... How secure is a system you can't probe?

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.
Not a bad way to be. I actually got sick of the constant probing so as of a few days ago I started using an external MX service now which I use as a smart relay in hMail. Has meant I can tighten my config right up (at least compared to what it was) as I don't have to worry about supporting old, insecure ciphers and I imagine I'll even disable greylisting and tighten in SMTP access so only those servers specified in my MX records.
Dominic Ryan
astroroad.com.au

SorenR
Senior user
Posts: 3748
Joined: 2006-08-21 15:38
Location: Denmark

Re: Chasing the perfect security score

Post by SorenR » 2020-04-21 15:37

brashquido wrote:
2020-04-21 14:51
Not a bad way to be. I actually got sick of the constant probing so as of a few days ago I started using an external MX service now which I use as a smart relay in hMail. Has meant I can tighten my config right up (at least compared to what it was) as I don't have to worry about supporting old, insecure ciphers and I imagine I'll even disable greylisting and tighten in SMTP access so only those servers specified in my MX records.
Oh, then you are in for a treat... I had to come up with a few functions to maintain AutoBan and reject mails I don't want... Anyways, I killed the Backup-MX when I switched ISPs earlier this year.
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke

mattg
Moderator
Posts: 21040
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Chasing the perfect security score

Post by mattg » 2020-04-22 13:54

brashquido wrote:
2020-04-21 14:51
I guess they are just wanting compliance for NIST to be a very exclusive club :? ? Guess that just leaves OCSP Stapling for HIPAA compliance. Did you ever achieve this?
You have a green tile for HIPAA, so that is a pass for you

I get the same as you do

A+ with all green, except NIST
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

brashquido
Normal user
Posts: 249
Joined: 2006-06-26 07:14
Location: Melbourne, Australia

Re: Chasing the perfect security score

Post by brashquido » 2020-04-24 16:44

mattg wrote:
2020-04-22 13:54
You have a green tile for HIPAA, so that is a pass for you

I get the same as you do

A+ with all green, except NIST
It is a pass, but not compliance. I'd need the OCSP Stapling for compliance, such as this;

https://www.immuniweb.com/ssl/?id=2zC2VSPt

Not too fussed either way.
Dominic Ryan
astroroad.com.au

mattg
Moderator
Posts: 21040
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Chasing the perfect security score

Post by mattg » 2020-05-18 06:01

Just worked this out (NGINX)

Added --staple-ocsp to my certbot command
Added this to my NGINX config file

Code:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
Tested TWICE on https://www.immuniweb.com/ssl

Now I get A+
PCI DSS compliant
HIPAA compliant
NIST compliant
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
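A local way to confirm that the server really staples an OCSP response after the change above, instead of re-running the external scanner (which, as noted earlier in the thread, autoban may block). This is an added example, not code from the thread or from NGINX/hMailServer; it assumes `openssl` is installed, and the host/port arguments are placeholders you supply. The sample transcripts are constructed, abridged copies of what `openssl s_client -status` prints.

```shell
#!/bin/sh
# Added example (not from the thread): verify OCSP stapling from the command line.

# Reads an `openssl s_client -status` transcript on stdin and returns 0 only if
# the server sent a stapled OCSP response that is both well-formed and "good".
# A missing staple shows up as "OCSP response: no response sent".
stapling_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful' || return 1
    printf '%s\n' "$out" | grep -q 'Cert Status: good' || return 1
    return 0
}

# Live probe of a TLS endpoint. -servername matters: the staple is sent by the
# SNI-selected vhost, which must be the one carrying "ssl_stapling on".
# For an SMTP submission port you would add "-starttls smtp" to the command.
check_stapling() {
    host=$1
    port=${2:-443}
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
        -status 2>/dev/null | stapling_ok
}

# Constructed sample transcripts for offline use of stapling_ok.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'

SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent'
```

Run `check_stapling mail.example.com 443` against your own host; a silent exit status of 0 means the staple is present and good, 1 means the handshake carried no usable OCSP response.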
