根据可接受的密码列表,检查 vRealize Automation 设备 RabbitMQ 服务密码,并禁用所有弱密码。

关于此任务

禁用不提供身份验证的密码套件,如 NULL 密码套件、aNULL 或 eNULL。此外,禁用匿名 Diffie-Hellman 密钥交换 (ADH)、导出级别密码(EXP,包含 DES 的密码)、IDEA 密码套件和 RC4 密码套件,并禁止使用小于 128 位的密钥大小加密负载流量或将 MD5 用作负载流量的哈希机制。

过程

  1. 评估受支持的密码套件,方法是运行 # /usr/sbin/rabbitmqctl eval 'ssl:cipher_suites().' 命令。

    下述示例中返回的密码仅表示受支持的密码。RabbitMQ 服务器不使用或通告这些密码,除非在 rabbitmq.config 文件中配置为执行此操作。

    ["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
     "ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384",
     "ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384",
     "ECDH-ECDSA-AES256-SHA384","ECDH-RSA-AES256-SHA384",
     "DHE-RSA-AES256-GCM-SHA384","DHE-DSS-AES256-GCM-SHA384",
     "DHE-RSA-AES256-SHA256","DHE-DSS-AES256-SHA256","AES256-GCM-SHA384",
     "AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
     "ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256",
     "ECDHE-RSA-AES128-SHA256","ECDH-ECDSA-AES128-GCM-SHA256",
     "ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
     "ECDH-RSA-AES128-SHA256","DHE-RSA-AES128-GCM-SHA256",
     "DHE-DSS-AES128-GCM-SHA256","DHE-RSA-AES128-SHA256","DHE-DSS-AES128-SHA256",
     "AES128-GCM-SHA256","AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
     "ECDHE-RSA-AES256-SHA","DHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
     "ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA","AES256-SHA",
     "ECDHE-ECDSA-DES-CBC3-SHA","ECDHE-RSA-DES-CBC3-SHA","EDH-RSA-DES-CBC3-SHA",
     "EDH-DSS-DES-CBC3-SHA","ECDH-ECDSA-DES-CBC3-SHA","ECDH-RSA-DES-CBC3-SHA",
     "DES-CBC3-SHA","ECDHE-ECDSA-AES128-SHA","ECDHE-RSA-AES128-SHA",
     "DHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA",
     "ECDH-RSA-AES128-SHA","AES128-SHA"]
    
  2. 选择满足您组织安全要求的受支持密码。

    例如,要仅允许 ECDHE-ECDSA-AES128-GCM-SHA256 & ECDHE-ECDSA-AES256-GCM-SHA384,请检查 /etc/rabbitmq/rabbitmq.config 文件并将以下行添加到 ssl 和 ssl_options。

    {ciphers, [“ECDHE-ECDSA-AES128-GCM-SHA256”, “ECDHE-ECDSA-AES256-GCM-SHA384”]}

  3. 使用以下命令重新启动 RabbitMQ 服务器。

    service rabbitmq-server restart