<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>nginx &#8211; Luxing Huang</title>
	<atom:link href="https://luxing.im/tag/nginx/feed/" rel="self" type="application/rss+xml" />
	<link>https://luxing.im</link>
	<description>Thoughs and things</description>
	<lastBuildDate>Tue, 02 Jun 2015 16:48:56 +0000</lastBuildDate>
	<language>en-CA</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.7.2</generator>
<site xmlns="com-wordpress:feed-additions:1">58771605</site>	<item>
		<title>SSL Setup</title>
		<link>https://luxing.im/ssl-setup/</link>
					<comments>https://luxing.im/ssl-setup/#respond</comments>
		
		<dc:creator><![CDATA[Luxing Huang]]></dc:creator>
		<pubDate>Mon, 28 Jul 2014 18:14:19 +0000</pubDate>
				<category><![CDATA[Learning Notes]]></category>
		<category><![CDATA[nginx]]></category>
		<category><![CDATA[setup]]></category>
		<category><![CDATA[ssl]]></category>
		<guid isPermaLink="false">http://blog.luxing.im/?p=404</guid>

					<description><![CDATA[This is a personal technical note on SSL certificate setup, aimed at a better score at SSL Labs and therefore better Internet security for ourselves. I use the built-in script provided by RHEL/CentOS to generate a private key. The location is under /etc/ssl/cert; typing make site.key will generate a private key. &#8230;]]></description>
										<content:encoded><![CDATA[<p>This is a personal technical note on SSL certificate setup, aimed at a better score at <a href="https://www.ssllabs.com" target="_blank">SSL Labs</a> and therefore better Internet security for ourselves.</p>
<p>I use the built-in script provided by RHEL/CentOS to generate a private key. It lives under <em>/etc/ssl/cert</em>; change into that directory and type</p>
<pre>make site.key</pre>
<p>This generates a private key. The command the script actually runs is:</p>
<pre>openssl genrsa -aes128 2048 &gt; site.key</pre>
<p>You can adjust the key size for your own needs, but at least 2048 bits is needed for a reasonably secure certificate.</p>
<p>Then we make its CSR by typing:</p>
<pre>make site.csr</pre>
<p>The actual command is:</p>
<pre>openssl req -new -key site.key -out site.csr -aes256</pre>
<p>The name <strong>site</strong> must be the same as the key name for the script to work. You can now copy and paste the CSR to whichever trusted SSL certificate provider you want to sign it. It doesn&#8217;t matter who signs it as long as you and your users trust it; I used <a href="https://www.CACert.org" target="_blank">CACert.org</a>.</p>
<p>Before we do anything else, we need to generate our own DH parameters instead of using the default ones. Let&#8217;s cd into /etc/nginx/ssl (or whatever you prefer) and run the following command:</p>
<pre>openssl dhparam -out dhparams.pem 2048</pre>
<p>This gives us custom DH parameters for a stronger DH key exchange; the configuration below refers to them.</p>
<p>Next, we need to set up a website that runs on SSL. Choosing the ciphers is the most important part: it is what stops most attackers from decrypting your server&#8217;s communication. The httpd software I chose is nginx; I like its versatility and efficiency.</p>
<p>Inside the server block, we must have the following lines:</p>
<pre>
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;

ssl_dhparam /etc/nginx/ssl/dhparams.pem;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; # includeSubDomains is only needed when the whole site, subdomains included, is served over HTTPS. You may or may not need it.

# The following settings only work with CA-signed certs, not self-signed certs.
ssl_stapling on;
resolver 8.8.8.8;
ssl_trusted_certificate /etc/nginx/ssl/root.crt; # Your CA root cert.
</pre>
<p>The main purpose of the <em>ssl_protocols</em> line is to stop accepting requests over insecure protocols such as SSLv2. The <em>ssl_ciphers</em> line restricts the ciphers we will use and drops some insecure ones such as MD5 and RC4. If we add RC4 back to the list, we eliminate the chance of a BEAST attack but become vulnerable to attacks on RC4. By removing RC4, some older browsers will no longer be able to visit the website, and a BEAST attack becomes possible. The trend is that attacks on RC4 will get more sophisticated while the chance of a BEAST attack gets smaller, so I&#8217;d recommend removing RC4 from the list.</p>
<p>The <em>ssl_session_cache</em> and <em>ssl_session_timeout</em> lines enable SSL session reuse, which improves performance. The <em>ssl_stapling</em>, <em>resolver</em> and <em>ssl_trusted_certificate</em> lines are related to OCSP stapling: they let the server fetch the OCSP status, which tells clients whether the certificate has been revoked. The root.crt is the Class 1 PKI key of your CA.</p>
<p>Go to SSL Labs for a test; you might get an A+ if your signing authority is trusted!</p>
<p>Read more:<br />
<a href="http://crypto.stackexchange.com/questions/8933/how-can-i-use-ssl-tls-with-perfect-forward-secrecy" target="_blank">http://crypto.stackexchange.com/questions/8933/how-can-i-use-ssl-tls-with-perfect-forward-secrecy</a><br />
<a href="https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy" target="_blank">https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy</a><br />
<a href="http://googleonlinesecurity.blogspot.co.uk/2014/08/https-as-ranking-signal_6.html" target="_blank">http://googleonlinesecurity.blogspot.co.uk/2014/08/https-as-ranking-signal_6.html</a><br />
<a href="https://istlsfastyet.com/?utm_source=wmx_blog&#038;utm_medium=referral&#038;utm_campaign=tls_en_post" target="_blank">https://istlsfastyet.com/?utm_source=wmx_blog&#038;utm_medium=referral&#038;utm_campaign=tls_en_post</a><br />
<a href="http://chimera.labs.oreilly.com/books/1230000000545/ch04.html#TLS_RECORD_SIZE" target="_blank">http://chimera.labs.oreilly.com/books/1230000000545/ch04.html#TLS_RECORD_SIZE</a><br />
<a href="https://gist.github.com/plentz/6737338" target="_blank">https://gist.github.com/plentz/6737338</a><br />
<a href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate" target="_blank">http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate</a><br />
<a href="http://nginx.com/blog/nginx-poodle-ssl/" target="_blank">http://nginx.com/blog/nginx-poodle-ssl/</a><br />
<a href="https://weakdh.org/sysadmin.html" target="_blank">https://weakdh.org/sysadmin.html</a></p>
<p>Changelog:<br />
2014.08.13 &#8211; Added 3DES back to the cipher suites for Windows XP compatibility.<br />
2014.10.17 &#8211; SSLv3 support removed (POODLE). Strict Transport Security added.<br />
2015.03.03 &#8211; RC4 removed and banned.<br />
2015.06.02 &#8211; Updated DH strength</p>
]]></content:encoded>
					
					<wfw:commentRss>https://luxing.im/ssl-setup/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">404</post-id>	</item>
		<item>
		<title>Some rules on website security</title>
		<link>https://luxing.im/some-rules-on-website-security/</link>
					<comments>https://luxing.im/some-rules-on-website-security/#respond</comments>
		
		<dc:creator><![CDATA[root]]></dc:creator>
		<pubDate>Thu, 27 Mar 2014 22:15:38 +0000</pubDate>
				<category><![CDATA[Techie Stuff]]></category>
		<category><![CDATA[block]]></category>
		<category><![CDATA[nginx]]></category>
		<category><![CDATA[rewrite]]></category>
		<category><![CDATA[rules]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[website]]></category>
		<category><![CDATA[wordpress]]></category>
		<guid isPermaLink="false">http://blog.luxing.im/?p=326</guid>

					<description><![CDATA[The following configs are obtained from iThemes Security, a WordPress plugin. I believe this is a suitable configuration for nearly all websites. Nginx has become more and more widely used in recent years, so the filter rules will be based on nginx settings. The following rules are derived from HackRepair.com, generated by iThemes Security: if ($http_user_agent &#8230;]]></description>
										<content:encoded><![CDATA[<p>The following configs are obtained from iThemes Security, a WordPress plugin. I believe this is a suitable configuration for nearly all websites.</p>
<p>Nginx has become more and more widely used in recent years, so the filter rules will be based on nginx settings.</p>
<p>The following rules are derived from <a href="http://hackrepair.com/how-to-block-bots-from-seeing-your-website-bad-bots-and-drive-by-hacks-explained" target="_blank">HackRepair.com</a>, generated by iThemes Security:</p>
<pre>
if ($http_user_agent ~* "^[Ww]eb[Bb]andit"){ return 403; }
if ($http_user_agent ~* "^binlar"){ return 403; }
if ($http_user_agent ~* "^BlackWidow"){ return 403; }
if ($http_user_agent ~ "^Bolt"){ return 403; }
if ($http_user_agent ~* "^casper"){ return 403; }
if ($http_user_agent ~* "^ChinaClaw"){ return 403; }
if ($http_user_agent ~* "^cmsworldmap"){ return 403; }
if ($http_user_agent ~* "^comodo"){ return 403; }
if ($http_user_agent ~* "^Custo"){ return 403; }
if ($http_user_agent ~ "^Default"){ return 403; }
if ($http_user_agent ~* "^diavol"){ return 403; }
if ($http_user_agent ~* "^DIIbot"){ return 403; }
if ($http_user_agent ~* "^DISCo"){ return 403; }
if ($http_user_agent ~* "^dotbot"){ return 403; }
if ($http_user_agent ~* "^eCatch"){ return 403; }
if ($http_user_agent ~* "^EirGrabber"){ return 403; }
if ($http_user_agent ~* "^EmailCollector"){ return 403; }
if ($http_user_agent ~* "^EmailSiphon"){ return 403; }
if ($http_user_agent ~* "^EmailWolf"){ return 403; }
if ($http_user_agent ~* "^ExtractorPro"){ return 403; }
if ($http_user_agent ~* "^EyeNetIE"){ return 403; }
if ($http_user_agent ~* "^feedfinder"){ return 403; }
if ($http_user_agent ~* "^FlashGet"){ return 403; }
if ($http_user_agent ~* "^flicky"){ return 403; }
if ($http_user_agent ~* "^GetRight"){ return 403; }
if ($http_user_agent ~* "^GetWeb!"){ return 403; }
if ($http_user_agent ~* "^Go-Ahead-Got-It"){ return 403; }
if ($http_user_agent ~* "^Go!Zilla"){ return 403; }
if ($http_user_agent ~* "^GrabNet"){ return 403; }
if ($http_user_agent ~* "^Grafula"){ return 403; }
if ($http_user_agent ~* "^HMView"){ return 403; }
if ($http_user_agent ~* "^ia_archiver"){ return 403; }
if ($http_user_agent ~* "^InterGET"){ return 403; }
if ($http_user_agent ~* "^InternetSeer.com"){ return 403; }
if ($http_user_agent ~* "^jakarta"){ return 403; }
if ($http_user_agent ~* "^Java"){ return 403; }
if ($http_user_agent ~* "^JetCar"){ return 403; }
if ($http_user_agent ~* "^kmccrew"){ return 403; }
if ($http_user_agent ~* "^larbin"){ return 403; }
if ($http_user_agent ~* "^LeechFTP"){ return 403; }
if ($http_user_agent ~* "^Link"){ return 403; }
if ($http_user_agent ~* "^Maxthon$"){ return 403; }
if ($http_user_agent ~* "^microsoft.url"){ return 403; }
if ($http_user_agent ~* "^Mozilla.*Indy"){ return 403; }
if ($http_user_agent ~* "^Mozilla.*NEWT"){ return 403; }
if ($http_user_agent ~* "^MSFrontPage"){ return 403; }
if ($http_user_agent ~* "^Navroad"){ return 403; }
if ($http_user_agent ~* "^NearSite"){ return 403; }
if ($http_user_agent ~* "^NetAnts"){ return 403; }
if ($http_user_agent ~* "^NetSpider"){ return 403; }
if ($http_user_agent ~* "^NetZIP"){ return 403; }
if ($http_user_agent ~* "^nutch"){ return 403; }
if ($http_user_agent ~* "^Octopus"){ return 403; }
if ($http_user_agent ~* "^PageGrabber"){ return 403; }
if ($http_user_agent ~* "^pavuk"){ return 403; }
if ($http_user_agent ~* "^pcBrowser"){ return 403; }
if ($http_user_agent ~* "^PeoplePal"){ return 403; }
if ($http_user_agent ~* "^planetwork"){ return 403; }
if ($http_user_agent ~* "^psbot"){ return 403; }
if ($http_user_agent ~* "^purebot"){ return 403; }
if ($http_user_agent ~* "^pycurl"){ return 403; }
if ($http_user_agent ~* "^RealDownload"){ return 403; }
if ($http_user_agent ~* "^ReGet"){ return 403; }
if ($http_user_agent ~* "^Rippers"){ return 403; }
if ($http_user_agent ~* "^SeaMonkey$"){ return 403; }
if ($http_user_agent ~* "^sitecheck.internetseer.com"){ return 403; }
if ($http_user_agent ~* "^SiteSnagger"){ return 403; }
if ($http_user_agent ~* "^skygrid"){ return 403; }
if ($http_user_agent ~* "^SmartDownload"){ return 403; }
if ($http_user_agent ~* "^sucker"){ return 403; }
if ($http_user_agent ~* "^SuperBot"){ return 403; }
if ($http_user_agent ~* "^SuperHTTP"){ return 403; }
if ($http_user_agent ~* "^Surfbot"){ return 403; }
if ($http_user_agent ~* "^tAkeOut"){ return 403; }
if ($http_user_agent ~* "^Teleport"){ return 403; }
if ($http_user_agent ~* "^Toata"){ return 403; }
if ($http_user_agent ~* "^turnit"){ return 403; }
if ($http_user_agent ~* "^vikspider"){ return 403; }
if ($http_user_agent ~* "^VoidEYE"){ return 403; }
if ($http_user_agent ~* "^WebAuto"){ return 403; }
if ($http_user_agent ~* "^WebCopier"){ return 403; }
if ($http_user_agent ~* "^WebFetch"){ return 403; }
if ($http_user_agent ~* "^WebLeacher"){ return 403; }
if ($http_user_agent ~* "^WebReaper"){ return 403; }
if ($http_user_agent ~* "^WebSauger"){ return 403; }
if ($http_user_agent ~* "^WebStripper"){ return 403; }
if ($http_user_agent ~* "^WebWhacker"){ return 403; }
if ($http_user_agent ~* "^WebZIP"){ return 403; }
if ($http_user_agent ~* "^Wget"){ return 403; }
if ($http_user_agent ~* "^Widow"){ return 403; }
if ($http_user_agent ~* "^WWW-Mechanize"){ return 403; }
if ($http_user_agent ~* "^WWWOFFLE"){ return 403; }
if ($http_user_agent ~* "^Zeus"){ return 403; }
if ($http_user_agent ~* "^zmeu"){ return 403; }
if ($http_user_agent ~* "CazoodleBot"){ return 403; }
if ($http_user_agent ~* "discobot"){ return 403; }
if ($http_user_agent ~* "ecxi"){ return 403; }
if ($http_user_agent ~* "GT::WWW"){ return 403; }
if ($http_user_agent ~* "heritrix"){ return 403; }
if ($http_user_agent ~* "HTTP::Lite"){ return 403; }
if ($http_user_agent ~* "HTTrack"){ return 403; }
if ($http_user_agent ~* "ia_archiver"){ return 403; }
if ($http_user_agent ~* "id-search"){ return 403; }
if ($http_user_agent ~* "id-search.org"){ return 403; }
if ($http_user_agent ~* "IDBot"){ return 403; }
if ($http_user_agent ~* "IRLbot"){ return 403; }
if ($http_user_agent ~* "LinksManager.com_bot"){ return 403; }
if ($http_user_agent ~* "linkwalker"){ return 403; }
if ($http_user_agent ~* "lwp-trivial"){ return 403; }
if ($http_user_agent ~* "MFC_Tear_Sample"){ return 403; }
if ($http_user_agent ~* "panscient.com"){ return 403; }
if ($http_user_agent ~* "PECL::HTTP"){ return 403; }
if ($http_user_agent ~* "PHPCrawl"){ return 403; }
if ($http_user_agent ~* "PleaseCrawl"){ return 403; }
if ($http_user_agent ~* "SBIder"){ return 403; }
if ($http_user_agent ~* "Snoopy"){ return 403; }
if ($http_user_agent ~* "Steeler"){ return 403; }
if ($http_user_agent ~* "URI::Fetch"){ return 403; }
if ($http_user_agent ~* "urllib"){ return 403; }
if ($http_user_agent ~* "User-Agent"){ return 403; }
if ($http_user_agent ~* "webalta"){ return 403; }
if ($http_user_agent ~* "WebCollage"){ return 403; }
if ($http_user_agent ~* "zermelo"){ return 403; }
if ($http_user_agent ~* "ZyBorg"){ return 403; }
</pre>
<p>I didn&#8217;t use all of those; some might be genuine browser user agents, like Maxthon.</p>
<p>The following rules block WordPress-specific locations and files. For other web programmes you can change the directories to whatever suits you.</p>
<pre>
# Rules to block access to WordPress specific files and wp-includes
# Regex locations need the ~ (or ~*) modifier; a bare pattern is read as a literal prefix.
# Put these before the location that passes *.php to PHP: nginx uses the first
# regex location that matches, in the order they appear.
location ~ /\.ht { deny all; }
location ~ wp-config\.php { deny all; }
location ~ readme\.html { deny all; }
location ~ readme\.txt { deny all; }
location ~ /install\.php { deny all; }
location ~ ^/wp-includes/(.*)\.php$ { deny all; }
location ~ ^/wp-admin/includes(.*)$ { deny all; }
</pre>
<p>Block execution of user-uploaded .php files:</p>
<pre>
# Rules to prevent php execution in uploads
location ~* ^(.*)/uploads/(.*)\.php(.?)$ { deny all; }
</pre>
<p>Block suspicious URLs:</p>
<pre>
# Rules to block suspicious URIs
set $susquery 0;
if ($args ~* "\.\./") { set $susquery 1; }
if ($args ~* "\.(bash|git|hg|log|svn|swp|cvs)") { set $susquery 1; }
if ($args ~* "etc/passwd") { set $susquery 1; }
if ($args ~* "boot.ini") { set $susquery 1; }
if ($args ~* "ftp:") { set $susquery 1; }
if ($args ~* "http:") { set $susquery 1; }
if ($args ~* "https:") { set $susquery 1; }
if ($args ~* "(<|%3C).*script.*(>|%3E)") { set $susquery 1; }
if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $susquery 1; }
if ($args ~* "base64_encode") { set $susquery 1; }
if ($args ~* "(%24&x)") { set $susquery 1; }
if ($args ~* "(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;|%24&x)"){ set $susquery 1; }
if ($args ~* "(127.0)") { set $susquery 1; }
if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; }
# Note: this rule may cause some problems, such as breaking WordPress plugin/theme updates
# (.../update.php?action=update-selected...), because those query strings contain "select".
if ($args ~* "(request|select|insert|concat|union|declare)") { set $susquery 1; } 
if ($susquery = 1) { return 403; }
</pre>
<p>Rules to help reduce spam:</p>
<pre>
location /wp-comments-post.php {
# Referers we accept for comment submissions; anything else sets $invalid_referer.
valid_referers jetpack.wordpress.com/jetpack-comment/ *.luxing.im;
# Each matching condition prepends a digit, so all three together yield "3210".
set $rule_0 0;
if ($request_method ~ "POST"){ set $rule_0 1$rule_0; }
if ($invalid_referer) { set $rule_0 2$rule_0; }
if ($http_user_agent ~ "^$"){ set $rule_0 3$rule_0; }
# Reject only when it is a POST with an invalid referer AND an empty user agent.
if ($rule_0 = "3210") { return 403; }
}
</pre>
]]></content:encoded>
					
					<wfw:commentRss>https://luxing.im/some-rules-on-website-security/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">326</post-id>	</item>
	</channel>
</rss>
