#### howto

A few simple steps protect you against attacks on small, widely shared Diffie-Hellman groups: stop offering groups below 2048 bits, and generate your own primes instead of using the defaults every other server ships with. An attacker who invests in precomputation against one common 1024-bit group can break every key exchange that uses it, so both the size and the uniqueness of the group matter.

To protect ssh, edit /etc/ssh/moduli and comment out every line whose 5th field (Size) is less than 2047. The Size field is recorded as one less than the bit length, so 2047 is a 2048-bit group. Note that this file is only used by the diffie-hellman-group-exchange-* key exchange methods; the fixed 1024-bit group behind diffie-hellman-group1-sha1 is not in it and has to be disabled separately with the KexAlgorithms option in sshd_config.

---

# $OpenBSD: moduli,v 1.8 2012/08/29 05:06:54 dtucker Exp $
# Time Type Tests Tries Size Generator Modulus
#20120821044040 2 6 100 1023 5 D927...
…
#20120821044502 2 6 100 1535 5 D139...
…
20120821045639 2 6 100 2047 2 DD20...

---

To protect TLS for HTTPS, compute your own Diffie-Hellman primes like so:

---

[root@limsprd ~]# openssl dhparam -out foo 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...+..+..***...
[root@limsprd ~]# cat foo
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAnRcLNdZeit18uYSAtEeumAOKIlAvkH5XLVw3V+jbltAjH09RJa8i
n+8bZlLGO7Rg01Exlf3FqMyK5uJTE3FkkCD2Xmv/UR+YS2c4XjzBfxELVC1C8V0J
fvgge4plUX04gG1AN3uwsLp6DgC4Ee06hEuKG6Nh6YX5tHawmPwsRqPM7GRjD4Rc
GYUJCWxh6lKuf63rHUwBH8i44FrQtJHL4lbbqxqQM1K3c2R/g+EcPoTd2VLxlT8y
gbN2rKsSi6/VggOSZ9f8DHNJB5lpuZgd6k7VymCAvc+mtFWVpBvSOWxaT7Wo5wLe
ID3exEDZl/DTDuijs/Tc0zPtoyC7vOPxawIBAg==
-----END DH PARAMETERS-----

---

Then append the BEGIN/END DH PARAMETERS block above to your server's certificate file, immediately after its -----END CERTIFICATE----- line. Apache httpd mod_ssl (2.4.7 and later) reads DH parameters from the SSLCertificateFile; nginx does not read them from the certificate and instead takes the file through its ssl_dhparam directive. Before installing the file you can sanity-check it with openssl dhparam -in foo -check -noout, which reports whether the parameters check out, and openssl dhparam -in foo -text -noout, which shows the bit length.
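The two steps above are easy to get subtly wrong by hand (a missed line in moduli, or a dhparam file of the wrong size), so here is a small script that performs the moduli edit and the checks a practitioner would want to run afterwards. This is an added example, not code from the original page: the sample moduli file it writes is constructed and its modulus values are fake and shortened (sshd would not load it), the 2047 threshold follows the text, and the dhparam_bits helper assumes the "DH Parameters: (N bit)" line that openssl dhparam -text prints.

```shell
#!/bin/sh
# Added example, not from the original page: comment out every ssh moduli
# group whose Size field is below 2047, verify the result, and report the
# bit length of a generated dhparam file. The sample moduli file written by
# make_sample_moduli is constructed and truncated; it is not a real
# /etc/ssh/moduli and sshd would not load it as-is.
set -eu

MIN_SIZE=2047   # Size field is bit length minus one, so 2047 = 2048-bit group

# Write a constructed sample moduli file to $1 (fake, shortened modulus values).
make_sample_moduli() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20120821044040 2 6 100 1023 5 D927DEADBEEF
20120821044502 2 6 100 1535 5 D139DEADBEEF
20120821045639 2 6 100 2047 2 DD20DEADBEEF
20120821050000 2 6 100 4095 2 F00DDEADBEEF
EOF
}

# Copy $1 to $2, commenting out every uncommented group whose Size ($5) is
# below $3 (default MIN_SIZE). Comments, headers and blank lines pass through.
comment_small_moduli() {
    awk -v min="${3:-$MIN_SIZE}" '
        /^#/ || NF < 7 { print; next }         # comment, header or blank line
        $5 + 0 < min   { print "#" $0; next }  # too small: comment it out
                       { print }               # large enough: keep
    ' "$1" > "$2"
}

# Number of groups sshd would still load from $1 (uncommented, 7 fields).
count_usable_moduli() {
    awk '!/^#/ && NF >= 7 { n++ } END { print n + 0 }' "$1"
}

# Number of loadable groups in $1 whose Size is below $2 (default MIN_SIZE).
# Run this against /etc/ssh/moduli after editing: the answer should be 0.
count_small_moduli() {
    awk -v min="${2:-$MIN_SIZE}" \
        '!/^#/ && NF >= 7 && $5 + 0 < min { n++ } END { print n + 0 }' "$1"
}

# Smallest Size field among the loadable groups in $1 (0 if there are none).
min_usable_size() {
    awk '!/^#/ && NF >= 7 && (m == "" || $5 + 0 < m) { m = $5 + 0 }
         END { print m + 0 }' "$1"
}

# Bit length openssl reports for the PEM dhparam file $1; 0 if openssl is
# not installed. Assumes the "DH Parameters: (N bit)" line of dhparam -text.
dhparam_bits() {
    command -v openssl >/dev/null 2>&1 || { echo 0; return 0; }
    openssl dhparam -in "$1" -noout -text |
        sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Demonstration on the constructed file.
sample="$(mktemp)"; fixed="$(mktemp)"
make_sample_moduli "$sample"
comment_small_moduli "$sample" "$fixed"
echo "loadable groups before: $(count_usable_moduli "$sample"), after: $(count_usable_moduli "$fixed")"
echo "groups below $MIN_SIZE still loadable: $(count_small_moduli "$fixed")"
echo "smallest remaining Size field: $(min_usable_size "$fixed")"
cat "$fixed"
rm -f "$sample" "$fixed"

# Pass a dhparam file (for example the "foo" generated in the text) as the
# first argument to confirm its size. Generation itself is left to the
# openssl command shown above because it takes minutes.
if [ "$#" -ge 1 ]; then
    echo "$1: $(dhparam_bits "$1")-bit DH parameters"
fi
```

To apply this to a real system, run comment_small_moduli on a copy of /etc/ssh/moduli, check that count_small_moduli reports 0 for the result, and only then move it into place and restart sshd. Remember that a clean moduli file does nothing about diffie-hellman-group1-sha1, which must be removed through KexAlgorithms.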

For more discussion on hardening your encryption settings, see these resources:

https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

https://stribika.github.io/2015/01/04/secure-secure-shell.html