Author Topic: How To: Disable SSLv2 and SSLv3 Poodle attack and TLSv1  (Read 2287 times)

nidhinjo

  • Guest
How To: Disable SSLv2 and SSLv3 Poodle attack and TLSv1
« on: March 31, 2018, 10:55:57 am »
The CVE-2014-3566 vulnerability in the SSLv3 protocol was identified by the Google security team. An additional whitepaper from OpenSSL also describes this vulnerability.

You can check if you are vulnerable using the following script. For the parameter, specify your server IP:
Code:
wget http://kb.odin.com/Attachments/kcs-40007/poodle.zip
unzip poodle.zip
chmod +x poodle.sh
for i in 21 587 443 465 7081 8443 993 995; do /bin/sh /root/poodle.sh <IP> "$i"; done

Resolution


The attack described above requires an SSL 3.0 connection to be established, so disabling the SSL 3.0 protocol in the client or the server (or both) will deflect a potential attack.

It is strongly recommended you update the openssl package.
The best option is disabling SSLv3 support.

You can use the special scripts below to disable SSLv3 for all services:

    >> for Linux - Disables SSLv3 for Apache, nginx, proftpd, courier-imap, qmail, postfix, dovecot, and the Plesk server engine (for versions 11.5 and later).
    >> for Windows - Disables SSLv3 server-wide (WARNING: A server reboot will be required).

See the following instructions on disabling SSLv3 for each service. The same instructions are applicable if your server has already been patched with pci_compliance_resolver.

As Plesk uses the same SSL engine, the sw-cp-server service should be configured to protect against the SSLv3 vulnerability.

1.) Plesk 11.5 and later

Edit '/etc/sw-cp-server/config'. In the http section, add:
Code:
ssl_protocols TLSv1.1 TLSv1.2;

Restart: sudo service sw-cp-server restart

2.) Plesk 11.0

Edit /usr/local/psa/admin/conf/ssl-conf.sh, adding echo 'ssl.use-sslv3 = "disable"' after the echo 'ssl.use-sslv2 = "disable"' directive. The file should look like:

Code:
echo 'ssl.engine = "enable"'
echo 'ssl.use-sslv2 = "disable"'
echo 'ssl.use-sslv3 = "disable"'

Restart: sudo service sw-cp-server restart

3.) Apache HTTPD Server

If you are running Apache, change your Apache configuration file (listed below are the default locations):

   a.) RedHat/CentOS /etc/httpd/conf.d/ssl.conf
   b.) Debian/Ubuntu /etc/apache2/mods-available/ssl.conf
   c.) SuSE /etc/apache2/ssl-global.conf

Include or change the following line in your Apache configuration file among the other SSL directives:

Code:
SSLProtocol All -SSLv2 -SSLv3

>> Run the following command to change the SSL settings in the PCI Compliance template.

Code:
mkdir -p /usr/local/psa/admin/conf/templates/custom/
mkdir -p /usr/local/psa/admin/conf/templates/custom/server/
cp /usr/local/psa/admin/conf/templates/pci_compliance/server/PCI_compliance.php /usr/local/psa/admin/conf/templates/custom/server/
sed -i 's/SSLProtocol -ALL +SSLv3 +TLSv1/SSLProtocol All -SSLv2 -SSLv3/g' /usr/local/psa/admin/conf/templates/custom/server/PCI_compliance.php

>> Then restart the Apache webserver:

Code:
/usr/local/psa/admin/bin/websrvmng -r

4.) Nginx server

If you are running Nginx, include the following line in your configuration among the other SSL directives in the /etc/nginx/nginx.conf:
Code:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

>> Additionally, for all sites in Plesk 11.0 for Linux:

Code:
mkdir -p /usr/local/psa/admin/conf/templates/custom/
mkdir -p /usr/local/psa/admin/conf/templates/custom/domain/
cp /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/domain/

sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php

>> For all sites in Plesk 11.5 for Linux:

Code:
mkdir -p /usr/local/psa/admin/conf/templates/custom/
mkdir -p /usr/local/psa/admin/conf/templates/custom/domain/
cp /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php /usr/local/psa/admin/conf/templates/custom/
cp /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/domain/

sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/custom/nginxWebmailPartial.php
sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php

>> For all sites in Plesk 12.0 for Linux:

Code:
mysqldump -uadmin -p`cat /etc/psa/.psa.shadow` psa > psa_backup.sql
mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa
mysql> insert into misc values('disablesslv3', 'true');

>> Then, reconfigure Apache and Nginx:

Code:
/usr/local/psa/admin/bin/httpdmng --reconfigure-all

5.) Dovecot IMAP/POP3 server

Include the following line in /etc/dovecot/dovecot.conf:
Code:
ssl_protocols = !SSLv2 !SSLv3

Restart the service:
Code:
sudo service dovecot restart

6.) Courier IMAP

Edit the following files:

Code:
vim /etc/courier-imap/pop3d-ssl

vim /etc/courier-imap/imapd-ssl

>> Add or modify the TLS_PROTOCOL and TLS_CIPHER_LIST directives so they look like:

Code:
TLS_PROTOCOL=TLSv1+
TLS_CIPHER_LIST="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"

>> Restart the services:

Code:
sudo service courier-imaps restart
sudo service courier-pop3s restart

Now your server is protected against the POODLE attack :)
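
A check for the Apache and nginx directives changed above, as an added example that is not part of the original post: it reads a protocol directive and reports whether SSLv3 is still enabled, so the templates can be verified after the sed commands have run. The function names are hypothetical, the sample lines are constructed from the before and after values in the sed commands, and the Apache logic is a simplified model of how SSLProtocol arguments are applied left to right.

```shell
# Added example: does a protocol directive from this page leave SSLv3 enabled?
# Assumes one directive per line with leading whitespace already stripped.

# Apache SSLProtocol, modelled left to right: a bare name replaces the set,
# +name adds, -name removes. "all" is assumed to include SSLv3.
apache_sslv3() {
    state=disabled
    for tok in $1; do
        case $(printf '%s' "$tok" | tr 'A-Z' 'a-z') in
            all|+all|sslv3|+sslv3) state=enabled ;;
            -all|-sslv3)           state=disabled ;;
            +*|-*)                 ;;                 # other protocol: SSLv3 unchanged
            *)                     state=disabled ;;  # bare name replaces the set
        esac
    done
    echo "$state"
}

# nginx ssl_protocols is an allow-list: SSLv3 is on only if it is listed.
nginx_sslv3() {
    state=disabled
    for tok in $1; do
        case ${tok%;} in SSLv3) state=enabled ;; esac
    done
    echo "$state"
}

# Dispatch one configuration line to the matching check.
sslv3_status() {
    case $1 in
        SSLProtocol\ *)   apache_sslv3 "${1#SSLProtocol }" ;;
        ssl_protocols\ *) nginx_sslv3 "${1#ssl_protocols }" ;;
        *)                echo unknown ;;
    esac
}

# Constructed sample lines: old and new values from the sed commands above.
while IFS= read -r line; do
    printf '%-40s SSLv3 %s\n' "$line" "$(sslv3_status "$line")"
done <<'EOF'
SSLProtocol -ALL +SSLv3 +TLSv1
SSLProtocol All -SSLv2 -SSLv3
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
EOF
```

To audit a real file, feed its trimmed directive lines to sslv3_status, for example the copied templates under /usr/local/psa/admin/conf/templates/custom/.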