
Topic: How to protect server from POODLE Attack Exploiting SSL 3.0 Fallback


vichithrakumart

The following script can be used to check if a system is vulnerable. For the parameter, specify the actual server IP:

Code:
# wget https://support.plesk.com/hc/article_attachments/115004518545/poodle.zip
# unzip poodle.zip
# chmod +x poodle.sh
# for i in `echo 21 587 443 465 7081 8443 993 995 `; do /bin/sh /root/poodle.sh <IP> $i; done

Disable SSLv3 server-wide

Download and run this script:
https://support.plesk.com/hc/article_attachments/115004385869/ssl_v3_disable.zip

Disable SSLv3 for Plesk service
As Plesk uses the same SSL engine, the sw-cp-server service should also be configured to protect against the SSLv3 vulnerability. For Plesk for Linux, do the following:

1. Connect to server over SSH.
2. Edit /etc/sw-cp-server/config file. In the http section, add the following:
3. Restart the service:
Code:
sudo service sw-cp-server restart
Disable SSLv3 for Nginx service
If you are running Nginx, do the following:
1. Connect to server over SSH.
2. Add the following line in your configuration among the other SSL directives in the /etc/nginx/nginx.conf:
Code:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

For all sites on Plesk 12.0 for Linux:
Code:
# MYSQL_PWD=`cat /etc/psa/.psa.shadow` mysqldump -u admin psa > psa_backup.sql
# MYSQL_PWD=`cat /etc/psa/.psa.shadow` mysql -u admin psa
mysql> insert into misc values('disablesslv3', 'true');
3. Rebuild the configuration for Apache and Nginx:
Code:
/usr/local/psa/admin/bin/httpdmng --reconfigure-all
Disable SSLv3 for Dovecot IMAP/POP3 service
1. Connect to server over SSH.
2. Add the following line in /etc/dovecot/dovecot.conf:
Code:
ssl_protocols = !SSLv2 !SSLv3
3. Restart the service:
Code:
sudo service dovecot restart
Disable SSLv3 for Courier IMAP service
1. Connect to server over SSH.
2. Edit the following files:

/etc/courier-imap/pop3d-ssl

/etc/courier-imap/imapd-ssl

Add or modify the TLS_PROTOCOL and TLS_CIPHER_LIST directives so they look like:
Code:
TLS_PROTOCOL=TLSv1+
TLS_CIPHER_LIST="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"

3. Restart the services:
Code:
# sudo service courier-imaps restart
# sudo service courier-pop3s restart

Disable SSLv3 for Postfix SMTP service
For 'opportunistic SSL' (where the encryption policy is not enforced and plaintext is acceptable), no changes are needed.

If it is required to disable SSLv3 for opportunistic encryption, do the following:
1. Connect to server over SSH.

2. If "mandatory SSL" mode is already configured, add or change the smtpd_tls_mandatory_protocols setting. Add the following lines to the /etc/postfix/main.cf file:
Code:
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3

3. Restart Postfix:
Code:
# sudo service postfix restart
It is possible to verify whether SSLv3 is disabled using the following command:
Code:
# openssl s_client -connect localhost:465 -ssl3
If SSLv3 is disabled, output should look like:
Code:
CONNECTED(00000003)
139808606107464:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
139808606107464:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
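As an added example (not part of the original post and not the Plesk poodle.sh script), the following shell script wraps the openssl s_client check above: it probes each port from the list used with poodle.sh and classifies the client output, so the verdict can be read without inspecting the error text by eye. The host and port list are whatever you pass in; the classification strings and the successful-handshake sample are assumptions, while the refused-handshake sample is the output quoted above. One caveat it handles: an openssl build without SSLv3 client support rejects -ssl3 outright, which this script reports as "untestable" rather than as a pass.

```shell
#!/bin/sh
# Added example, not from the original post: probe ports for SSLv3 with
# openssl s_client and classify the output instead of reading error text.

# classify_ssl3_output: reads `openssl s_client -ssl3` output on stdin and
# prints one word:
#   disabled   - the server refused the SSLv3 handshake (what you want)
#   ENABLED    - an SSLv3 session was negotiated (still exposed to POODLE)
#   untestable - this openssl build has no SSLv3 client support, so -ssl3 is
#                rejected; test from an older client (or with poodle.sh)
#   unknown    - no TLS verdict (connection refused, timeout, unexpected text)
classify_ssl3_output() {
    out=$(cat)
    case "$out" in
        *"unknown option"*) echo untestable ;;
        *"handshake failure"*|*"no protocols available"*|*"wrong version number"*|*"unsupported protocol"*|*"Cipher is (NONE)"*) echo disabled ;;
        *Protocol*SSLv3*) echo ENABLED ;;
        *) echo unknown ;;
    esac
}

# probe_ssl3 HOST PORT: run one SSLv3 probe and print "host:port verdict".
# "Q" on stdin makes s_client quit as soon as the handshake attempt ends.
probe_ssl3() {
    verdict=$(printf 'Q\n' | openssl s_client -connect "$1:$2" -ssl3 2>&1 | classify_ssl3_output)
    printf '%s:%s %s\n' "$1" "$2" "$verdict"
}

# Sample outputs for an offline self-check. The first is the handshake-failure
# output quoted in the post; the second is a constructed example of what a
# successful SSLv3 session looks like (made up for this demo).
SAMPLE_REFUSED='CONNECTED(00000003)
139808606107464:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
139808606107464:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:'
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES128-SHA'

# selftest: returns 0 when both samples are classified as expected.
selftest() {
    [ "$(printf '%s\n' "$SAMPLE_REFUSED" | classify_ssl3_output)" = disabled ] &&
    [ "$(printf '%s\n' "$SAMPLE_ACCEPTED" | classify_ssl3_output)" = ENABLED ]
}

# Usage: sh ssl3probe.sh HOST [PORT ...]
# With no ports given, the port list from the poodle.sh loop in the post is used.
if [ $# -ge 1 ]; then
    host=$1; shift
    [ $# -gt 0 ] || set -- 21 587 443 465 7081 8443 993 995
    for port in "$@"; do probe_ssl3 "$host" "$port"; done
fi
```

Run it from a machine whose openssl still accepts -ssl3; a line reading "untestable" means the client, not the server, lacks SSLv3, and says nothing about the server.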

Disable SSLv3 for Qmail MTA

1. Connect to server over SSH.
2. Create (or edit) the /var/qmail/control/tlsserverciphers file so it looks like:
Code:
EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES

Disable SSLv3 for ProFTPD server
1. Connect to server over SSH.

2. Create and edit the /etc/proftpd.d/60-nosslv3.conf file by adding the following lines:
Code:
<IfModule mod_tls.c>
TLSProtocol TLSv1
TLSCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
</IfModule>

3. Make sure the created configuration file is included in the proftpd configuration. If it is not, add the following line to /etc/proftpd.conf:
Code:
Include /etc/proftpd.d/*.conf
4. Restart the service daemon:
Code:
# service xinetd restart
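As a final added example (not code from the post or from Plesk), here is a shell audit that re-checks the configuration files edited in the sections above and reports which services would still negotiate SSLv3. It is meant for the day after: a Plesk upgrade or a configuration rebuild can rewrite some of these files, and a scheduled run of this script catches that. The check functions, the default paths and the constructed sample files in selftest are assumptions derived from the directives shown above; the script only reads configuration text and never connects to the services. It can also be pointed at /etc/sw-cp-server/config with nginx_ok if that file uses the ssl_protocols directive (an assumption).

```shell
#!/bin/sh
# Added example, not from the original post: audit the config files edited
# above and report which services would still negotiate SSLv3. Every *_ok
# function returns 0 when SSLv3 is disabled in the given file and 1 otherwise.
# Default paths are the ones the post names; a missing file counts as a failure.

# Print the last line that sets KEY ("key value" or "key=value"); commented
# lines do not match because the regex anchors on the key itself.
last_directive() {  # usage: last_directive FILE KEY
    grep -E "^[[:space:]]*$2([[:space:]]|=)" "$1" 2>/dev/null | tail -n 1
}

# nginx: ssl_protocols must be present and must not list SSLv3. An absent
# directive means the nginx default, which at POODLE time still included SSLv3.
nginx_ok() {
    line=$(last_directive "${1:-/etc/nginx/nginx.conf}" ssl_protocols)
    case "$line" in ""|*SSLv3*) return 1 ;; *) return 0 ;; esac
}

# Dovecot: ssl_protocols must explicitly exclude SSLv3 ("!SSLv3").
dovecot_ok() {
    line=$(last_directive "${1:-/etc/dovecot/dovecot.conf}" ssl_protocols)
    case "$line" in *'!SSLv3'*) return 0 ;; *) return 1 ;; esac
}

# Postfix: both lists from the post (server side and client side) must exclude SSLv3.
postfix_ok() {
    f=${1:-/etc/postfix/main.cf}
    for key in smtpd_tls_protocols smtp_tls_protocols; do
        line=$(last_directive "$f" "$key")
        case "$line" in *'!SSLv3'*) ;; *) return 1 ;; esac
    done
    return 0
}

# Courier IMAP/POP3: TLS_PROTOCOL must select a TLS version (the post uses TLSv1+).
courier_ok() {
    line=$(last_directive "${1:-/etc/courier-imap/imapd-ssl}" TLS_PROTOCOL)
    case "$line" in ""|*SSL3*) return 1 ;; *TLSv1*) return 0 ;; *) return 1 ;; esac
}

# ProFTPD mod_tls: TLSProtocol must be set and must not allow SSLv3. The
# default value SSLv23 enables SSLv3, so a missing directive also fails.
proftpd_ok() {
    line=$(last_directive "${1:-/etc/proftpd.d/60-nosslv3.conf}" TLSProtocol)
    case "$line" in ""|*SSLv23*|*SSLv3*) return 1 ;; *) return 0 ;; esac
}

# audit_sslv3: one line per service; exit status is the number of services
# still allowing SSLv3 (0 means all clean), so cron or CI can alert on it.
audit_sslv3() {
    failed=0
    for svc in nginx dovecot postfix courier proftpd; do
        if "${svc}_ok"; then status=disabled; else status=STILL-ENABLED; failed=$((failed + 1)); fi
        printf '%-8s SSLv3 %s\n' "$svc" "$status"
    done
    return "$failed"
}

# selftest: exercise the checks on constructed sample files (contents made up
# for this demo); returns 0 when every check gives the expected verdict.
selftest() {
    d=$(mktemp -d) || return 1
    printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n' > "$d/nginx.good"
    printf 'ssl_protocols SSLv3 TLSv1;\n' > "$d/nginx.bad"
    printf 'ssl_protocols = !SSLv2 !SSLv3\n' > "$d/dovecot.good"
    printf '# ssl_protocols = !SSLv3\n' > "$d/dovecot.bad"   # commented out only
    printf 'smtpd_tls_protocols=!SSLv2,!SSLv3\nsmtp_tls_protocols=!SSLv2,!SSLv3\n' > "$d/postfix.good"
    printf 'TLS_PROTOCOL=TLSv1+\n' > "$d/courier.good"
    printf 'TLSProtocol TLSv1\n' > "$d/proftpd.good"
    rc=0
    nginx_ok "$d/nginx.good" && ! nginx_ok "$d/nginx.bad" && dovecot_ok "$d/dovecot.good" &&
        ! dovecot_ok "$d/dovecot.bad" && postfix_ok "$d/postfix.good" &&
        courier_ok "$d/courier.good" && proftpd_ok "$d/proftpd.good" || rc=1
    rm -rf "$d"
    return $rc
}

# Usage: sh sslv3audit.sh audit   (runs against the default paths on this host)
case "${1:-}" in audit) audit_sslv3 ;; esac
```

Because the audit looks at the last matching directive only, a later duplicate that re-enables SSLv3 is caught, but a directive set inside an included file that this script is not pointed at is not; pass the included file's path explicitly in that case.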