Bobcares

Protecting your DirectAdmin server from SSLv3 POODLE vulnerability

by | Oct 17, 2014

UPDATE 17th Oct – Some browsers like Firefox and IE 6 are reporting issues when SSLv3 is disabled. Fortunately, an SSLv3 fix is available from OpenSSL, and the major distros will soon be pushing it to their repos, so SSLv3 can be disabled in a phased manner. Check the comments for more info.

On Oct 14th Google published details of an SSL 3.0 vulnerability that allows a man-in-the-middle attacker to decrypt a secure session. Support for SSL 3.0 is present in all popular mail, FTP and web clients, which leaves all of your clients exposed to an exploit based on this bug. Since SSL 3.0 is an 18-year-old, obsolete technology, we recommend disabling it on all DirectAdmin servers.

The Pro-active Server Management service at Bobcares was notified of this vulnerability on the 14th, and all servers that we maintain were secured against it by disabling CBC ciphers.

Here is a quick script for you to check if your DirectAdmin server is vulnerable. Execute the following as root. If any line of the form "Cipher is <name>" is printed, the server accepted an SSLv3 handshake on that port and can be considered vulnerable.

#!/bin/bash
# Try an SSLv3 handshake with every SSLv3 cipher on each port. openssl prints
# "Cipher is (NONE)" when the handshake is refused, so only accepted ones are shown.
# Port 21 uses STARTTLS: add "-starttls ftp" to the s_client command for it.
SERVER=xxx.xxx.xxx.xxx
for port in 21 443 465 993 995 2223; do
  echo "Scanning $port"
  for cipher in $(openssl ciphers -sslv3 'ALL:eNULL' | sed -e 's/:/ /g'); do
    echo -n | openssl s_client -sslv3 -cipher "$cipher" -connect "$SERVER:$port" 2>&1 | grep -i "Cipher is" | grep -v "(NONE)"
  done
done

Replace xxx.xxx.xxx.xxx with your server IP.


In DirectAdmin, the services that need to be secured are HTTP, POP3, IMAP, SMTP, FTP and the DirectAdmin web panel. Here is how we disabled SSL 3.0 on our servers:

 

HTTP – Apache / Nginx

To fix Apache,

Edit /etc/httpd/conf/extra/httpd-ssl.conf and add the following among the other SSL entries:

SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+
SSLHonorCipherOrder on

Reconfigure Apache.

To fix Nginx,

In each of the files below, change the ssl_protocols directive to read as shown:

/usr/local/directadmin/data/templates/nginx_ips.conf
/usr/local/directadmin/data/templates/nginx_server_secure.conf
/usr/local/directadmin/data/templates/nginx_server_secure_sub.conf
/etc/nginx/directadmin-ips.conf
/etc/nginx/nginx-vhosts.conf

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Reconfigure Nginx.

 

SMTP – Exim

Add the following lines to /etc/exim.conf:

openssl_options = +no_sslv3
tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

Restart Exim.

POP/IMAP – Dovecot

Edit the lines in /etc/dovecot/dovecot.conf as shown below:

ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

Restart Dovecot.

 

FTP – Pure-FTPd / ProFTPd

To fix Pure-FTPd,

Edit the files /etc/init.d/pure-ftpd and /usr/libexec/pureftpd_startscript, and modify the start options as shown below:

OPTIONS="${OPTIONS} -Y 1 -J HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3"

To fix ProFTPd,

Edit /etc/proftpd.conf and set the lines below as shown:

TLSProtocol TLSv1
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3

 

DirectAdmin Panel

Edit the file /usr/local/directadmin/conf/directadmin.conf, and add the option below:

ssl_cipher=ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP
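Once the edits above are in place, it is worth confirming from the files themselves that each daemon's protocol directive really excludes SSLv3, since a later duplicate directive or a commented-out line is an easy mistake. The script below is an added example, not part of the original post: it parses the directive syntax of Apache, Nginx, Exim and Dovecot and runs against constructed sample fragments in SAMPLE_CONFIGS (read the real files in their place).

```python
import re

# Constructed config fragments (sample input, not copied from any real server),
# written in the syntax each daemon uses for the directive this post edits.
SAMPLE_CONFIGS = {
    "apache":  "SSLEngine on\n# SSLProtocol All\nSSLProtocol All -SSLv2 -SSLv3\n",
    "nginx":   "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n",   # still allows SSLv3
    "exim":    "openssl_options = +no_sslv3\n",
    "dovecot": "ssl_protocols = !SSLv2 !SSLv3\n",
}

# Directive name per service and the separator between name and value.
DIRECTIVES = {
    "apache":  ("SSLProtocol", r"\s+"),
    "nginx":   ("ssl_protocols", r"\s+"),
    "exim":    ("openssl_options", r"\s*=\s*"),
    "dovecot": ("ssl_protocols", r"\s*=\s*"),
}

def last_directive_tokens(service, text):
    """Tokens of the last uncommented occurrence of the directive, or None.
    The last one wins because Apache and Nginx let later directives override."""
    name, sep = DIRECTIVES[service]
    pattern = re.compile(r"^\s*" + re.escape(name) + sep + r"([^;#]*)", re.IGNORECASE)
    tokens = None
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            tokens = m.group(1).split()
    return tokens

def sslv3_disabled(service, text):
    """True only when the config text provably excludes SSLv3.
    A missing directive returns False: these daemons enabled SSLv3 by default."""
    tokens = last_directive_tokens(service, text)
    if not tokens:
        return False
    low = [t.lower() for t in tokens]
    if service == "apache":
        # 'All -SSLv3' or an explicit TLS-only list passes; 'All' or '+SSLv3' does not.
        if "-sslv3" in low:
            return True
        return "all" not in low and "sslv3" not in low and "+sslv3" not in low
    if service == "nginx":
        return "sslv3" not in low        # nginx lists only the enabled protocols
    if service == "exim":
        return "+no_sslv3" in low        # OpenSSL option flag in Exim syntax
    if service == "dovecot":
        return "!sslv3" in low
    raise ValueError(service)
```

Run it as `{svc: sslv3_disabled(svc, text) for svc, text in SAMPLE_CONFIGS.items()}`; every service that comes back False still needs the fix from the corresponding section above.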


1 Comment

  1. Visakh S

    @Amal earlier reported issues with customers using IE 6 and Firefox unable to connect to web services when SSLv3 is enabled. The good news is that you may not be required to disable SSLv3 after all. A patch is released by OpenSSL: https://www.openssl.org/news/secadv_20141015.txt

    The updated packages are yet to reach major repos. I just checked CentOS, and it's still showing older versions. I'm sure it will be available later today, and then it's only a matter of doing:

    In CentOS / Redhat / Cloud Linux / Fedora servers

    # yum -y update openssl

    In Ubuntu / Debian servers

    # apt-get update && apt-get install openssl

    In OpenSuse servers

    # zypper patch --cve=CVE-2014-3566

    OpenSSL 1.0.1 should be upgraded to 1.0.1j
    OpenSSL 1.0.0 should be upgraded to 1.0.0o
    OpenSSL 0.9.8 should be upgraded to 0.9.8zc
