Comments on How to secure your ISPConfig 3 server against the poodle SSL attack
How to secure your ISPConfig 3 server against the POODLE SSL attack. In the following guide I describe the steps to secure your server against the recent POODLE SSL attack. I will use an ISPConfig 3 perfect server on Debian 7 for my examples, but the same steps work on any other Linux distribution as well. A default ISPConfig hosting server runs the following services that offer SSL/TLS connections and are therefore potential targets for a POODLE attack: web server (nginx or Apache), mail server (Postfix and Dovecot/Courier), and FTP server (pure-ftpd).
20 Comment(s)
Comments
Hi guys, I applied these changes on my Debian 7 (ISPConfig 3.0.5.4p4), but now I can't log in with FileZilla to my FTP accounts. And I see this error in the service status of my ISPConfig panel. Please help me.
FTP-Server: Offline
After a reboot, all of the services run correctly.
POP3DSSLSTART=NO and IMAPDSSLSTART=NO will actually disable the secure daemons completely! Keep both on YES if you want to use those services.
How about the site SSL certificate generation? It needs to be switched to SHA-256 everywhere. ISPConfig 3 (3.0.5p4) generates deprecated SHA-1.
The article mentions mitigation in Dovecot >= 2.1 only. To mitigate the attack in Dovecot 2.0, edit /etc/dovecot/conf.d/10-ssl.conf and add the following line to the bottom: ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL Then, restart Dovecot with "service dovecot restart" (as root user -- or use "sudo" as appropriate).
I think the correct line is
'TLSCipherSuite' => ['-j %s', \&parse_string],
not capital J. With the capital letter, Ubuntu gives an error:
/usr/sbin/pure-ftpd-mysql-virtualchroot: invalid option -- 'J'
The option -j exists to create a home directory; it is not related to SSL. Maybe the pure-ftpd on your server does not support the -J option yet. On Debian, where I tested the guide, the -J option exists. From the pure-ftpd manpage on Debian 7:
-J --tlsciphersuite
I have to check. I have Ubuntu.
Run:
man pure-ftpd
to get the manpage. If it does not list the -J option on your server, then this pure-ftpd version does not support restricting the SSL mode.
It doesn't work on Debian 6 (Squeeze). The "-J" switch is missing.
And what setting would be sufficient for courier?
I followed the directions above, but when I try to restart Pure-FTPd I get this:
service pure-ftpd-mysql restart
Restarting ftp server: /usr/sbin/pure-ftpd-wrapper: Invalid configuration file /etc/pure-ftpd/conf/TLS: No corresponding directive
'TLS' => ['-Y %d', \&parse_number_1],
Add the TLSCipherSuite right after TLS:
'TLSCipherSuite' => ['-J %s', \&parse_string],
worked for me (Debian 7)
Hello. I made the changes above for Pure-FTPd.
Mine looks like this:
Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -E -J HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3 -b -H -u 1000 -8 UTF-8 -O clf:/var/log/pure-ftpd/transfer.log -Y 1 -D -A -B
Is that OK?
That's OK, the important part is:
-J HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3
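Whichever cipher string or protocol setting you end up with for pure-ftpd, Dovecot, Postfix and the web server, the only reliable way to confirm the fix is to ask each service for an SSLv3-only handshake and see whether it agrees. The script below is an added example written for this thread, not part of the tutorial or of any of the comments; it drives `openssl s_client -ssl3` (with `-starttls` for the services that upgrade a plaintext session) against the standard ISPConfig ports and classifies the output. The host name, the port list and the abbreviated sample outputs used for the self-check are assumptions/constructed samples, and the OpenSSL build you run it with must still understand `-ssl3` (Debian 7's does; newer builds that drop SSLv3 reject the option, which the classifier reports as `error` rather than as a pass).

```shell
#!/bin/sh
# poodle_check.sh -- added example for this thread; not tutorial or commenter code.
# Attempts an SSLv3-only handshake against each TLS-capable service of an
# ISPConfig 3 server and reports whether SSLv3 is still accepted.

# Classify `openssl s_client -ssl3` output.
#   vulnerable : the SSL-Session block shows a negotiated SSLv3 cipher
#   ok         : an SSLv3 session was attempted but no cipher was agreed
#                (OpenSSL prints "Cipher : 0000" on a refused handshake)
#   error      : no SSL-Session block at all (connection refused, wrong port,
#                or this OpenSSL does not support -ssl3), so nothing was proven
classify_s_client_output() {
    if ! printf '%s\n' "$1" | grep -q 'Protocol *: *SSLv3'; then
        echo error
    elif printf '%s\n' "$1" | grep -q 'Cipher *: *0000'; then
        echo ok
    else
        echo vulnerable
    fi
}

# Probe one endpoint: $1 = label, $2 = host:port, $3 = optional STARTTLS
# protocol (smtp, imap, pop3, ftp) for services that upgrade a plain session.
probe() {
    label=$1; target=$2; starttls=$3
    if [ -n "$starttls" ]; then
        out=$(openssl s_client -connect "$target" -ssl3 -starttls "$starttls" </dev/null 2>&1)
    else
        out=$(openssl s_client -connect "$target" -ssl3 </dev/null 2>&1)
    fi
    printf '%-30s %s\n' "$label ($target)" "$(classify_s_client_output "$out")"
}

# Default ISPConfig 3 service ports (assumed; adjust to your server).
main() {
    host=${1:-localhost}
    probe "HTTPS (apache/nginx)"     "$host:443"
    probe "SMTP STARTTLS (postfix)"  "$host:25"  smtp
    probe "SMTPS (postfix)"          "$host:465"
    probe "IMAP STARTTLS (dovecot)"  "$host:143" imap
    probe "IMAPS (dovecot)"          "$host:993"
    probe "POP3 STARTTLS (dovecot)"  "$host:110" pop3
    probe "POP3S (dovecot)"          "$host:995"
    probe "FTP AUTH TLS (pure-ftpd)" "$host:21"  ftp
}

# Constructed, abbreviated samples of s_client output, used only to self-check
# the classifier offline. Only the lines the classifier looks at are reproduced.
SAMPLE_ACCEPTED='SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 0 (ok)'
SAMPLE_REFUSED='SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'
SAMPLE_NO_SSL3='unknown option -ssl3
usage: s_client args'

# Run the probes only when a host is given: sh poodle_check.sh mail.example.com
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Every line of the report should read `ok`; an `error` line means that port was not actually tested (port closed, or the local OpenSSL has no SSLv3 support) and needs a second look rather than being counted as fixed. The protocol-level probe matters because an OpenSSL cipher string such as `!SSLv3` removes cipher suites from the list, not protocol versions, so a daemon configured only through its cipher list may still behave differently from one with an explicit protocol setting like Dovecot's `ssl_protocols`.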
I get this error when following the instructions for Dovecot: Unknown setting: ssl_protocols. How do I fix this? Thanks!
Did you check the Dovecot version as described in the guide? Only Dovecot 2.1 and newer supports SSL protocol settings.
Bad request: The IMAP server is reporting that plain text logins are disabled. Using CRAM-MD5 or DIGEST-MD5 authentication instead may work. Also, the use of TLS may allow SquirrelMail to login. Please contact your system administrator and report this error.
When I turn on login TLS in the SquirrelMail config.php under
2. Server Settings
A. Update IMAP Settings : localhost:143 (other)
7. Secure IMAP (TLS) : true
I get the next error message from SquirrelMail:
Error connecting to IMAP server: tls://localhost. 0 :
Before the security changes everything worked properly.
Hi,
when I add: ssl_protocols = !SSLv2 !SSLv3
and restart Dovecot, the OS X Mail.app cannot connect to the accounts anymore. Or do I need to reconfigure them in Mail.app?