How to secure your ISPConfig 3 server against the POODLE SSL attack

Version 1.2 
Author: Till Brehm <t [dot] brehm [at] howtoforge [dot] com> 
Published   2014-10-16

In the following guide I will describe the steps to secure your server against the recent POODLE SSL attack (CVE-2014-3566). POODLE exploits a padding weakness in SSLv3, and a server that still accepts SSLv3 is exposed even if it prefers TLS, because many clients fall back to SSLv3 when an attacker disrupts the TLS handshake; the fix is therefore to disable SSLv3 (and the long-obsolete SSLv2) in every service, not merely to prefer TLS. I will use an ISPConfig 3 perfect server on Debian 7 for my examples, but the same steps work on other Linux distributions as well; only file paths and service names may differ. A default ISPConfig hosting server runs the following services that offer SSL/TLS connections and are therefore potential targets for a POODLE attack: web server (nginx or Apache), mail server (Postfix and Dovecot or Courier) and FTP server (pure-ftpd).

I assume that you are logged into your server as the root user. If you work on Ubuntu and are not logged in as root, then prepend "sudo" to all commands or run "sudo -s" to become root.

Apache Webserver

To secure an Apache web server, the line

SSLProtocol all -SSLv2 -SSLv3

has to be in effect in every SSL vhost on the server. If SSLProtocol is not explicitly set in a vhost, the global setting applies. On an ISPConfig 3 server the generated vhosts do not override that setting, so SSLProtocol can be set globally; a vhost-level SSLProtocol line always takes precedence, so any custom vhosts that carry their own line have to be changed as well. On a Debian or Ubuntu server, open the file /etc/apache2/mods-available/ssl.conf in an editor

nano /etc/apache2/mods-available/ssl.conf

scroll down until you see the lines:

# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2

and change them to:

# enable only secure protocols: but not SSLv2 and SSLv3
SSLProtocol all -SSLv2 -SSLv3

Then restart Apache (running apache2ctl configtest first catches a typo before the restart takes your sites down):

service apache2 restart

 

Nginx Webserver

For an nginx web server, the line

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

has to be in effect in each SSL server { } section. If ssl_protocols is not explicitly set in a server { } section, the setting from the enclosing http { } section applies. On an ISPConfig 3 server the generated server { } sections do not override it, so ssl_protocols can be set globally in the http { } section; any custom server { } sections with their own ssl_protocols line must be changed too. The explicit setting is needed because the nginx shipped with Debian 7 (like every nginx before 1.9.1) includes SSLv3 in its default ssl_protocols. On a Debian or Ubuntu server, open the file /etc/nginx/nginx.conf in an editor

nano /etc/nginx/nginx.conf

and add the line:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

after the line:

http {

Then restart nginx (nginx -t first reports syntax errors without touching the running server):

service nginx restart
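Whether you run Apache or nginx, the change should be verified from the outside rather than trusted from the config file. The script below is an added example of mine, not part of the original guide: it wraps openssl s_client -ssl3, classifies its output, and returns a non-zero status whenever a port did not clearly reject SSLv3, so it can run from cron or a monitoring check. It goes beyond the web server: with -starttls it also probes the SMTP, IMAP, POP3 and FTP ports that the following sections reconfigure. It assumes an OpenSSL that still knows the -ssl3 option (1.0.x, as on Debian 7); OpenSSL 1.1.0 and later are built without SSLv3 and are reported as unsupported rather than as a pass. The port list in probe_ispconfig_host is my assumption about a default ISPConfig host, not something the guide states.

```shell
#!/bin/sh
# Added example: probe services for SSLv3 acceptance with openssl s_client.
# Needs an OpenSSL that still accepts -ssl3 (1.0.x); newer builds have no
# SSLv3 code at all and are reported as "unsupported", not as a pass.

# Map captured s_client output to one word:
#   accepted    - an SSLv3 session was negotiated: the service is still exposed
#   rejected    - the server refused the SSLv3 handshake
#   unsupported - this openssl does not know -ssl3, nothing was tested
#   error       - no handshake happened (connection refused, timeout, DNS)
classify_sslv3() {
  case "$1" in
    *"nknown option"*)                     echo unsupported ;;
    *"Cipher is (NONE)"*|*"handshake failure"*|*"wrong version"*|*"protocol version"*)
                                           echo rejected ;;
    *Protocol*": SSLv3"*)                  echo accepted ;;
    *)                                     echo error ;;
  esac
}

# probe_sslv3 HOST PORT [smtp|imap|pop3|ftp]
# Prints "host:port (proto) SSLv3 <verdict>". Exit status: 0 rejected,
# 1 accepted, 2 unsupported/error, so a cron job can alert on anything but 0.
probe_sslv3() {
  host=$1; port=$2; proto=${3:-}
  # stdin from /dev/null makes s_client quit as soon as the handshake is over
  out=$(openssl s_client -connect "$host:$port" -ssl3 ${proto:+-starttls $proto} </dev/null 2>&1)
  verdict=$(classify_sslv3 "$out")
  printf '%s:%s%s SSLv3 %s\n' "$host" "$port" "${proto:+ ($proto)}" "$verdict"
  case "$verdict" in rejected) return 0 ;; accepted) return 1 ;; *) return 2 ;; esac
}

# Assumed default ISPConfig 3 port layout: https, SMTP and submission,
# IMAP/POP3 on the STARTTLS and on the SSL-wrapped ports, and FTP.
# Returns non-zero if any probe did not come back "rejected".
probe_ispconfig_host() {
  h=$1; rc=0
  probe_sslv3 "$h" 443       || rc=1
  probe_sslv3 "$h" 25  smtp  || rc=1
  probe_sslv3 "$h" 587 smtp  || rc=1
  probe_sslv3 "$h" 143 imap  || rc=1
  probe_sslv3 "$h" 993       || rc=1
  probe_sslv3 "$h" 110 pop3  || rc=1
  probe_sslv3 "$h" 995       || rc=1
  probe_sslv3 "$h" 21  ftp   || rc=1
  return $rc
}

# Usage: sh poodle-probe.sh mail.example.com
if [ $# -gt 0 ]; then probe_ispconfig_host "$1"; fi
```

On a system whose OpenSSL no longer has SSLv3, use a scanner that implements SSLv3 itself (for example nmap's ssl-enum-ciphers script) and treat "unsupported" as untested, not as fixed.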

 

Postfix mail server

To stop Postfix from offering SSLv2 and SSLv3, both on incoming connections (smtpd_*) and on outgoing ones (smtp_*), run these commands:

postconf -e 'smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3'
postconf -e 'smtpd_tls_protocols=!SSLv2,!SSLv3'
postconf -e 'smtp_tls_protocols=!SSLv2,!SSLv3'

This will add the lines:

smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3

in the /etc/postfix/main.cf file (postconf -e replaces an existing setting of the same name, so the commands are safe to re-run). Postfix has a fourth parameter of this kind, smtp_tls_mandatory_protocols, for outgoing connections on which TLS is enforced; if you use mandatory TLS for any destination, set it the same way. Then run this command to apply the new configuration:

service postfix restart

 

Dovecot IMAP / POP3 server

Dovecot supports the ssl_protocols setting in version 2.1 and newer (Dovecot 2.3 later replaced it with ssl_min_protocol). So the first step is to find out which Dovecot version you use. The command is:

dovecot --version

On my server I got the following result:

# dovecot --version
2.1.7

which indicates that my server supports the ssl_protocols setting.

Edit the dovecot configuration file

nano /etc/dovecot/dovecot.conf

and add the line

ssl_protocols = !SSLv2 !SSLv3

right after the ssl_key line (if your SSL settings live in /etc/dovecot/conf.d/10-ssl.conf instead, put the line there), so your file should look like this:


ssl_key = </etc/postfix/smtpd.key
ssl_protocols = !SSLv2 !SSLv3

and finally restart dovecot to apply the changes:

service dovecot restart

 

Courier POP3 / IMAP server

The Courier IMAP and POP3 servers offer connections over the SSLv3 protocol by default, so we have to reconfigure them as well. The Courier configuration files are in the folder /etc/courier/. Two things to know before editing: IMAP_TLS_REQUIRED=1 and POP3_TLS_REQUIRED=1 make the plain-port daemons (143/110) refuse a login until the client has issued STARTTLS, so a client that connects in the clear, for example a webmail on localhost, must be switched to TLS or these must stay at 0; and TLS_PROTOCOL selects a single protocol method, which in some Courier versions makes TLS1 mean TLS 1.0 only, so verify afterwards which versions the daemons still negotiate. First we start with the config file of the IMAP daemon:

nano /etc/courier/imapd-ssl

Add or replace the following lines:

IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1

Then edit the config file of the POP3 Daemon:

nano /etc/courier/pop3d-ssl

Add or replace the following lines:

POP3STARTTLS=YES
POP3_TLS_REQUIRED=1
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1

Finally restart the Courier daemons. The STARTTLS settings in imapd-ssl and pop3d-ssl are also read by the plain-port daemons, so if courier-imap and courier-pop are running, restart those too:

service courier-imap-ssl restart
service courier-pop-ssl restart

 

FTP with pure-ftpd

Securing pure-ftpd on Debian and Ubuntu is a bit more complicated, as the /usr/sbin/pure-ftpd-wrapper script from Debian does not support the -J switch which pure-ftpd uses to set the TLS cipher suite (pure-ftpd has no separate protocol-version switch; SSLv3 is excluded through the cipher string). So the first step is to add support for the -J option to the wrapper script. Check first whether the wrapper already contains a TLSCipherSuite entry, as later package versions ship with one, and bear in mind that the wrapper is not a dpkg conffile, so a package upgrade can silently overwrite your change. This will not work on Debian 6, as the pure-ftpd version in Debian 6 is too old and does not have the -J option, so the only option for Debian 6 users is to upgrade to Debian 7. Open the file

nano /usr/sbin/pure-ftpd-wrapper

and scroll down to the line

'TLS' => ['-Y %d', \&parse_number_1],

and add this new line right afterwards:

'TLSCipherSuite' => ['-J %s', \&parse_string],

Finally we create the config file which contains the cipher string that we want to allow. Note that -J takes an OpenSSL cipher list, not a protocol list: !SSLv3 removes the cipher suites introduced with SSLv3, and because TLS 1.0 and 1.1 use those same suites, only TLS 1.2 suites remain. That blocks POODLE, but FTP clients that cannot negotiate TLS 1.2 will no longer be able to connect.

echo 'HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3' > /etc/pure-ftpd/conf/TLSCipherSuite

To apply the changes, restart pure-ftpd. On my server I use pure-ftpd with MySQL, so the name of the daemon is pure-ftpd-mysql instead of just pure-ftpd.

service pure-ftpd-mysql restart

The result should look similar to this:

# service pure-ftpd-mysql restart
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -Y 1 -8 UTF-8 -H -J HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3 -D -b -O clf:/var/log/pure-ftpd/transfer.log -E -u 1000 -A -B

So the -J option has been added successfully to the start sequence of the daemon.
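The wrapper edit above is easy to get wrong by hand (the comments on this page show the TLS entry being replaced instead of kept). The following script is an added example of mine, not part of the guide or of the Debian package: it applies the change idempotently, refusing a wrapper that has no 'TLS' entry to anchor on, doing nothing if a TLSCipherSuite entry is already there, otherwise inserting the new entry directly after the 'TLS' line while keeping the file's owner and execute bit, and it creates the cipher file only if none exists yet. Paths are parameters so it can be tried on a copy first; the --apply switch and the .pre-poodle backup name are my conventions.

```shell
#!/bin/sh
# Added example: make the Debian pure-ftpd-wrapper pass conf/TLSCipherSuite
# as -J, without touching an already patched file or losing the TLS entry.

NEW_ENTRY="    'TLSCipherSuite' => ['-J %s', \\&parse_string],"
ANCHOR="'TLS' => ['-Y %d'"          # the existing entry we insert after
DEFAULT_CIPHERS='HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3'

# add_wrapper_option WRAPPER
# Returns 0 when the entry is present afterwards (added now or already there),
# 1 when WRAPPER has no 'TLS' entry to anchor on (it is then left untouched).
add_wrapper_option() {
  wrapper=$1
  if grep -qF "'TLSCipherSuite'" "$wrapper" 2>/dev/null; then
    echo "already present: $wrapper"; return 0
  fi
  if ! grep -qF "$ANCHOR" "$wrapper" 2>/dev/null; then
    echo "no 'TLS' entry in $wrapper, not modifying it" >&2; return 1
  fi
  cp -p "$wrapper" "$wrapper.pre-poodle" || return 1
  # copy line by line; emit the new entry right after the anchor line
  while IFS= read -r line || [ -n "$line" ]; do
    printf '%s\n' "$line"
    case "$line" in *"$ANCHOR"*) printf '%s\n' "$NEW_ENTRY" ;; esac
  done < "$wrapper" > "$wrapper.tmp" || return 1
  # overwrite in place so the wrapper keeps its owner and execute bit
  cat "$wrapper.tmp" > "$wrapper" && rm -f "$wrapper.tmp"
  echo "added TLSCipherSuite entry to $wrapper"
}

# write_ciphersuite_file FILE [CIPHERS]: create the config file read by the
# new wrapper entry; an existing file is kept, not overwritten.
write_ciphersuite_file() {
  if [ -e "$1" ]; then echo "keeping existing $1: $(cat "$1")"; return 0; fi
  printf '%s\n' "${2:-$DEFAULT_CIPHERS}" > "$1" && echo "wrote $1"
}

# Debian/Ubuntu paths; run "sh fix-pureftpd-wrapper.sh --apply" as root.
if [ "${1:-}" = "--apply" ]; then
  add_wrapper_option /usr/sbin/pure-ftpd-wrapper &&
    write_ciphersuite_file /etc/pure-ftpd/conf/TLSCipherSuite
fi
```

After --apply, restart pure-ftpd (or pure-ftpd-mysql) as shown above and confirm that -J appears in the printed command line; if the daemon rejects -J as an unknown option, the installed pure-ftpd is too old and the wrapper change should be reverted from the .pre-poodle copy.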

 
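Once every daemon is reconfigured, it is worth checking the configuration files themselves as well, for example from a cron job, because a package upgrade can restore the wrapper script and an added vhost or server block can override the global protocol line. The script below is an added example of mine, not part of the guide or of ISPConfig: it reads the files edited in the sections above and reports per service whether SSLv3 is excluded, checking every occurrence of the web server directives rather than only the global one. File paths are arguments so it can run against copies; audit_debian_server uses the Debian 7 locations from this guide plus the conf.d and sites-enabled locations where the same directives may also live, and the check of smtp_tls_mandatory_protocols goes beyond what the guide sets. Both of those are my additions.

```shell
#!/bin/sh
# Added example: offline audit of the files this guide edits. Each check
# prints OK/FAIL lines and returns 0 (SSLv3 excluded) or 1.

# Values of every active "key value;" / "key = value" line for directive $1
# in files $2...; comment lines never match since the key must come first.
directive_values() {
  local key=$1; shift
  cat "$@" 2>/dev/null |
    grep -E "^[[:space:]]*${key}([[:space:]]|=)" |
    sed -E "s/^[[:space:]]*${key}[[:space:]]*=?[[:space:]]*//; s/;[[:space:]]*\$//; s/^\"(.*)\"\$/\1/"
}

# Does one protocol-list value leave SSLv3 out?
value_excludes_sslv3() {
  case "$1" in
    "")                      return 1 ;;  # unset: the daemon's own default applies
    *[-!]SSLv3*)             return 0 ;;  # explicitly disabled
    *SSLv3*|*SSL3*|*SSL23*)  return 1 ;;  # enabled, or Courier's all-versions selector
    *-[Aa][Ll][Ll]*)         return 0 ;;  # "-all +TLSv1.2": only listed versions are on
    *[Aa][Ll][Ll]*|*[-!]*)   return 1 ;;  # "all" or a deny list that misses SSLv3
    *)                       return 0 ;;  # plain allow list of TLS versions
  esac
}

# Every active occurrence must pass (a vhost or server block overrides the global
# line) and one must exist: the defaults of Apache 2.2/2.4 and nginx < 1.9.1 allow SSLv3.
check_every() {
  local key=$1 vals; shift
  vals=$(directive_values "$key" "$@")
  [ -n "$vals" ] || { echo "FAIL $key: not set anywhere"; return 1; }
  printf '%s\n' "$vals" | {
    bad=0
    while IFS= read -r v; do
      value_excludes_sslv3 "$v" || { echo "FAIL $key $v"; bad=1; }
    done
    [ "$bad" -eq 0 ]
  } || return 1
  echo "OK   $key"
}
check_apache() { check_every SSLProtocol "$@"; }
check_nginx()  { check_every ssl_protocols "$@"; }

# Postfix: the last assignment in main.cf wins; unset means Postfix's own default.
check_postfix() {
  local p v bad=0
  for p in smtpd_tls_protocols smtpd_tls_mandatory_protocols \
           smtp_tls_protocols smtp_tls_mandatory_protocols; do
    v=$(directive_values "$p" "$1" | tail -n 1)
    if value_excludes_sslv3 "$v"; then echo "OK   $p = $v"; else echo "FAIL $p = '$v'"; bad=1; fi
  done
  return $bad
}

# Dovecot: ssl_protocols (2.1/2.2) or ssl_min_protocol (2.3+) in any of the files.
check_dovecot() {
  local v
  v=$(directive_values ssl_protocols "$@" | tail -n 1)
  if value_excludes_sslv3 "$v"; then echo "OK   ssl_protocols = $v"; return 0; fi
  v=$(directive_values ssl_min_protocol "$@" | tail -n 1)
  case "$v" in TLSv1*) echo "OK   ssl_min_protocol = $v"; return 0 ;; esac
  echo "FAIL dovecot: no ssl_protocols/ssl_min_protocol excluding SSLv3"; return 1
}

# Courier: method selectors for the SSL port and for STARTTLS (imapd-ssl, pop3d-ssl).
check_courier() {
  local k v bad=0
  for k in TLS_PROTOCOL TLS_STARTTLS_PROTOCOL; do
    v=$(directive_values "$k" "$1" | tail -n 1)
    if value_excludes_sslv3 "$v"; then echo "OK   $k=$v"; else echo "FAIL $k='$v'"; bad=1; fi
  done
  return $bad
}

# pure-ftpd: the Debian wrapper must map conf/TLSCipherSuite to -J and the
# cipher string must drop the SSLv3 suites.
check_pureftpd() {
  local v
  grep -qF "'TLSCipherSuite' => ['-J %s'" "$1" 2>/dev/null ||
    { echo "FAIL $1: no TLSCipherSuite -> -J entry"; return 1; }
  v=$(head -n 1 "$2" 2>/dev/null)
  case "$v" in
    *'!SSLv3'*) echo "OK   TLSCipherSuite=$v" ;;
    *)          echo "FAIL TLSCipherSuite='$v'"; return 1 ;;
  esac
}

# Skip a check whose first config file is absent (a host has Apache or nginx,
# and Dovecot or Courier).
if_installed() {
  [ -e "$2" ] || { echo "skip $1: $2 not present"; return 0; }
  "$@"
}

# Debian 7 paths from this guide plus the assumed conf.d/sites-enabled locations.
audit_debian_server() {
  local bad=0
  if_installed check_apache   /etc/apache2/mods-available/ssl.conf /etc/apache2/sites-enabled/* || bad=1
  if_installed check_nginx    /etc/nginx/nginx.conf /etc/nginx/sites-enabled/*                 || bad=1
  if_installed check_postfix  /etc/postfix/main.cf                                             || bad=1
  if_installed check_dovecot  /etc/dovecot/dovecot.conf /etc/dovecot/conf.d/10-ssl.conf        || bad=1
  if_installed check_courier  /etc/courier/imapd-ssl                                           || bad=1
  if_installed check_courier  /etc/courier/pop3d-ssl                                           || bad=1
  if_installed check_pureftpd /usr/sbin/pure-ftpd-wrapper /etc/pure-ftpd/conf/TLSCipherSuite  || bad=1
  return $bad
}

if [ "${1:-}" = "--system" ]; then audit_debian_server; fi
```

Run it as sh poodle-audit.sh --system on the server, or source it and call the individual checks with your own paths; it only reads the files and changes nothing. A FAIL from the audit and a "rejected" from a live probe can both be true at once, for instance when a vhost carries its own permissive SSLProtocol line for a name you did not probe, which is exactly why both views are worth keeping.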

Comments

From: Anonymous

Hi guys, I applied these changes on my Debian 7 (ISPConfig 3.0.5.4p4) but now I can't log in with FileZilla to my FTP accounts. And I see this error in my ISPConfig panel status of services. Please help me.

FTP-Server:

Offline

 

From:

After a reboot, on all of them service runs correctly

From: Stefan

POP3DSSLSTART=NO and IMAPDSSLSTART=NO will actually disable the secure daemons completely! Keep both on YES if you want to use those services.

From: ermanno

How about site/SSL generation? Need to switch all to SHA-256. ISPConfig 3 (3.0.5p4) generates the deprecated SHA-1.

From: Ben

The article mentions mitigation in Dovecot >= 2.1 only. To mitigate the attack in Dovecot 2.0, edit /etc/dovecot/conf.d/10-ssl.conf and add the following line to the bottom: ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL Then, restart Dovecot with "service dovecot restart" (as root user -- or use "sudo" as appropriate).

From:

I think the correct one is 

'TLSCipherSuite' => ['-j %s', \&parse_string],

not a capital J. With the capital letter on Ubuntu it gives an error

/usr/sbin/pure-ftpd-mysql-virtualchroot: invalid option -- 'J'
 

From:

The option -j exists to create a home dir; it is not related to SSL. Maybe the pure-ftpd on your server does not support the -J option yet. On Debian, where I tested the guide, the -J option exists. From the pure-ftpd manpage on Debian 7:

-J --tlsciphersuite

From:

I have to check. I have ubuntu..

 

From: admin

Run:

man pure-ftpd

to get the manpage. If it does not list the -J option on your server, then this pure-ftpd version does not support restricting the SSL mode.

From:

It doesn't work on Debian 6 (Squeeze). The "-J" switch is missing.

From: A.Rehm

And what setting would be sufficient for courier?

From: Anonymous

I followed directions above but when I try to restart PURE FTP I get this

service pure-ftpd-mysql restart
Restarting ftp server: /usr/sbin/pure-ftpd-wrapper: Invalid configuration file /etc/pure-ftpd/conf/TLS: No corresponding directive

From: Anonymous

All works fine on Ubuntu 14.

Those having issues with Ubuntu or Debian, do not remove:

'TLS' => ['-Y %d', \&parse_number_1],

Add the TLSCipherSuite right after TLS:

'TLSCipherSuite' => ['-J %s', \&parse_string],

For the person who posted about the -J command: the Ubuntu man pages show the -J as capital for TLSCipher, so it's correct. (-j lowercase is for createhomedir.)

I made the mistake of replacing the original TLS entry with the TLSCipherSuite.

Results:
Restarting ftp server: /usr/sbin/pure-ftpd-wrapper: Invalid configuration file /etc/pure-ftpd/conf/TLSCipherSuite: No corresponding directive.

May be what happened to the 1st person who commented here.

Make sure you don't delete the TLS.

Thanks for this post OP, and hope this helps anyone else on Ubuntu.

From:

worked for me (Debian 7)

From: xciso

Hello. I did the changes above about Pure-FTP

My looks like this:

Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -E -J HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3 -b -H -u 1000 -8 UTF-8 -O clf:/var/log/pure-ftpd/transfer.log -Y 1 -D -A -B

Is that ok?

From: admin

Thats ok, the important part is:

-J HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3

From: Jasper

I get this error when following the instruction for dovecot: Unknown setting: ssl_protocols. How to fix this? Thanks!

From: admin

Did you check the Dovecot version as described in the guide? Only Dovecot 2.1 and newer support SSL protocol settings.

From: Przemek

After the security changes, SquirrelMail displays an error

Bad request: The IMAP server is reporting that plain text logins are disabled. Using CRAM-MD5 or DIGEST-MD5 authentication instead may work. Also, the use of TLS may allow SquirrelMail to login. Please contact your system administrator and report this error.

when I turn on the login TLS in SqMail config.php in

2.  Server Settings
A.  Update IMAP Settings   : localhost:143 (other)
7.  Secure IMAP (TLS)      : true

I have the next error message from SqMail

 Error connecting to IMAP server: tls://localhost.
0 :

 Before the security changes everything worked properly.