How to secure your ISPConfig 3 server against the POODLE SSL attack
Version 1.2
Author: Till Brehm <t [dot] brehm [at] howtoforge [dot] com>
Published 2014-10-16
In the following guide I will describe the steps to secure your server against the recent POODLE SSL attack. I will use an ISPConfig 3 perfect server on Debian 7 for my examples, but the same steps will work on any other Linux distribution as well. A default ISPConfig hosting server runs the following services that offer SSL/TLS connections and are therefore potential targets for a POODLE attack: the web server (nginx or Apache), the mail server (Postfix and Dovecot / Courier) and the FTP server (pure-ftpd).
I assume that you are logged into your server as the root user. If you work on Ubuntu and are not logged in as root, then prepend "sudo" to all commands or run "sudo -s" to become the root user.
Apache Webserver
To secure an Apache web server, the line
SSLProtocol all -SSLv2 -SSLv3
has to be added to each SSL vhost on the server. If the SSLProtocol setting is not explicitly set in a vhost, then the global setting applies. In the case of an ISPConfig 3 server, the SSLProtocol setting can be set globally, as the vhosts don't override that setting. On a Debian or Ubuntu server, open the file /etc/apache2/mods-available/ssl.conf in an editor:
nano /etc/apache2/mods-available/ssl.conf
scroll down until you see the lines:
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
and change them to:
# enable only secure protocols: but not SSLv2 and SSLv3
SSLProtocol all -SSLv2 -SSLv3
Then restart Apache:
service apache2 restart
Nginx Webserver
For an nginx web server, the line
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
has to be added to each SSL server { } section. If ssl_protocols is not explicitly set in a server { } section, then the global setting of the http { } section applies. In the case of an ISPConfig 3 server, ssl_protocols can be set globally in the http { } section, as the server { } sections don't override that setting. On a Debian or Ubuntu server, open the file /etc/nginx/nginx.conf in an editor
nano /etc/nginx/nginx.conf
and add the line:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
after the line:
http {
Then restart nginx:
service nginx restart
Postfix mail server
To stop Postfix from offering the SSLv2 and SSLv3 protocols, run these commands:
postconf -e 'smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3'
postconf -e 'smtpd_tls_protocols=!SSLv2,!SSLv3'
postconf -e 'smtp_tls_protocols=!SSLv2,!SSLv3'
This will add the lines:
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
to the /etc/postfix/main.cf file. Then run this command to apply the new configuration:
service postfix restart
Dovecot IMAP / POP3 server
Dovecot supports SSL protocol settings in version 2.1 and newer, so the first step is to find out which Dovecot version you use. The command is:
dovecot --version
On my server I got the following result:
root@server1:~# dovecot --version
2.1.7
root@server1:~#
which indicates that my server supports the ssl_protocols setting.
Edit the Dovecot configuration file
nano /etc/dovecot/dovecot.conf
and add the line
ssl_protocols = !SSLv2 !SSLv3
right after the ssl_key line, so that this part of your file looks like this:
ssl_key = </etc/postfix/smtpd.key
ssl_protocols = !SSLv2 !SSLv3
and finally restart Dovecot to apply the changes:
service dovecot restart
Courier POP3 / IMAP server
The Courier IMAP and POP3 servers offer connections over the SSLv3 protocol by default, so they have to be reconfigured as well. The Courier configuration files are in the directory /etc/courier/. First we start with the config file of the IMAP daemon:
nano /etc/courier/imapd-ssl
Add or replace the following lines:
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1
Then edit the config file of the POP3 daemon:
nano /etc/courier/pop3d-ssl
Add or replace the following lines:
POP3STARTTLS=YES
POP3_TLS_REQUIRED=1
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1
Finally restart the Courier daemons:
service courier-imap-ssl restart
service courier-pop-ssl restart
FTP with pure-ftpd
Securing pure-ftpd on Debian and Ubuntu is a bit more complicated, as the /usr/sbin/pure-ftpd-wrapper script from Debian does not support the -J switch, which pure-ftpd uses to set the TLS cipher suite and thereby the SSL protocols. So the first step is to add support for the -J option to the wrapper script. This will not work on Debian 6, as the pure-ftpd version in Debian 6 is too old and does not have a setting for SSL protocols; the only option for Debian 6 users is to upgrade to Debian 7. Open the file
nano /usr/sbin/pure-ftpd-wrapper
and scroll down to the line
'TLS' => ['-Y %d', \&parse_number_1],
and add this new line right afterwards:
'TLSCipherSuite' => ['-J %s', \&parse_string],
Finally we create a config file which contains the SSL protocols that we want to allow:
echo 'HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3' > /etc/pure-ftpd/conf/TLSCipherSuite
To apply the changes, restart pure-ftpd. On my server I use pure-ftpd with MySQL, so the name of the daemon is pure-ftpd-mysql instead of just pure-ftpd.
service pure-ftpd-mysql restart
The result should be similar to this:
root@server1:~# service pure-ftpd-mysql restart
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -Y 1 -8 UTF-8 -H -J HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3 -D -b -O clf:/var/log/pure-ftpd/transfer.log -E -u 1000 -A -B
root@server1:~#
So the -J option has been added successfully to the start sequence of the daemon.
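As an added example that is not part of the original guide, here is a small Python audit script that parses the protocol settings changed above (Apache SSLProtocol, nginx ssl_protocols, the three Postfix *_tls_protocols parameters and Dovecot ssl_protocols) and reports whether each file still allows SSLv3; the sample config snippets are constructed to mirror the stock Debian 7 lines and the replacements from this guide. It reads one file at a time, so for Apache and nginx any vhost or server { } section that sets its own protocol list must be checked separately; Courier and pure-ftpd are not covered.

```python
# Added example (not from the guide): an offline audit of the settings this guide
# changes, with one small parser per config format it touches.
import re

def apache_allows_sslv3(conf):
    """'SSLProtocol all -SSLv2 -SSLv3': '+'/bare adds, '-' removes, left to right."""
    m = re.search(r"^\s*SSLProtocol\s+(.+?)\s*$", conf, re.M)
    enabled = set()
    for tok in (m.group(1).split() if m else ["all"]):  # no directive: default 'all'
        name = tok.lstrip("+-")  # 'all' as Apache 2.2 on OpenSSL 1.0.1 expands it
        group = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"} if name.lower() == "all" else {name}
        enabled = enabled - group if tok.startswith("-") else enabled | group
    return "SSLv3" in enabled

def nginx_allows_sslv3(conf):
    """ssl_protocols is a positive list; nginx of that era enabled SSLv3 by default."""
    found = re.findall(r"^\s*ssl_protocols\s+([^;]+);", conf, re.M)
    return not found or any("SSLv3" in v.split() for v in found)

def _excluding_setting_allows_sslv3(conf, key):
    """Postfix/Dovecot style 'key = !SSLv2,!SSLv3': '!' excludes, bare names include."""
    m = re.search(r"^\s*%s\s*=\s*(.*)$" % re.escape(key), conf, re.M)
    toks = [t for t in re.split(r"[,\s]+", m.group(1).strip()) if t] if m else []
    if not toks:
        return True  # unset or empty: both daemons then still offer SSLv3
    if any(not t.startswith("!") for t in toks):
        return "SSLv3" in toks  # inclusion form, e.g. 'TLSv1,TLSv1.1,TLSv1.2'
    return "!SSLv3" not in toks

def postfix_allows_sslv3(main_cf):
    """Any of the three *_tls_protocols settings left open keeps SSLv3 on."""
    keys = ("smtpd_tls_mandatory_protocols", "smtpd_tls_protocols", "smtp_tls_protocols")
    return any(_excluding_setting_allows_sslv3(main_cf, k) for k in keys)

def dovecot_allows_sslv3(conf):
    return _excluding_setting_allows_sslv3(conf, "ssl_protocols")

# Constructed samples: the stock Debian 7 lines beside the guide's replacements.
SAMPLES = {
    "apache": (apache_allows_sslv3, "SSLProtocol all -SSLv2\n", "SSLProtocol all -SSLv2 -SSLv3\n"),
    "nginx": (nginx_allows_sslv3, "http {\n}\n", "http {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"),
    "postfix": (postfix_allows_sslv3, "smtpd_use_tls = yes\n", "smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3\n"
                "smtpd_tls_protocols = !SSLv2,!SSLv3\nsmtp_tls_protocols = !SSLv2,!SSLv3\n"),
    "dovecot": (dovecot_allows_sslv3, "ssl = yes\n", "ssl = yes\nssl_protocols = !SSLv2 !SSLv3\n"),
}

def audit(samples=SAMPLES):
    """Return {service: (sslv3_on_before_fix, sslv3_on_after_fix)} for each sample."""
    return {name: (chk(before), chk(after)) for name, (chk, before, after) in samples.items()}
```

Calling audit() on the constructed samples reports SSLv3 on for every "before" file and off for every "after" file; to audit a real server, pass the contents of the actual config files to the individual checkers.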