How to secure your ISPConfig 3 server against the poodle SSL attack

Version 1.1 
Author: Till Brehm<t [dot] brehm [at] howtoforge [dot] com> 
 Follow howtoforge on Twitter
Published   2014-10-16
Last edited 2014-10-17

In the following guide I will describe the steps to secure your server against the recent poodle SSL attack. I will use a ISPConfig 3 perfect server on Debian 7 for my examples, but the same steps will work on any other Linux Distribution as well. A default ISPConfig hosting server runs the following services: Webserver (Nginx or apache), Mailserver (Postfix and Dovecot / Courier), FTP-Server (pure-ftpd) that offer SSL / TLS connections and are potential targets for a poodle attack.

I assume that you are logged into your server as root user. If you work on Ubuntu and are not logged in as root, then prepend "sudo" to all commands or run "sudo -" to become root user.

Apache Webserver

To secure an apache webserver, the line

SSLProtocol all -SSLv2 -SSLv3

has to be added in each SSL vhost on the server. If the SSLProtocol setting is not explicitly set in a vhost, then the global setting gets applied. In case of a ISPConfig 3 server, the SSLProtocol setting can be set globally as the vhosts dont override that setting. On a Debian or Ubuntu Server, open the file /etc/apache2/mods-available/ssl.conf in a editor

nano /etc/apache2/mods-available/ssl.conf

scroll down until you see the lines:

# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2

and change them to:

# enable only secure protocols: but not SSLv2 and SSLv3
SSLProtocol all -SSLv2 -SSLv3

Then restart apache

service apache2 restart

Nginx Webserver

For an nginx webserver, the line

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

has to be added in each SSL server { } serction. If the SSLProtocol setting is not explicitly set in a server { } section, then the global setting of the http { } section get applied. In case of a ISPConfig 3 server, the SSLProtocol setting can be set globally in http { } section as the server { } sections dont override that setting. On a Debian or Ubuntu Server, open the file /etc/nginx/nginx.conf in a editor

nano /etc/nginx/nginx.conf

and add the line:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

after the line:

http {

then restart nginx:

service nginx restart

Postfix mail server

To force postfix to not supply the SSLv2 and SSLv3 protocol, run these commands:

postconf -e 'smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3'
postconf -e 'smtpd_tls_protocols=!SSLv2,!SSLv3'
postconf -e 'smtp_tls_protocols=!SSLv2,!SSLv3'

This will add the lines:

smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3

in the /etc/postfix/main.cf file. Then run this command to apply the new configuration:

service postfix restart

Dovecot IMAP / POP3 server

Dovecot supports SSL protocol settings in version 2.1 and newer. So the first step is to find out which dovecot version you use. The command is:

dovecot --version

on my server I got the following result:

root@server1:~# dovecot --version
2.1.7
root@server1:~#

which indicates that my server supports ssl_protocol settings.

Edit the dovecot configuration file

nano /etc/dovecot/dovecot.conf

and add the line

ssl_protocols = !SSLv2 !SSLv3

right after the ssl_key line, so your file should look like this:

ssl_key = </etc/postfix/smtpd.key
ssl_protocols = !SSLv2 !SSLv3

and finally restart dovecot to apply the changes:

service dovecot restart

Courier POP3 / IMAP server

The courier imap and pop3 server offers connections over the SSLv3 protocol by default, so we have to reconfigure it as well. The courier configuration files are in the folder /etc/courier/. First we start with the config file of the IMAP daemon:

nano /etc/courier/imapd-ssl

Add or replace the following lines:

IMAPDSSLSTART=NO
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1

Then edit the config file of the POP3 Daemon:

nano /etc/courier/pop3d-ssl

Add or replace the following lines:

POP3DSSLSTART=NO
POP3STARTTLS=YES
POP3_TLS_REQUIRED=1
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1

Finally restart the courier daemons:

service courier-imap-ssl restart
service courier-pop-ssl restart

FTP with pure-ftpd

Securing pure-ftpd on Debian and Ubuntu is a bit more complicated as the /usr/sbin/pure-ftpd-wrapper script from Debian does not support the -J switch whihc is used by pure-ftpd to set the ssl protocols. So the first step is that we add support for the -J option in the wrapper script. This will not work in Debian 6 as the pure-ftpd Version in Debian 6 is too old and does not has a setting for SSL protocols. So the only option for Debian 6 users will be to upgrade to Debian 7. Open the file

nano /usr/sbin/pure-ftpd-wrapper

and scroll down to the line

'TLS' => ['-Y %d', \&parse_number_1],

and add this new line right afterwards:

'TLSCipherSuite' => ['-J %s', \&parse_string],

Finally we create a config file which contains the SSL protocols that we want to allow:

echo 'HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3' > /etc/pure-ftpd/conf/TLSCipherSuite

to apply the changes, restart pure-ftpd. On my server, I use pure-ftpd with mysql, so the name of the daemon is pure-ftpd-mysql instead of just pure-ftpd.

service pure-ftpd-mysql restart

the result should be similar to this:

root@server1:~# service pure-ftpd-mysql restart
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -Y 1 -8 UTF-8 -H -J HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3 -D -b -O clf:/var/log/pure-ftpd/transfer.log -E -u 1000 -A -B
root@server1:~#

so the -J option has been added successfully to the start sequence of the daemon.

Links

• SSL poodle attack
• ISPConfig