• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion
  • Please beaware of a breaking change in the REST API on the next Plesk release (18.0.62).
    Starting from Plesk Obsidian 18.0.62, requests to REST API containing the Content-Type header with a media-type directive other than “application/json” will result in the HTTP “415 Unsupported Media Type” client error response code. Read more here

Issue I lost access to control panel

behrouz

behrouz

New Pleskian
hi

I ran this file on the server to solve probable SSL problems. (The file that is mentioned in this address). Now I lost access to control panel. please help me.
https://support.plesk.com/hc/en-us/articles/213950205

how can i restore the backups that the patch file has created


//The page that suggested the patch file was removed after reporting the problem to plesk!!!!
file: http://buralan.com/upload/SSLfix.zip

screenshot.png
 
@Integrator

this patch contains these settings, i managed to roll back some of them. but still i can't access my panel


Code: 
#!/bin/sh
# -*- vim:ft=sh
# rev. 0.1 
die()
{
    echo "$*"
    exit 1
}

service_restart()
{
    cmd="$1"
    need_restart="$2"
    [ "$need_restart" = "1" ] && $cmd >/dev/null 2>&1
}

get_os()
{
    if [ -e '/etc/debian_version' ]; then
        if [ -e '/etc/lsb-release' ]; then
            # Mostly ubuntu, but debian can have it
            . /etc/lsb-release
            os_name=$DISTRIB_ID
        else
            os_name='Debian'
        fi
        pkgtype="deb"
    elif [ -e '/etc/SuSE-release' ]; then
        os_name='SuSE'
        pkgtype="rpm"
    elif [ -e '/etc/redhat-release' ]; then
        os_name=`awk '{print $1}' /etc/redhat-release`
        pkgtype="rpm"
    else
        die "Unable to detect the operating system."
    fi

    [ -n "$os_name" ]    || die "Unable to detect the operating system."
}

do_backup()
{
    local cfg="$1"
    local bkp_cfg="${cfg}_ssl_${module_prefix}.bak"
    echo "Backing up $cfg to $bkp_cfg"
    cp --backup=numbered -f $cfg $bkp_cfg
}

set_value()
{
        local variable="$1"
        local value="$2"
        local delimiter="$3"
        local quote="${4:-\\\"}"
        local config="$5"

        grep -q "^[[:space:]]*$variable" $config
        if [ $? -eq 0 ]; then
                sed -i -e "s|^[[:space:]]*${variable}.*|${variable}${delimiter}${quote}${value}${quote}|g" $config
                return 0
        else
                echo "${variable}${delimiter}${quote}${value}${quote}" >> $config
        fi
        return 0
}

is_function()
{
        local type_output="`LANG=C LC_ALL=C LC_MESSAGES=C type \"$1\" 2>/dev/null | head -n 1`"
        case "$type_output" in
                *function) return 0 ;;
        esac
        return 1
}

set_apache_params()
{
        case $os_name in
        CentOS*|RedHat*|Cloud*)
                apache_d="/etc/httpd"
                apache_conf_d="$apache_d/conf.d"
                service_cmd="service httpd restart"
                apache_version_str="`httpd -v | awk '/Server version/ {print $3}'`"
        ;;
        SuSE*)
                apache_d="/etc/apache2"
                apache_conf_d="$apache_d/vhosts.d"
                service_cmd="service apache2 restart"
                apache_version_str="`apache2 -v | awk '/Server version/ {print $3}'`"
        ;;
        Debian*|Ubuntu*)
                apache_d="/etc/apache2"
                for dir in mods-enabled conf-enabled conf.d; do
                        [ -d "$apache_d/$dir" ] && apache_conf_d="$apache_d/$dir" && break
                        apache_conf_d=""
                done
                service_cmd="/etc/init.d/apache2 restart"
                apache_version_str="`apache2 -v | awk '/Server version/ {print $3}'`"
        ;;
        *)
                die "Unable to define apache SSL config file"
        ;;
        esac

        apache_version_major="`echo $apache_version_str | awk -F '.' '{print $2}'`"
        apache_version_minor="`echo $apache_version_str | awk -F '.' '{print $3}'`"
        apache_cfg="$apache_conf_d/ssl.conf"
}
 
AND

Code: 
get_courier_version()
{
        courier_version="`imapd --version | awk '{print $2}' | awk -F '/' '{print $1}'`"
        courier_major_version="`echo $courier_version | awk -F '.' '{print $1}'`"
        courier_minor_version="`echo $courier_version | awk -F '.' '{print $2}'`"
}

get_product_version()
{
        product_version="`cat /usr/local/psa/version`"
        product_major_version="`echo $product_version | awk -F '.' '{print $1}'`"
}

get_openssl_version()
{
        openssl_version="`openssl version | awk '{print $2}' | sed 's|^\([[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*\).*$|\1|'`"
        openssl_major_version="`echo $openssl_version | awk -F '.' '{print $1}'`"
        openssl_minor_version="`echo $openssl_version | awk -F '.' '{print $2}'`"
        openssl_revision_version="`echo $openssl_version | awk -F '.' '{print $3}'`"
}

is_tls_new()
{
get_openssl_version

if [ "$openssl_major_version" -ge 1 -a "$openssl_minor_version" -ge 0 -a "$openssl_revision_version" -ge 1 -o "$openssl_minor_version" -ge 1 -a "$openssl_revision_version" -ge 0 ]; then
    echo "true"

fi
}


get_dovecot_version()
{
        dovecot_version="`dovecot --version`"
        dovecot_major_version="`echo $dovecot_version | awk -F '.' '{print $1$2}'`"
        dovecot_minor_version="`echo $dovecot_version | awk -F '.' '{print $3}'`"
}

# -*- vim:ft=sh

set_v3_params()
{
    module_prefix="v3"
    description="Processing the SSLv3 POODLE vulnerability."
}

fix_apache_v3()
{
        echo "---> Fix SSL configuration for apache web server..."
        set_apache_params
        do_backup $apache_cfg
        set_value "SSLHonorCipherOrder" "On" " " " " $apache_cfg
        set_value "SSLProtocol" "all -SSLv2 -SSLv3" " " " " $apache_cfg

        service_restart "$service_cmd" "1"
}

fix_nginx_v3_old()
{
    echo "---> Fix SSL configuration for nginx web server..."

    nginx_pool_d="/etc/nginx/plesk.conf.d"
    vhost_cfg_default_d="$psa_d/admin/conf/templates/default"
    vhost_cfg_custom_d="$psa_d/admin/conf/templates/custom"

    ssl_cfg_list="
        /etc/nginx/plesk.conf.d/webmail.conf
        /etc/nginx/plesk.conf.d/server.conf
        $psa_d/admin/conf/templates/default/nginxWebmailPartial.php
        $psa_d/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
        $psa_d/admin/conf/templates/default/server/nginxVhosts.php
    "

    flag=0
    for cfg in $ssl_cfg_list; do
        [ -f "$cfg" ] || continue

        dst_cfg="$cfg"
        if [ -n "`echo $cfg | grep $vhost_cfg_default_d`" ]; then
                dst_cfg="`echo $cfg | sed -e \"s|$vhost_cfg_default_d|$vhost_cfg_custom_d|\"`"
                mkdir -p ${dst_cfg%/*}
                cp $cfg $dst_cfg
        else
                do_backup $dst_cfg
        fi
        sed -i -e "s|^\([[:space:]]*ssl_protocols\).*|\1                TLSv1 TLSv1.1 TLSv1.2;|" $dst_cfg
        flag=1
    done

    [ $flag -eq 0 ] || $psa_d/admin/bin/httpdmng --reconfigure-all

    case $os_name in
        Debian*|Ubuntu*) service_cmd="/etc/init.d/nginx restart" ;;
        *) service_cmd="service nginx restart" ;;
    esac

    service_restart "$service_cmd" "1"
}

fix_nginx_v3()
{
    echo "---> Fix SSL configuration for nginx web server..."
    mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa -e"REPLACE INTO misc VALUES('disablesslv3','true');"

   $psa_d/admin/bin/httpdmng --reconfigure-all

   case $os_name in
        Debian*|Ubuntu*) service_cmd="/etc/init.d/nginx restart" ;;
        *) service_cmd="service nginx restart" ;;
    esac

   service_restart "$service_cmd" "1"

}

fix_postfix_v3()
{
        echo "---> Fix SSL configuration for postfix mail server..."

        [ -f "/etc/postfix/main.cf" ] || return 0
        do_backup /etc/postfix/main.cf

        #options="smtpd_tls_mandatory_protocols tls_low_cipherlist tls_medium_cipherlist tls_high_cipherlist tls_null_cipherlist"
        options="smtpd_tls_mandatory_protocols"

        flag=0
        for opt in $options; do
                protocols="`postconf $opt | awk -F '=' '{print $2}'`"
                echo $protocols | grep -q '!SSLv3'
                if [ $? -ne 0 ]; then
                        postconf ${opt}="${protocols}:!SSLv3"
                        flag=1
                fi
        done

        case $os_name in
        Debian*|Ubuntu*) service_restart "/etc/init.d/postfix restart" "1" ;;
        *) service_restart "service postfix restart" "1" ;;
        esac
}
 
AND

Code: 
fix_courier_v3()
{
        echo "---> Fix SSL accessible protocols for courier-imap mail server"

        cfg_list="/etc/courier-imap/imapd-ssl /etc/courier-imap/pop3d-ssl"

        flag=0
        for cfg in $cfg_list; do
                [ -f "$cfg" ] || continue

                do_backup $cfg

                flag=1
                set_value "TLS_PROTOCOL" "TLSv1+" "=" "" $cfg
        done

        case $os_name in
        Debian*|Ubuntu*)
                service_restart "/etc/init.d/courier-imaps restart" "$flag"
                service_restart "/etc/init.d/courier-pop3s restart" "$flag"
                service_restart "/etc/init.d/courier-imapd restart" "$flag"
        ;;
        *)
                service_restart "service courier-imaps restart" "$flag"
                service_restart "service courier-pop3s restart" "$flag"
                service_restart "service courier-imapd restart" "$flag"
        ;;
        esac
}

fix_dovecot_v3()
{
        echo "---> Fix SSL accessible protocols for dovecot mail server"

        #cfg_list="/etc/dovecot/conf.d/10-plesk-security.conf /etc/dovecot/conf.d/11-plesk-security-pci.conf"
        cfg_list="/etc/dovecot/conf.d/10-plesk-security.conf"

        flag=0
        for cfg in $cfg_list; do
                [ -f "$cfg" ] || continue
                do_backup $cfg
                flag=1
                set_value "ssl_protocols" "!SSLv2 !SSLv3" "=" " " $cfg
        done

        case $os_name in
        Debian*|Ubuntu*) service_cmd="/etc/init.d/dovecot restart" ;;
        *) service_cmd="service dovecot restart" ;;
        esac
        service_restart "$service_cmd" "$flag"
}

fix_proftpd_v3()
{
        echo "---> Disable SSLv3 for FTP service"

        if [ ! -d "/etc/proftpd.d/" ]; then
                mkdir -p /etc/proftpd.d/
                echo "Include /etc/proftpd.d" >> /etc/proftpd.conf
        fi

        cfg="/etc/proftpd.d/60-nosslv3.conf"
        if [ -f "$cfg" ]; then
            do_backup $cfg
        fi

    if [ "$is_tls_new" = 'True' ]; then
        echo "<Global>" >$cfg
        echo "<IfModule mod_tls.c>" >>$cfg
        echo "TLSProtocol TLSv1 TLSv1.1 TLSv1.2" >>$cfg
        echo "TLSCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" >>$cfg
        echo "</IfModule>" >> $cfg
        echo "</Global>" >> $cfg
    else
        echo "<IfModule mod_tls.c>" >>$cfg
        echo "TLSProtocol SSLv23" >>$cfg
        echo "TLSCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" >>$cfg
        echo "</IfModule>" >> $cfg
    fi 
}

fix_cp_server_v3()
{
    echo "---> Fix Plesk Panel web service"

    cfg="/etc/sw-cp-server/conf.d/pci-compliance.conf"

    if [ -f "$cfg" ]; then
        do_backup $cfg

        grep -q "^[[:space:]]*ssl_protocols" $cfg
        if [ $? -eq 0 ]; then
                sed -i -e "s|^\([[:space:]]*ssl_protocols\).*|\1                TLSv1 TLSv1.1 TLSv1.2;|" $cfg
        else
                echo  "ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;" >> $cfg
        fi
    else
        echo  "ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;" >> $cfg
        echo  "ssl_ciphers                 HIGH:!aNULL:!MD5;" >> $cfg
        echo  "ssl_prefer_server_ciphers   on;" >> $cfg
    fi

    service_restart "/etc/init.d/sw-cp-server restart" "1"
}

fix_qmail_v3()
{
    echo "---> Disable SSLv3 in Qmail MTA"
    cfg="/var/qmail/control/tlsserverciphers"
    [ -d "/var/qmail/control" ] || return 0
    if [ -f "$cfg" ]; then
        do_backup $cfg
    fi
    echo "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" > $cfg
}


# -*- vim:ft=sh

# https://www.howtoforge.com/tutorial/how-to-protect-your-debian-and-ubuntu-server-against-the-logjam-attack/
# https://www.8px.pl/linux-debian-ununtu-ochrona-przed-logjam-nginx-apache-postfix/

# Checking guide:
# http://security.stackexchange.com/questions/89773/how-to-check-if-a-server-is-not-vulnerable-to-logjam

set_dh_params()
{
        module_prefix="dh"
        dh_certfile="/usr/local/psa/etc/dhkey.pem"
        description="Processing the Diffie-Hellman vulnerability."
}

dh_prepare()
{
        create_dhkey
}

create_dhkey()
{
        [ -f "$dh_certfile" ] && return

        curdir="`pwd`"
        cd ${dh_certfile%/*}
        dd if=/dev/urandom of=dhparams.rand.tmp count=1 2>/dev/null
        openssl dhparam -rand dhparams.rand.tmp -out ${dh_certfile##*/} 2048
        rm -f /usr/share/dhparams.rand.tmp
        chown root:root $dh_certfile
        chmod 0644 $dh_certfile
        cd $curdir
}

fix_apache_dh()
{
        # Taken from:
        # http://serverfault.com/questions/693241/how-to-fix-logjam-vulnerability-in-apache-httpd

        echo "---> Fix SSL configuration for apache web server..."

        set_apache_params
        get_openssl_version
        do_backup $apache_cfg

        # Add new parameter in config file for apache >= 2.4.8 and openssl >= 1.0.2
        if [ "$apache_version_major" -ge 4 -a "$apache_version_minor" -ge 8 -a "$openssl_major_version" -ge 1 -a "$openssl_revision_version" -ge 2 ]; then
                set_value "SSLOpenSSLConfCmd" "DHParameters \"$dh_certfile\"" " " " " $apache_cfg
        fi

        # Add Ciphers list for old apache versions
        set_value "SSLCipherSuite" "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" " " " " $apache_cfg

        service_restart "$service_cmd" "1"
}
 
AND

Code: 
fix_nginx_dh()
{
    echo "---> Fix SSL configuration for nginx web server..."

    nginx_pool_d="/etc/nginx/plesk.conf.d"
    vhost_cfg_default_d="$psa_d/admin/conf/templates/default"
    vhost_cfg_custom_d="$psa_d/admin/conf/templates/custom"

    ssl_cfg_list="
    /etc/nginx/plesk.conf.d/webmail.conf
    /etc/nginx/plesk.conf.d/server.conf
    $psa_d/admin/conf/templates/default/nginxWebmailPartial.php
    $psa_d/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
    $psa_d/admin/conf/templates/default/server/nginxVhosts.php
    "
    custom_cfg_list="
    $vhost_cfg_custom_d/nginxWebmailPartial.php
    $vhost_cfg_custom_d/domain/nginxDomainVirtualHost.php
    $vhost_cfg_custom_d/server/nginxVhosts.php
    "

    flag=0
    
    for dst_list in $custom_cfg_list; do
        if [ -f $dst_list ]; then
            do_backup $dst_list
        fi
    done
    for cfg in $ssl_cfg_list; do
        [ -f "$cfg" ] || continue

        dst_cfg="$cfg"
        if [ -n "`echo $cfg | grep $vhost_cfg_default_d`" ]; then
                dst_cfg="`echo $cfg | sed -e \"s|$vhost_cfg_default_d|$vhost_cfg_custom_d|\"`"
                mkdir -p ${dst_cfg%/*}
                cp $cfg $dst_cfg
        else
                do_backup $dst_cfg
        fi
        exists="`cat $dst_cfg | grep  'ssl_dhparam'`"
        if [ -n "$exists" ]; then
                sed -i -e "s|^\([[:space:]]*\)\(ssl_dhparam.*\)$|\1ssl_dhparam          ${dh_certfile};|" $dst_cfg
        else
                sed -i -e "s|^\([[:space:]]*\)\(ssl_protocols.*\)$|\1\2\n\1ssl_dhparam          ${dh_certfile};|" $dst_cfg
        fi
        flag=1
    done

    [ $flag -eq 0 ] || $psa_d/admin/bin/httpdmng --reconfigure-all

    case $os_name in
        Debian*|Ubuntu*) service_cmd="/etc/init.d/nginx restart" ;;
        *) service_cmd="service nginx restart" ;;
    esac

    service_restart "$service_cmd" "1"
}

fix_postfix_dh()
{
        echo "---> Fix SSL configuration for postfix mail server..."

        [ -f "/etc/postfix/main.cf" ] || return 0
        do_backup /etc/postfix/main.cf

        postconf smtpd_tls_mandatory_exclude_ciphers="aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA"
        postconf smtpd_tls_dh1024_param_file="$dh_certfile"

        case $os_name in
        Debian*|Ubuntu*) service_restart "/etc/init.d/postfix restart" "1" ;;
        *) service_restart "service postfix restart" "1" ;;
        esac
}

fix_courier_dh()
{
        echo "---> Fix SSL accessible protocols for courier-imap mail server"

        cfg_list="/etc/courier-imap/imapd-ssl /etc/courier-imap/pop3d-ssl"

        get_courier_version

        flag=0
        for cfg in $cfg_list; do
                [ -f "$cfg" ] || continue
                if [ "$courier_major_version" -ge 4 -a "$courier_minor_version" -ge 15 ]; then
                        do_backup $cfg
                        set_value "TLS_DHPARAMS" "${dh_certfile}" "=" "" $cfg
                        flag=1
                fi
         done

         [ -f "/usr/sbin/mkdhparams" ] ||return 0
            do_backup /usr/sbin/mkdhparams

            sed -i s,BITS=768,BITS=2048,g /usr/sbin/mkdhparams
            sed -i /"chmod 600"/d /usr/sbin/mkdhparams

        case $os_name in
        Debian*|Ubuntu*)
                service_restart "/etc/init.d/courier-imaps restart" "$flag"
                service_restart "/etc/init.d/courier-pop3s restart" "$flag"
                service_restart "/etc/init.d/courier-imapd restart" "$flag"
        ;;
        *)
                service_restart "service courier-imaps restart" "$flag"
                service_restart "service courier-pop3s restart" "$flag"
                service_restart "service courier-imapd restart" "$flag"
        ;;
        esac
}

fix_dovecot_dh()
{
        which dovecot 1>/dev/null 2>&1 || return

        echo "---> Fix SSL accessible protocols for dovecot mail server"

        get_dovecot_version

        #cfg_list="/etc/dovecot/conf.d/10-plesk-security.conf /etc/dovecot/conf.d/11-plesk-security-pci.conf"
        cfg_list="/etc/dovecot/conf.d/10-plesk-security.conf"

        flag=0
        for cfg in $cfg_list; do
                [ -f "$cfg" ] || continue
                do_backup $cfg
                flag=1
                set_value "ssl_cipher_list" "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" "=" " " $cfg
                if [ "$dovecot_major_version" -ge "22" ]; then
                        if [ "$dovecot_minor_version" -ge "6" ]; then
                                set_value "ssl_prefer_server_ciphers" "yes" "=" " " $cfg
                        fi

                        if [ "$dovecot_minor_version" -ge "7" ]; then
                                set_value "ssl_dh_parameters_length" "2048" "=" " " $cfg
                        fi
                fi
        done

        case $os_name in
        Debian*|Ubuntu*) service_cmd="/etc/init.d/dovecot restart" ;;
        *) service_cmd="service dovecot restart" ;;
        esac
        service_restart "$service_cmd" "$flag"
}

# Add new parameter in config file for proftp if openssl >= 1.0.1
get_openssl_version

if [ "$openssl_major_version" -ge 1 -a "$openssl_minor_version" -ge 0 -a "$openssl_revision_version" -ge 1 ]; then

fix_proftpd_dh()
{
        echo "---> Fix SSLv3(DH) for FTP service"

        cfg="/etc/proftpd.d/60-nosslv3.conf"
        ciphers="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
      
       if [ -f "$cfg" ]; then
        do_backup $cfg
       fi

        if [ ! -f "$cfg" ]; then
                echo "<Global>" > $cfg
                echo "<IfModule mod_tls.c>" >> $cfg
                echo "TLSProtocol TLSv1 TLSv1.1 TLSv1.2" >> $cfg
                echo "TLSCipherSuite $ciphers" >> $cfg
                echo "TLSDHParamFile  ${dh_certfile}" >> $cfg
                echo "</IfModule>" >> $cfg
                echo "</Global>" >> $cfg
                return
        fi

        if grep -q "^[[:space:]]*TLSCipherSuite" $cfg; then
                sed -i -e "s|^\([[:space:]]*\)\(TLSCipherSuite.*\)$|\1TLSCipherSuite ${ciphers}|" $cfg
        else
                sed -i -e "s|^\([[:space:]]*\)\(TLSProtocol.*\)$|\1\2\n\1TLSCipherSuite ${ciphers}|" $cfg
        fi

        if ! grep -q "^[[:space:]]*TLSDHParamFile" $cfg; then
                sed -i -e "s|^\([[:space:]]*\)\(TLSProtocol.*\)$|\1\2\n\1TLSDHParamFile ${dh_certfile}|" $cfg
        fi
}
fi
 
AND

Code: 
fix_cp_server_dh()
{
        echo "---> Fix Plesk Panel web service"

        get_product_version

        # Fix cp-server (lighthttpd)
        if [ "$product_major_version" -eq 11 ]; then
                cfg="/usr/local/psa/admin/conf/ssl-conf.sh"
                cfile="/usr/local/psa/admin/conf/cipher.lst"
                ciphers="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
                echo "$ciphers" > $cfile
                
        if [ -f "$cfg" ]; then
            do_backup $cfg
        fi
                if grep -q "^[[:space:]]*.*ssl\.dh-file" $cfg; then
                        sed -i -e "s|^\([[:space:]]*\)\(.*ssl\.dh-file.*\)$|\1ssl.dh-file = \"${dh_certfile}\"\'|" $cfg
                else
                        sed -i -e "s|^\([[:space:]]*\)\(.*ssl\.engine.*\)$|\1\2\n\1echo \'ssl.dh-file = \"${dh_certfile}\"\'|" $cfg
                fi
                $cfg
        else
                # Fix cp-server (nginx)
                cfg="/etc/sw-cp-server/conf.d/pci-compliance.conf"

                if [ -f "$cfg" ]; then
                        do_backup $cfg

                        if grep -q "^[[:space:]]*ssl_dhparam" $cfg; then
                                sed -i -e "s|^\([[:space:]]*\)\(ssl_dhparam.*\)$|\1ssl_dhparam          ${dh_certfile};|" $cfg
                        else
                                echo "ssl_dhparam               ${dh_certfile};" >> $cfg
                        fi
                else
                        echo  "ssl_protocols    TLSv1 TLSv1.1 TLSv1.2;" >> $cfg
                        echo  "ssl_ciphers              HIGH:!aNULL:!MD5;" >> $cfg
                        echo  "ssl_prefer_server_ciphers on;" >> $cfg
                        echo  "ssl_dhparam              ${dh_certfile};" >> $cfg
                fi
        fi

        service_restart "/etc/init.d/sw-cp-server restart" "1"
}

fix_qmail_dh()
{
    echo "---> Disable SSLv3 in Qmail MTA"
    cfg="/var/qmail/control/tlsserverciphers"
    [ -d "/var/qmail/control" ] || return 0
    if [ -f "$cfg" ]; then
        do_backup $cfg
    fi
    echo "ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM" > $cfg
}


# -*- vim:ft=sh

export LANG="C"
export LC_ALL="C"

mode="$1"
service="$2"

psa_d="/usr/local/psa"
services="apache nginx postfix courier dovecot proftpd cp_server qmail"
modules="v3 dh"

usage()
{
        echo "USAGE: $0 [mode [service]]"
        for mode in $modules; do
                set_${mode}_params
                echo "       $0 $mode [service] '$description'"
        done
        echo ""
        echo "SERVICES:"
        for service in $services; do
                echo "        $service"
        done
        exit 0
}

[ "$mode" = "help" ] && usage

get_os

[ -n "$mode" ] && modules="$mode"

flag=0
for module in $modules; do
        if is_function set_${module}_params; then
                set_${module}_params
                echo ""
                echo "${description}.."
        fi

        is_function ${module}_prepare && ${module}_prepare

        for mod in $services; do
                if [ -n "$service" ]; then
                        if [ "$service" = "$mod" ]; then
                                if is_function fix_${mod}_${module}; then
                                        fix_${mod}_${module}; flag=1; break
                                fi
                        fi
                        continue
                fi
                if is_function fix_${mod}_${module}; then
                        fix_${mod}_${module}; flag=1
                fi
        done
done

[ $flag -eq 0 ] && usage

exit 0
 
You must log in or register to reply here.

Similar threads

C
Resolved Plesk Obsidian Version 18.0.56 Update #4 on Ubuntu 22.04.3 LTS ModSecurity upload error on WordPress
Replies
1
Views
765
copec
C
kaw.one
Question (VPS) Cloudflare, Gmail and Other Plesk Panel 8443 (2 minutes - slow read)
Replies
1
Views
723
kaw.one
kaw.one
J
Resolved Can't login at Plesk admin panel (Plesk Onyx 17.0.17)
Replies
6
Views
9K
JVG
J
J
Issue Drweb won't start in new Debian12 installation
Replies
4
Views
424
Peter Debik
P
V
Issue RoundCube error : Oops... something went wrong!
Replies
2
Views
2K
Peter Debik
P
Back
Top