• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion
  • Inviting everyone to the UX test of a new security feature in the WP Toolkit
    For WordPress site owners, threats posed by hackers are ever-present. Because of this, we are developing a new security feature for the WP Toolkit. If the topic of WordPress website security is relevant to you, we would be grateful if you could share your experience and help us test the usability of this feature. We invite you to join us for a 1-hour online session via Google Meet. Select a convenient meeting time with our friendly UX staff here.

Issue I lost access to control panel

behrouz

behrouz

New Pleskian
hi

I ran this file on the server to solve probable SSL problems. (The file that is mentioned in this address). Now I lost access to control panel. please help me.
https://support.plesk.com/hc/en-us/articles/213950205

how can i restore the backups that the patch file has created


//The page that suggested the patch file was removed after reporting the problem to plesk!!!!
file: http://buralan.com/upload/SSLfix.zip

screenshot.png
 
@Integrator

this patch contains these settings, i managed to roll back some of them. but still i can't access my panel


Code: 
#!/bin/sh
# -*- vim:ft=sh
# rev. 0.1 
die()
{
    echo "$*"
    exit 1
}

service_restart()
{
    cmd="$1"
    need_restart="$2"
    [ "$need_restart" = "1" ] && $cmd >/dev/null 2>&1
}

get_os()
{
    if [ -e '/etc/debian_version' ]; then
        if [ -e '/etc/lsb-release' ]; then
            # Mostly ubuntu, but debian can have it
            . /etc/lsb-release
            os_name=$DISTRIB_ID
        else
            os_name='Debian'
        fi
        pkgtype="deb"
    elif [ -e '/etc/SuSE-release' ]; then
        os_name='SuSE'
        pkgtype="rpm"
    elif [ -e '/etc/redhat-release' ]; then
        os_name=`awk '{print $1}' /etc/redhat-release`
        pkgtype="rpm"
    else
        die "Unable to detect the operating system."
    fi

    [ -n "$os_name" ]    || die "Unable to detect the operating system."
}

do_backup()
{
    local cfg="$1"
    local bkp_cfg="${cfg}_ssl_${module_prefix}.bak"
    echo "Backing up $cfg to $bkp_cfg"
    cp --backup=numbered -f $cfg $bkp_cfg
}

set_value()
{
        local variable="$1"
        local value="$2"
        local delimiter="$3"
        local quote="${4:-\\\"}"
        local config="$5"

        grep -q "^[[:space:]]*$variable" $config
        if [ $? -eq 0 ]; then
                sed -i -e "s|^[[:space:]]*${variable}.*|${variable}${delimiter}${quote}${value}${quote}|g" $config
                return 0
        else
                echo "${variable}${delimiter}${quote}${value}${quote}" >> $config
        fi
        return 0
}

is_function()
{
        local type_output="`LANG=C LC_ALL=C LC_MESSAGES=C type \"$1\" 2>/dev/null | head -n 1`"
        case "$type_output" in
                *function) return 0 ;;
        esac
        return 1
}

set_apache_params()
{
        case $os_name in
        CentOS*|RedHat*|Cloud*)
                apache_d="/etc/httpd"
                apache_conf_d="$apache_d/conf.d"
                service_cmd="service httpd restart"
                apache_version_str="`httpd -v | awk '/Server version/ {print $3}'`"
        ;;
        SuSE*)
                apache_d="/etc/apache2"
                apache_conf_d="$apache_d/vhosts.d"
                service_cmd="service apache2 restart"
                apache_version_str="`apache2 -v | awk '/Server version/ {print $3}'`"
        ;;
        Debian*|Ubuntu*)
                apache_d="/etc/apache2"
                for dir in mods-enabled conf-enabled conf.d; do
                        [ -d "$apache_d/$dir" ] && apache_conf_d="$apache_d/$dir" && break
                        apache_conf_d=""
                done
                service_cmd="/etc/init.d/apache2 restart"
                apache_version_str="`apache2 -v | awk '/Server version/ {print $3}'`"
        ;;
        *)
                die "Unable to define apache SSL config file"
        ;;
        esac

        apache_version_major="`echo $apache_version_str | awk -F '.' '{print $2}'`"
        apache_version_minor="`echo $apache_version_str | awk -F '.' '{print $3}'`"
        apache_cfg="$apache_conf_d/ssl.conf"
}
 
AND

Code: 
get_courier_version()
{
        courier_version="`imapd --version | awk '{print $2}' | awk -F '/' '{print $1}'`"
        courier_major_version="`echo $courier_version | awk -F '.' '{print $1}'`"
        courier_minor_version="`echo $courier_version | awk -F '.' '{print $2}'`"
}

get_product_version()
{
        product_version="`cat /usr/local/psa/version`"
        product_major_version="`echo $product_version | awk -F '.' '{print $1}'`"
}

get_openssl_version()
{
        openssl_version="`openssl version | awk '{print $2}' | sed 's|^\([[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*\).*$|\1|'`"
        openssl_major_version="`echo $openssl_version | awk -F '.' '{print $1}'`"
        openssl_minor_version="`echo $openssl_version | awk -F '.' '{print $2}'`"
        openssl_revision_version="`echo $openssl_version | awk -F '.' '{print $3}'`"
}

is_tls_new()
{
get_openssl_version

if [ "$openssl_major_version" -ge 1 -a "$openssl_minor_version" -ge 0 -a "$openssl_revision_version" -ge 1 -o "$openssl_minor_version" -ge 1 -a "$openssl_revision_version" -ge 0 ]; then
    echo "true"

fi
}


get_dovecot_version()
{
        dovecot_version="`dovecot --version`"
        dovecot_major_version="`echo $dovecot_version | awk -F '.' '{print $1$2}'`"
        dovecot_minor_version="`echo $dovecot_version | awk -F '.' '{print $3}'`"
}

# -*- vim:ft=sh

set_v3_params()
{
    module_prefix="v3"
    description="Processing the SSLv3 POODLE vulnerability."
}

fix_apache_v3()
{
        echo "---> Fix SSL configuration for apache web server..."
        set_apache_params
        do_backup $apache_cfg
        set_value "SSLHonorCipherOrder" "On" " " " " $apache_cfg
        set_value "SSLProtocol" "all -SSLv2 -SSLv3" " " " " $apache_cfg

        service_restart "$service_cmd" "1"
}

fix_nginx_v3_old()
{
    echo "---> Fix SSL configuration for nginx web server..."

    nginx_pool_d="/etc/nginx/plesk.conf.d"
    vhost_cfg_default_d="$psa_d/admin/conf/templates/default"
    vhost_cfg_custom_d="$psa_d/admin/conf/templates/custom"

    ssl_cfg_list="
        /etc/nginx/plesk.conf.d/webmail.conf
        /etc/nginx/plesk.conf.d/server.conf
        $psa_d/admin/conf/templates/default/nginxWebmailPartial.php
        $psa_d/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
        $psa_d/admin/conf/templates/default/server/nginxVhosts.php
    "

    flag=0
    for cfg in $ssl_cfg_list; do
        [ -f "$cfg" ] || continue

        dst_cfg="$cfg"
        if [ -n "`echo $cfg | grep $vhost_cfg_default_d`" ]; then
                dst_cfg="`echo $cfg | sed -e \"s|$vhost_cfg_default_d|$vhost_cfg_custom_d|\"`"
                mkdir -p ${dst_cfg%/*}
                cp $cfg $dst_cfg
        else
                do_backup $dst_cfg
        fi
        sed -i -e "s|^\([[:space:]]*ssl_protocols\).*|\1                TLSv1 TLSv1.1 TLSv1.2;|" $dst_cfg
        flag=1
    done

    [ $flag -eq 0 ] || $psa_d/admin/bin/httpdmng --reconfigure-all

    case $os_name in
        Debian*|Ubuntu*) service_cmd="/etc/init.d/nginx restart" ;;
        *) service_cmd="service nginx restart" ;;
    esac

    service_restart "$service_cmd" "1"
}

fix_nginx_v3()
{
    echo "---> Fix SSL configuration for nginx web server..."
    mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa -e"REPLACE INTO misc VALUES('disablesslv3','true');"

   $psa_d/admin/bin/httpdmng --reconfigure-all

   case $os_name in
        Debian*|Ubuntu*) service_cmd="/etc/init.d/nginx restart" ;;
        *) service_cmd="service nginx restart" ;;
    esac

   service_restart "$service_cmd" "1"

}

fix_postfix_v3()
{
        echo "---> Fix SSL configuration for postfix mail server..."

        [ -f "/etc/postfix/main.cf" ] || return 0
        do_backup /etc/postfix/main.cf

        #options="smtpd_tls_mandatory_protocols tls_low_cipherlist tls_medium_cipherlist tls_high_cipherlist tls_null_cipherlist"
        options="smtpd_tls_mandatory_protocols"

        flag=0
        for opt in $options; do
                protocols="`postconf $opt | awk -F '=' '{print $2}'`"
                echo $protocols | grep -q '!SSLv3'
                if [ $? -ne 0 ]; then
                        postconf ${opt}="${protocols}:!SSLv3"
                        flag=1
                fi
        done

        case $os_name in
        Debian*|Ubuntu*) service_restart "/etc/init.d/postfix restart" "1" ;;
        *) service_restart "service postfix restart" "1" ;;
        esac
}
 
AND

Code: 
fix_courier_v3()
{
        echo "---> Fix SSL accessible protocols for courier-imap mail server"

        cfg_list="/etc/courier-imap/imapd-ssl /etc/courier-imap/pop3d-ssl"

        flag=0
        for cfg in $cfg_list; do
                [ -f "$cfg" ] || continue

                do_backup $cfg

                flag=1
                set_value "TLS_PROTOCOL" "TLSv1+" "=" "" $cfg
        done

        case $os_name in
        Debian*|Ubuntu*)
                service_restart "/etc/init.d/courier-imaps restart" "$flag"
                service_restart "/etc/init.d/courier-pop3s restart" "$flag"
                service_restart "/etc/init.d/courier-imapd restart" "$flag"
        ;;
        *)
                service_restart "service courier-imaps restart" "$flag"
                service_restart "service courier-pop3s restart" "$flag"
                service_restart "service courier-imapd restart" "$flag"
        ;;
        esac
}

fix_dovecot_v3()
{
        echo "---> Fix SSL accessible protocols for dovecot mail server"

        #cfg_list="/etc/dovecot/conf.d/10-plesk-security.conf /etc/dovecot/conf.d/11-plesk-security-pci.conf"
        cfg_list="/etc/dovecot/conf.d/10-plesk-security.conf"

        flag=0
        for cfg in $cfg_list; do
                [ -f "$cfg" ] || continue
                do_backup $cfg
                flag=1
                set_value "ssl_protocols" "!SSLv2 !SSLv3" "=" " " $cfg
        done

        case $os_name in
        Debian*|Ubuntu*) service_cmd="/etc/init.d/dovecot restart" ;;
        *) service_cmd="service dovecot restart" ;;
        esac
        service_restart "$service_cmd" "$flag"
}

fix_proftpd_v3()
{
        echo "---> Disable SSLv3 for FTP service"

        if [ ! -d "/etc/proftpd.d/" ]; then
                mkdir -p /etc/proftpd.d/
                echo "Include /etc/proftpd.d" >> /etc/proftpd.conf
        fi

        cfg="/etc/proftpd.d/60-nosslv3.conf"
        if [ -f "$cfg" ]; then
            do_backup $cfg
        fi

    if [ "$is_tls_new" = 'True' ]; then
        echo "<Global>" >$cfg
        echo "<IfModule mod_tls.c>" >>$cfg
        echo "TLSProtocol TLSv1 TLSv1.1 TLSv1.2" >>$cfg
        echo "TLSCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" >>$cfg
        echo "</IfModule>" >> $cfg
        echo "</Global>" >> $cfg
    else
        echo "<IfModule mod_tls.c>" >>$cfg
        echo "TLSProtocol SSLv23" >>$cfg
        echo "TLSCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" >>$cfg
        echo "</IfModule>" >> $cfg
    fi 
}

fix_cp_server_v3()
{
    echo "---> Fix Plesk Panel web service"

    cfg="/etc/sw-cp-server/conf.d/pci-compliance.conf"

    if [ -f "$cfg" ]; then
        do_backup $cfg

        grep -q "^[[:space:]]*ssl_protocols" $cfg
        if [ $? -eq 0 ]; then
                sed -i -e "s|^\([[:space:]]*ssl_protocols\).*|\1                TLSv1 TLSv1.1 TLSv1.2;|" $cfg
        else
                echo  "ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;" >> $cfg
        fi
    else
        echo  "ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;" >> $cfg
        echo  "ssl_ciphers                 HIGH:!aNULL:!MD5;" >> $cfg
        echo  "ssl_prefer_server_ciphers   on;" >> $cfg
    fi

    service_restart "/etc/init.d/sw-cp-server restart" "1"
}

fix_qmail_v3()
{
    echo "---> Disable SSLv3 in Qmail MTA"
    cfg="/var/qmail/control/tlsserverciphers"
    [ -d "/var/qmail/control" ] || return 0
    if [ -f "$cfg" ]; then
        do_backup $cfg
    fi
    echo "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" > $cfg
}


# -*- vim:ft=sh

# https://www.howtoforge.com/tutorial/how-to-protect-your-debian-and-ubuntu-server-against-the-logjam-attack/
# https://www.8px.pl/linux-debian-ununtu-ochrona-przed-logjam-nginx-apache-postfix/

# Checking guide:
# http://security.stackexchange.com/questions/89773/how-to-check-if-a-server-is-not-vulnerable-to-logjam

set_dh_params()
{
        module_prefix="dh"
        dh_certfile="/usr/local/psa/etc/dhkey.pem"
        description="Processing the Diffie-Hellman vulnerability."
}

dh_prepare()
{
        create_dhkey
}

create_dhkey()
{
        [ -f "$dh_certfile" ] && return

        curdir="`pwd`"
        cd ${dh_certfile%/*}
        dd if=/dev/urandom of=dhparams.rand.tmp count=1 2>/dev/null
        openssl dhparam -rand dhparams.rand.tmp -out ${dh_certfile##*/} 2048
        rm -f /usr/share/dhparams.rand.tmp
        chown root:root $dh_certfile
        chmod 0644 $dh_certfile
        cd $curdir
}

fix_apache_dh()
{
        # Taken from:
        # http://serverfault.com/questions/693241/how-to-fix-logjam-vulnerability-in-apache-httpd

        echo "---> Fix SSL configuration for apache web server..."

        set_apache_params
        get_openssl_version
        do_backup $apache_cfg

        # Add new parameter in config file for apache >= 2.4.8 and openssl >= 1.0.2
        if [ "$apache_version_major" -ge 4 -a "$apache_version_minor" -ge 8 -a "$openssl_major_version" -ge 1 -a "$openssl_revision_version" -ge 2 ]; then
                set_value "SSLOpenSSLConfCmd" "DHParameters \"$dh_certfile\"" " " " " $apache_cfg
        fi

        # Add Ciphers list for old apache versions
        set_value "SSLCipherSuite" "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" " " " " $apache_cfg

        service_restart "$service_cmd" "1"
}
 
AND

Code: 
fix_nginx_dh()
{
    echo "---> Fix SSL configuration for nginx web server..."

    nginx_pool_d="/etc/nginx/plesk.conf.d"
    vhost_cfg_default_d="$psa_d/admin/conf/templates/default"
    vhost_cfg_custom_d="$psa_d/admin/conf/templates/custom"

    ssl_cfg_list="
    /etc/nginx/plesk.conf.d/webmail.conf
    /etc/nginx/plesk.conf.d/server.conf
    $psa_d/admin/conf/templates/default/nginxWebmailPartial.php
    $psa_d/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
    $psa_d/admin/conf/templates/default/server/nginxVhosts.php
    "
    custom_cfg_list="
    $vhost_cfg_custom_d/nginxWebmailPartial.php
    $vhost_cfg_custom_d/domain/nginxDomainVirtualHost.php
    $vhost_cfg_custom_d/server/nginxVhosts.php
    "

    flag=0
    
    for dst_list in $custom_cfg_list; do
        if [ -f $dst_list ]; then
            do_backup $dst_list
        fi
    done
    for cfg in $ssl_cfg_list; do
        [ -f "$cfg" ] || continue

        dst_cfg="$cfg"
        if [ -n "`echo $cfg | grep $vhost_cfg_default_d`" ]; then
                dst_cfg="`echo $cfg | sed -e \"s|$vhost_cfg_default_d|$vhost_cfg_custom_d|\"`"
                mkdir -p ${dst_cfg%/*}
                cp $cfg $dst_cfg
        else
                do_backup $dst_cfg
        fi
        exists="`cat $dst_cfg | grep  'ssl_dhparam'`"
        if [ -n "$exists" ]; then
                sed -i -e "s|^\([[:space:]]*\)\(ssl_dhparam.*\)$|\1ssl_dhparam          ${dh_certfile};|" $dst_cfg
        else
                sed -i -e "s|^\([[:space:]]*\)\(ssl_protocols.*\)$|\1\2\n\1ssl_dhparam          ${dh_certfile};|" $dst_cfg
        fi
        flag=1
    done

    [ $flag -eq 0 ] || $psa_d/admin/bin/httpdmng --reconfigure-all

    case $os_name in
        Debian*|Ubuntu*) service_cmd="/etc/init.d/nginx restart" ;;
        *) service_cmd="service nginx restart" ;;
    esac

    service_restart "$service_cmd" "1"
}

fix_postfix_dh()
{
        echo "---> Fix SSL configuration for postfix mail server..."

        [ -f "/etc/postfix/main.cf" ] || return 0
        do_backup /etc/postfix/main.cf

        postconf smtpd_tls_mandatory_exclude_ciphers="aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA"
        postconf smtpd_tls_dh1024_param_file="$dh_certfile"

        case $os_name in
        Debian*|Ubuntu*) service_restart "/etc/init.d/postfix restart" "1" ;;
        *) service_restart "service postfix restart" "1" ;;
        esac
}

fix_courier_dh()
{
        echo "---> Fix SSL accessible protocols for courier-imap mail server"

        cfg_list="/etc/courier-imap/imapd-ssl /etc/courier-imap/pop3d-ssl"

        get_courier_version

        flag=0
        for cfg in $cfg_list; do
                [ -f "$cfg" ] || continue
                if [ "$courier_major_version" -ge 4 -a "$courier_minor_version" -ge 15 ]; then
                        do_backup $cfg
                        set_value "TLS_DHPARAMS" "${dh_certfile}" "=" "" $cfg
                        flag=1
                fi
         done

         [ -f "/usr/sbin/mkdhparams" ] ||return 0
            do_backup /usr/sbin/mkdhparams

            sed -i s,BITS=768,BITS=2048,g /usr/sbin/mkdhparams
            sed -i /"chmod 600"/d /usr/sbin/mkdhparams

        case $os_name in
        Debian*|Ubuntu*)
                service_restart "/etc/init.d/courier-imaps restart" "$flag"
                service_restart "/etc/init.d/courier-pop3s restart" "$flag"
                service_restart "/etc/init.d/courier-imapd restart" "$flag"
        ;;
        *)
                service_restart "service courier-imaps restart" "$flag"
                service_restart "service courier-pop3s restart" "$flag"
                service_restart "service courier-imapd restart" "$flag"
        ;;
        esac
}

fix_dovecot_dh()
{
        which dovecot 1>/dev/null 2>&1 || return

        echo "---> Fix SSL accessible protocols for dovecot mail server"

        get_dovecot_version

        #cfg_list="/etc/dovecot/conf.d/10-plesk-security.conf /etc/dovecot/conf.d/11-plesk-security-pci.conf"
        cfg_list="/etc/dovecot/conf.d/10-plesk-security.conf"

        flag=0
        for cfg in $cfg_list; do
                [ -f "$cfg" ] || continue
                do_backup $cfg
                flag=1
                set_value "ssl_cipher_list" "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" "=" " " $cfg
                if [ "$dovecot_major_version" -ge "22" ]; then
                        if [ "$dovecot_minor_version" -ge "6" ]; then
                                set_value "ssl_prefer_server_ciphers" "yes" "=" " " $cfg
                        fi

                        if [ "$dovecot_minor_version" -ge "7" ]; then
                                set_value "ssl_dh_parameters_length" "2048" "=" " " $cfg
                        fi
                fi
        done

        case $os_name in
        Debian*|Ubuntu*) service_cmd="/etc/init.d/dovecot restart" ;;
        *) service_cmd="service dovecot restart" ;;
        esac
        service_restart "$service_cmd" "$flag"
}

# Add new parameter in config file for proftp if openssl >= 1.0.1
get_openssl_version

if [ "$openssl_major_version" -ge 1 -a "$openssl_minor_version" -ge 0 -a "$openssl_revision_version" -ge 1 ]; then

fix_proftpd_dh()
{
        echo "---> Fix SSLv3(DH) for FTP service"

        cfg="/etc/proftpd.d/60-nosslv3.conf"
        ciphers="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
      
       if [ -f "$cfg" ]; then
        do_backup $cfg
       fi

        if [ ! -f "$cfg" ]; then
                echo "<Global>" > $cfg
                echo "<IfModule mod_tls.c>" >> $cfg
                echo "TLSProtocol TLSv1 TLSv1.1 TLSv1.2" >> $cfg
                echo "TLSCipherSuite $ciphers" >> $cfg
                echo "TLSDHParamFile  ${dh_certfile}" >> $cfg
                echo "</IfModule>" >> $cfg
                echo "</Global>" >> $cfg
                return
        fi

        if grep -q "^[[:space:]]*TLSCipherSuite" $cfg; then
                sed -i -e "s|^\([[:space:]]*\)\(TLSCipherSuite.*\)$|\1TLSCipherSuite ${ciphers}|" $cfg
        else
                sed -i -e "s|^\([[:space:]]*\)\(TLSProtocol.*\)$|\1\2\n\1TLSCipherSuite ${ciphers}|" $cfg
        fi

        if ! grep -q "^[[:space:]]*TLSDHParamFile" $cfg; then
                sed -i -e "s|^\([[:space:]]*\)\(TLSProtocol.*\)$|\1\2\n\1TLSDHParamFile ${dh_certfile}|" $cfg
        fi
}
fi
 
AND

Code: 
fix_cp_server_dh()
{
        echo "---> Fix Plesk Panel web service"

        get_product_version

        # Fix cp-server (lighthttpd)
        if [ "$product_major_version" -eq 11 ]; then
                cfg="/usr/local/psa/admin/conf/ssl-conf.sh"
                cfile="/usr/local/psa/admin/conf/cipher.lst"
                ciphers="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
                echo "$ciphers" > $cfile
                
        if [ -f "$cfg" ]; then
            do_backup $cfg
        fi
                if grep -q "^[[:space:]]*.*ssl\.dh-file" $cfg; then
                        sed -i -e "s|^\([[:space:]]*\)\(.*ssl\.dh-file.*\)$|\1ssl.dh-file = \"${dh_certfile}\"\'|" $cfg
                else
                        sed -i -e "s|^\([[:space:]]*\)\(.*ssl\.engine.*\)$|\1\2\n\1echo \'ssl.dh-file = \"${dh_certfile}\"\'|" $cfg
                fi
                $cfg
        else
                # Fix cp-server (nginx)
                cfg="/etc/sw-cp-server/conf.d/pci-compliance.conf"

                if [ -f "$cfg" ]; then
                        do_backup $cfg

                        if grep -q "^[[:space:]]*ssl_dhparam" $cfg; then
                                sed -i -e "s|^\([[:space:]]*\)\(ssl_dhparam.*\)$|\1ssl_dhparam          ${dh_certfile};|" $cfg
                        else
                                echo "ssl_dhparam               ${dh_certfile};" >> $cfg
                        fi
                else
                        echo  "ssl_protocols    TLSv1 TLSv1.1 TLSv1.2;" >> $cfg
                        echo  "ssl_ciphers              HIGH:!aNULL:!MD5;" >> $cfg
                        echo  "ssl_prefer_server_ciphers on;" >> $cfg
                        echo  "ssl_dhparam              ${dh_certfile};" >> $cfg
                fi
        fi

        service_restart "/etc/init.d/sw-cp-server restart" "1"
}

fix_qmail_dh()
{
    echo "---> Disable SSLv3 in Qmail MTA"
    cfg="/var/qmail/control/tlsserverciphers"
    [ -d "/var/qmail/control" ] || return 0
    if [ -f "$cfg" ]; then
        do_backup $cfg
    fi
    echo "ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM" > $cfg
}


# -*- vim:ft=sh

export LANG="C"
export LC_ALL="C"

mode="$1"
service="$2"

psa_d="/usr/local/psa"
services="apache nginx postfix courier dovecot proftpd cp_server qmail"
modules="v3 dh"

usage()
{
        echo "USAGE: $0 [mode [service]]"
        for mode in $modules; do
                set_${mode}_params
                echo "       $0 $mode [service] '$description'"
        done
        echo ""
        echo "SERVICES:"
        for service in $services; do
                echo "        $service"
        done
        exit 0
}

[ "$mode" = "help" ] && usage

get_os

[ -n "$mode" ] && modules="$mode"

flag=0
for module in $modules; do
        if is_function set_${module}_params; then
                set_${module}_params
                echo ""
                echo "${description}.."
        fi

        is_function ${module}_prepare && ${module}_prepare

        for mod in $services; do
                if [ -n "$service" ]; then
                        if [ "$service" = "$mod" ]; then
                                if is_function fix_${mod}_${module}; then
                                        fix_${mod}_${module}; flag=1; break
                                fi
                        fi
                        continue
                fi
                if is_function fix_${mod}_${module}; then
                        fix_${mod}_${module}; flag=1
                fi
        done
done

[ $flag -eq 0 ] && usage

exit 0
 
You must log in or register to reply here.

Similar threads

C
Resolved Plesk Obsidian Version 18.0.56 Update #4 on Ubuntu 22.04.3 LTS ModSecurity upload error on WordPress
Replies
1
Views
708
copec
C
kaw.one
Question (VPS) Cloudflare, Gmail and Other Plesk Panel 8443 (2 minutes - slow read)
Replies
1
Views
642
kaw.one
kaw.one
J
Resolved Can't login at Plesk admin panel (Plesk Onyx 17.0.17)
Replies
2
Views
148
JVG
J
J
Issue Drweb won't start in new Debian12 installation
Replies
4
Views
333
Peter Debik
P
V
Issue RoundCube error : Oops... something went wrong!
Replies
2
Views
1K
Peter Debik
P
Back
Top