
port 8443 pcsync-https with medium strength SSL ciphers

KalaniY
Hello:
I hope someone can take me out of this big hole. Recently, I performed a PCI scan and found port 8443 pcsync-https with medium strength SSL ciphers.

Synopsis : The remote service supports the use of medium strength SSL ciphers. Description :
The remote host supports the use of SSL ciphers that offer medium strength encryption, which
we currently regard as those with key lengths at least 56 bits and less than 112 bits. Solution:
Reconfigure the affected application if possible to avoid use of medium strength ciphers.


Could anyone please provide me some helpful info on how to fix it? Thank you all.
 
Thanks for your help! I did apply all of these PCI compliance changes to the new Plesk 9.2.3 (9.2.3-rhel5.build92091015.22) with all updated applications. The problems are the same unless port 8443 is closed entirely.

If I stop only the psa service and scan again, it shows...

8443 TCP pcsync-https with medium strength SSL ciphers.

Description :
The remote host supports the use of SSL ciphers that offer medium strength encryption, which
we currently regard as those with key lengths at least 56 bits and less than 112 bits.
Solution:
Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Any idea?
 
IgorG,

The linked workaround does not appear to have anything to do with the stated problem. I am having the same problem:

Right, if you read carefully, the provided solution is for another problem. This problem with SSL ciphers is under the developers' investigation now and, as far as I know, should be fixed in the next Plesk version.
 
I'm using Plesk 8.6 and my PCI scan vendor has failed my server. When will the problem "The remote service supports the use of medium strength SSL" be remedied?
 
Make it PCI compliant

Please use this article to tackle PCI compliance.

Apply all the changes listed at http://www.md3v.com/pci-compliance-for-parallels-plesk

Apply all the changes listed at http://kb.odin.com/en/6228

Delete Apache directories: var/www/

Breaking News for PHP Version Check on Dec 02, 2009 by McAfee Secure. Upgrade to PHP 5.3.6 ASAP. (Critical in PCI)

Perform a task in SSH with fuser -k 8443/tcp if 8443 TCP pcsync-https with medium strength SSL ciphers is reported.

Please share your experiences on how to achieve PCI compliance.
 
Lots of posts about making Plesk PCI compliant

Guys, just do a search on Google and you will come up with a bunch of sysadmin posts on what to do to make your Plesk pass PCI compliance:

Take a look here:
http://linuxhostingsupport.net/blog/?cat=88

Hopefully new Plesk versions will have these applied by default (it's a bit of a pain having to apply these to all new Plesk installs)..
 
Hi,

I am having problems here too. Having read the above posts, it seems they have not been updated to deal with the problems relating to port 8443 pcsync-https with medium strength SSL ciphers. They all refer to earlier problems with SSLv2.

On my CentOS 5 installation with Plesk I have found the following configuration files relating to SSL:
/usr/local/psa/admin/conf/httpsd.custom.include
/etc/httpd/conf.d/zz010_psa_httpd.conf
/etc/httpd/conf.d/ssl.conf
/usr/local/psa/admin/conf/httpsd.custom.include
/usr/local/psa/admin/conf/openssl.conf

I have changed all the details to :

ServerTokens Prod
UserDir disabled
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH
ErrorDocument 417 "Expect not supported"

as per the details on openssl.org

Now testing this with :
openssl s_client -connect mydomain.com:443 -cipher EXP:MEDIUM

works fine in preventing the connection. However changing to

openssl s_client -connect mydomain.com:8443 -cipher EXP:MEDIUM it allows the connection.

It seems that Plesk may use its own HTTP daemon for the CP as compared to the one for serving web content. But I'm stuffed if I can find it.

This requirement for PCI DSS was added on 25th November according to my provider, hence these older "solutions", although great for the earlier issues, do not appear to present a solution to the current one.

Any thoughts guys ?
 
Argh - this is one of the main reasons we upgraded to Plesk 9! This is the last thing we're failing on the PCI compliance test. Igor - it seems we can't fix this ourselves? Any hotfix? We have to wait until the next release? When will that be? Trying to get this sorted out ASAP. Thanks.
 
Argh - this is one of the main reasons we upgraded to Plesk 9! This is the last thing we're failing on the PCI compliance test. Igor - it seems we can't fix this ourselves? Any hotfix? We have to wait until the next release? When will that be? Trying to get this sorted out ASAP. Thanks.

I have recently prepared a list of the most frequent complaints regarding PCI compliance, security questions, vulnerability issues, etc. and forwarded it to the development team. All that I know is that it should be fixed and corrected in the next versions of Plesk. I have no ETA, but I'm sure that it will definitely be corrected and fixed.
BTW, why does it disturb you so much? Is it really that hackers crack your Plesk so often? Or what?
 
Hi Guys,

Firstly sorry for the double post above, missed the moderator authorisation details.

I am well aware that the issue raised by the PCI DSS scan is virtually pointless in terms of a security hole; yes Igor, you are right, Plesk has never been hacked on my systems. However this in itself does not appease the PCI DSS scanning companies, who for the most part don't care and stick purely to the results coming out of Nessus (the testing software used by the vast majority).
A minority of PCI DSS providers (alas not mine) will see this particular issue as trivial and allow an exception until a fix is produced. Others (mine included - Security metrics) are not so open minded.

Igor, the issue is that if a site or server fails the PCI DSS - and this issue on its own now results in a failing grade (it has a level 5 warning). When you receive a failing grade this information is passed directly to our merchant bank / credit card processing company informing them of such. Therefore the merchant (us) becomes open to large fines should a breach occur.

As we covered earlier this is very unlikely if this flaw is the only one present (and I realize that the vast majority of PCI DSS is folly anyway, as you can pass with a master password of admin); however it can cause panic to a lot of businesses who are not as aware of the risks and see the fail grade as a very big problem.

I have in the interim found a workaround - not for solving the problem. (I now believe that in Plesk 9 the HTTP daemon is in Perl? Igor, is this right? and therefore difficult to change settings simply).

The workaround that I have found is possible as my host has a configurable firewall at a lower level than Plesk. I access it through their web interface and not Plesk's. This allows me to block all TCP to port 8443 and thus run the PCI scans and pass. When I want to access Plesk I have to go in, remove the rule and then log in (I don't always have a fixed IP, which would be the other workaround). Obviously if you try this in the Plesk firewall you will have major issues!

Hope this is of some help. I do look forward to the fix.
 
We have clients on our server who accept credit cards and are required by their credit card company to have a PCI compliant website. So we have to jump through the hoops. Blocking access to port 8443 isn't feasible since many clients have to access Plesk who have various dynamic IPs, etc. We have to have this fixed ASAP.
 
This approach seems to cover ports 8443, 443, 993, 995 and 465 in terms of shutting off the offending SSLv2 protocol. However, it would have been much easier for all if Plesk had incorporated these changes in the regular release cycle, rather than everybody having to tolerate an insecure server or manually make the changes below as I have done.
#--------------------------------------------------
# Make a Plesk server PCI compliant
#--------------------------------------------------
#
#--------------------------------------------------
# Turn off SSLv2 for port 8443 (Plesk port)
#--------------------------------------------------
# create a file
# /usr/local/psa/admin/conf/httpsd.custom.include
# and insert the following lines:
# SSLProtocol all -SSLv2
# SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
# Once you insert the above lines, restart the ‘psa’ service
# and run the ‘openssl’ command to test:
# service psa stopall
# service psa start all
# openssl s_client -connect localhost:8443 -ssl2
#--------------------------------------------------
# Turn off SSLv2 for Apache SSL port 443
#--------------------------------------------------
# Edit the file:
# /etc/httpd/conf.d/ssl.conf
# and insert the following lines:
# SSLProtocol all -SSLv2
# SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
# Once you insert the lines, restart the ‘httpd’ service and run the ‘openssl’ command to test:
# service httpd restart
# openssl s_client -connect localhost:443 -ssl2
#--------------------------------------------------
# Edit courier-imap(s) to turn off SSLv2 for ports 993(IMAP)/995(POP3)
#--------------------------------------------------
# Edit the following files
# vi /etc/courier-imap/imapd-ssl
# vi /etc/courier-imap/pop3d-ssl
# comment the line which starts with "TLS_CIPHER_LIST" and insert the following line:
# TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:!SSLv2:!LOW:@STRENGTH"
# restart the ‘courier-imap’ service and execute the ‘openssl’ command to test:
# service courier-imap restart
# openssl s_client -connect localhost:993 -ssl2
# openssl s_client -connect localhost:995 -ssl2
#--------------------------------------------------
# To turn off SSLv2 for port 465(SMTPS)
#--------------------------------------------------
# Create the following files:
# vi /var/qmail/control/tlsserverciphers
# vi /var/qmail/control/tlsclientciphers
# and insert the following code:
# ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
# Once done, restart the ‘qmail’ service and test the connection on SSLv2:
# service qmail restart
# openssl s_client -connect localhost:465 -ssl2
# This will disable SSLv2 for all the SSL ports of your server.
#--------------------------------------------------
 
Make it PCI compliant

I have McAfee PCI and Security Metrics PCI, both are passing PCI for my Plesk 9.2.3

Modifying the following...

Step 1: Upgrading PHP version to 5.2.11 or higher.

Step 2: Add.... TLS_CIPHER_LIST="+HIGH:+MEDIUM:-SSLv2:-LOW:-EXP:!aNULL:@STRENGTH"
To..../etc/courier-imap/imapd-ssl AND /etc/courier-imap/pop3d-ssl

Step 3: Create two text files and type....ALL:-ADH:!kEDH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
And re-name it to....tlsserverciphers AND tlsclientciphers
Put it in..../var/qmail/control/

Step 4: Replace SSLProtocol AND SSLCipherSuite
WITH...SSLProtocol -ALL +SSLv3 +TLSv1
WITH...SSLCipherSuite ALL:-ADH:!kEDH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
In..../etc/httpd/conf.d/ssl.conf

Step 5: Install a firewall, close all port except 21,22,25,80,110,143,443,8443.
Note, you can disable or allow port 21 by edit /etc/xinetd.d/ftp_psa
Set disable = yes in /etc/xinetd.d/ftp_psa WHEN YOU NEED TO HAVE PCI SCAN(reboot server)

Step 6: Close port 8443 by SSH command, type....fuser -k 8443/tcp WHEN YOU NEED TO HAVE PCI SCAN(reboot server)

Step 7: Don't put robots.txt in your website directories. Delete Apache directories except HTML folder. Delete cgi-bin in your website ROOT directories. /var/www/vhosts/YOUR SITE

Cheerrrrrrrrrrrrrrrrrrrrrrrrrs. You are PCI compliant. I LOVE PLESK
 
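Several posts above propose cipher strings (the `HIGH:!MEDIUM:...:@STRENGTH` line and the `+HIGH:+MEDIUM` lists) without a way to check what they actually offer before the next scan. As an added example, not code from any post in this thread, the script below expands a cipher string with the local OpenSSL and groups the resulting ciphers by the scanner's own bands (below 56 bits low, 56 to 111 bits medium, 112 bits and up high); the two constants are taken from the thread, and the exact cipher names returned depend on the OpenSSL build the script runs against.

```python
import ssl

# Scanner definition quoted in the thread: "medium strength" means a key length of
# at least 56 and less than 112 bits; 112 bits and above passes.
MEDIUM_MIN_BITS = 56
STRONG_MIN_BITS = 112

# Cipher strings posted in this thread (with "@STRENGTH" restored).
STRICT = "HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
PERMISSIVE = "ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL"


def grade(strength_bits):
    """Map a cipher's effective key length onto the scanner's low/medium/high bands."""
    if strength_bits < MEDIUM_MIN_BITS:
        return "low"
    if strength_bits < STRONG_MIN_BITS:
        return "medium"
    return "high"


def expand(cipher_string):
    """Expand an OpenSSL cipher string with the local libssl and return
    [(name, strength_bits), ...]. An empty list means nothing matched."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)  # raises ssl.SSLError when no cipher matches
    except ssl.SSLError:
        return []
    return [(c["name"], c["strength_bits"]) for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Group every cipher the string would offer by band, so a suite list can be
    checked before it goes into httpsd.custom.include or ssl.conf."""
    report = {"low": [], "medium": [], "high": []}
    for name, bits in expand(cipher_string):
        report[grade(bits)].append(name)
    return report


def offers_weak(cipher_string):
    """True if the string would offer any cipher the scanner flags (under 112 bits)."""
    report = audit(cipher_string)
    return bool(report["low"] or report["medium"])


if __name__ == "__main__":
    for label, s in (("strict", STRICT), ("permissive", PERMISSIVE)):
        r = audit(s)
        print(f"{label}: high={len(r['high'])} medium={r['medium']} low={r['low']}")
```

Note that OpenSSL's own MEDIUM keyword groups ciphers by algorithm family rather than strictly by key length, so this check grades by the `strength_bits` OpenSSL reports, which is closer to the scanner's definition.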
The steps posted by ManagingD are probably for Plesk versions prior to 9. The first step for securing the 8443 Plesk port is definitely wrong as it seems that Plesk 9 uses its own webserver and not a user configurable Apache instance. And the qmail stuff may not apply as Plesk 9 defaults to using postfix.
 
Solution for those using Plesk 8.6

In reply to codesmith, I recently upgraded from CentOS 5.3 to CentOS 5.4 and I'm using Plesk 8.6 on this server to host an osCommerce shopping cart. I tried, without success, to upgrade the server to Plesk 9 when it first was released, but the osCommerce application failed. I reverted back to Plesk 8.6 and all has been OK until recently, when my PCI scan vendor [ControlScan] failed my server for SSL issues related to this thread. The PCI issue was the result of Plesk failing to upgrade v8.6 in tandem with CentOS to SSLv3, and my post above was to help to correct this Plesk problem [which it did on my server]. Although not directly related to this thread, logwatch also stopped sending daily cron-generated reports. This was pursued in the CentOS forum and it was discovered that a pure CentOS 5.4 server, without Plesk installed, had no such problem. Therefore, it is also worthy of note, relative to your qmail/postfix comment, that the logwatch issue is likely related to how Plesk has decided to handle/mishandle system level email processing. Thanks for the heads-up on this.
 
Hi Igor - those steps don't address this thread's specific problem of 'port 8443 pcsync-https with medium strength SSL ciphers' in Plesk 9.x right? We can't fix this until a new release is made right? Please let me know if there is something I'm missing. And if you have any updates on when this problem will be fixed that would be great. As I said before we need this fixed ASAP. Thanks.
 