Update your OpenSSL now!

Same here! All our checks / updates are done. LSOF says nothing found. But if we check the :2222 port then we get message "Vulnerable".

EDIT: This is only applicable to our Debian 7 (Wheezy) servers.

Is this a bug somewhere in Debian and/or DirectAdmin?

I have tried to reinstall DA with the latest prerelease, but I get the same message on a Debian 7 64bit OS when I check port 2222:
Server is vulnerable, please upgrade software ASAP
 
Yes, I can confirm.

Only the DA port 2222 on Debian 7 gives a "Vulnerable" back.

All other systems (Debian 5, Debian 6 and CentOS 6.5) show "OK" on the port 2222 check after upgrading openssl and restarting.

Here is some data we pulled from the server memory:
(we put YELLOW SUBMARINE there, and it should not have come back)

([]uint8) {
00000000 02 00 79 68 65 61 72 74 62 6c 65 65 64 2e 66 69 |..yheartbleed.fi|
00000010 6c 69 70 70 6f 2e 69 6f 59 45 4c 4c 4f 57 20 53 |lippo.ioYELLOW S|
00000020 55 42 4d 41 52 49 4e 45 95 fa 97 dc f7 ef 79 1a |UBMARINE......y.|
00000030 24 b9 05 6e a2 f9 80 54 97 27 71 5a 0d 31 14 78 |$..n...T.'qZ.1.x|
00000040 5e c8 78 83 41 7e 7d e8 fd cf b8 f8 a6 00 47 14 |^.x.A~}.......G.|
00000050 c9 50 70 c2 d5 8e 65 bd c0 9d 82 c7 52 ff 1a a4 |.Pp...e.....R...|
00000060 c7 e9 69 c1 bb 19 ba 12 c6 e6 39 dd 86 5b 5f 8d |..i.......9..[_.|
00000070 2d 53 5f 59 1b 31 1d 88 21 59 4c 54 80 c1 6c 2b |-S_Y.1..!YLT..l+|
00000080 29 cc 06 45 fe 43 69 26 95 67 a5 f9 |)..E.Ci&.g..|
}
 
FreeBSD users should be unaffected as they use OpenSSL 0.9.8y built-in.

Just in case, if you eventually compiled OpenSSL from ports (usually people don't do that), check your ports tree for it and see if it's up to date.
It's actually a very bad idea to use OpenSSL from base as it doesn't support TLS 1.2 and thus only offers weak encryption.
 
Regarding Debian 7, you should ring DA up so that they deliver an update ASAP and you should shut down your DA service. Failure to do so will leak your customers' passwords to anybody who targets your servers. There are automated tools out there collecting sessions, passwords and possibly keys...

Also, there are snort rules which can be used to autoban scanners.
 
CentOS 6.5, Debian 5 and 6 work.

We need a solution for DirectAdmin on Debian 7.

Same server:
The https service on port 443 is "OK" after the openssl update
The DA service on port 2222 shows "Vulnerable"

@John
Is it possible that DA in this version is itself compiled with the old openssl libs?

Mario
 
Just a heads up that you may want to update your scanners to also look for the vulnerability in servers only supporting TLS1.1. This may be the case on some older OS versions.
 
Hello,

For Debian 7, what I've done on the build boxes:
Code:
apt-get update
apt-get upgrade libssl1.0.0
and then confirmed the openssl version is this:
Code:
root@debian7-64:/usr/local/directadmin# dpkg -l | grep "openssl"
ii  openssl                            1.0.1e-2+deb7u6               amd64        Secure Socket Layer (SSL) binary and related cryptographic tools
where the -2+deb7u6 is new.
And followed that up with a full recompile of the DA binaries.

I've put up the tar.gz files for both Debian 7 32-bit and 64-bit in the pre-release section.
If you guys want to give them a try, and confirm if they work for you... I can then put them into the update.tar.gz files for the production binary releases, so people can update with daupdate.
We'll probably be releasing a new version of DA soon anyway, so we support apache 2.4.9 on CentOS 5.

John
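The procedure above has two parts a verifier can script: confirming the library package (libssl1.0.0, not just the openssl binary package) is at the fixed version, and finding processes that still have the pre-upgrade library mapped, which is what the lsof check mentioned earlier in the thread looks for. This is an added example, not DirectAdmin's or Debian's code; the dpkg output and /proc maps below are constructed samples, and the "fixed" version is the one John's post reports.

```python
import os
import re

FIXED_LIBSSL = "1.0.1e-2+deb7u6"  # Debian 7 version John's post reports as fixed
_WHEEZY_VER = re.compile(r"^([0-9a-z.]+)-(\d+)\+deb7u(\d+)$")

def parse_wheezy_version(version):
    """'1.0.1e-2+deb7u6' -> ('1.0.1e', 2, 6); None if not a wheezy-style version."""
    m = _WHEEZY_VER.match(version)
    return (m.group(1), int(m.group(2)), int(m.group(3))) if m else None

def libssl_is_fixed(dpkg_l_output, package="libssl1.0.0", fixed=FIXED_LIBSSL):
    """True if 'dpkg -l' shows the package installed ('ii') at the fixed version or later."""
    want = parse_wheezy_version(fixed)
    for line in dpkg_l_output.splitlines():
        fields = line.split()  # ii  name[:arch]  version  arch  description...
        if len(fields) < 3 or fields[0] != "ii" or fields[1].split(":")[0] != package:
            continue
        have = parse_wheezy_version(fields[2])
        return have is not None and have[0] == want[0] and have[1:] >= want[1:]
    return False

def stale_libssl_pids(maps_by_pid):
    """Given {pid: text of /proc/<pid>/maps}, return pids still mapping a libssl or
    libcrypto that was replaced on disk; the kernel marks such mappings '(deleted)'."""
    stale = set()
    for pid, maps in maps_by_pid.items():
        for line in maps.splitlines():
            if line.endswith("(deleted)") and re.search(r"lib(ssl|crypto)\.so", line):
                stale.add(pid)
    return sorted(stale)

def read_proc_maps():
    """Collect /proc/<pid>/maps for every process we are allowed to read (Linux only)."""
    maps = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/maps" % pid) as f:
                maps[int(pid)] = f.read()
        except OSError:
            pass  # process exited or is not ours to inspect
    return maps

# Constructed sample data (not from the thread): the openssl binary package is updated
# but the shared library that running services actually load is not.
SAMPLE_DPKG = ("ii  libssl1.0.0:amd64  1.0.1e-2+deb7u4  amd64  SSL shared libraries\n"
               "ii  openssl            1.0.1e-2+deb7u6  amd64  Secure Socket Layer (SSL) binary\n")
SAMPLE_MAPS = {4242: "7f0a0000-7f0b0000 r-xp 00000000 08:01 99 /usr/lib/libssl.so.1.0.0 (deleted)",
               4243: "7f0c0000-7f0d0000 r-xp 00000000 08:01 98 /usr/lib/libssl.so.1.0.0"}

if __name__ == "__main__":
    print(libssl_is_fixed(SAMPLE_DPKG), stale_libssl_pids(SAMPLE_MAPS))  # False [4242]
```

On a real box, pass the output of `dpkg -l` to `libssl_is_fixed` and `read_proc_maps()` to `stale_libssl_pids`; a statically linked binary such as a self-compiled DA will not show up in either check and still needs the rebuild John describes.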
 
Hey John.

Thanks a lot.

dpkg -l | grep "openssl"
ii openssl 1.0.1e-2+deb7u6 amd64 Secure Socket Layer (SSL) binary and related cryptographic tools

was already done in the beginning of this week.

Now I have recompiled DA from the pre-release section.

WORKS WELL !!!!!! :)

All good, xxxxx:2222 seems fixed or unaffected!
 
I updated and after that my ssh server is not working!!! What can I do???

Failed to restart the "sshd" service.
Cannot start/stop/restart service: Stopping sshd: [FAILED]
Starting sshd: OpenSSL version mismatch. Built against 10000003, you have 1000107f
[FAILED]

And in the DirectAdmin error: An error has occurred

Details

/sbin/service sshd start 2>&1

How can I fix this? Please help me...
 
We'll probably be releasing a new version of DA soon anyway, so we support apache 2.4.9 on CentOS 5.

Will the upcoming DA version have Apache 2.4.9 in Custombuild 2.0? I really want to upgrade Apache as soon as possible. I am running CentOS 6.5 64bit, CB 2.0, PHP 5.5.11 (5.4.27 on one box) and mod_php + mod_ruid2. I hope we can get Apache 2.4.9 soon, because there were some security fixes in that version.
 
Ok, why am I getting
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B
on Apache 2.2.27 and 2.2.16?
even though I'm using
SSLProtocol All -SSLv2 -SSLv3
as per that url Marwen gave?

by the way, my openssl version is 0.9.8o, but it will not upgrade.
 
Did you try the settings from the page?

SSLProtocol All -SSLv2 -SSLv3

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4

in the

/etc/httpd/conf/extra/httpd-ssl.conf

after restarting apache?
 
  1. You want A+ and a good cipher order? Use this: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
  2. Don't forget to add the cipher suite in all your software configs. Apache is just one of them.
  3. You can't use the same suites everywhere, as things like some email clients need broken ciphers to be able to establish a connection.
  4. DA itself on port 2222 does not support the best ciphers due to this bug.
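Point 2 means the same cipher string ends up pasted into several configs, so it is worth auditing what a string still enables before rolling it out. The helper below is an added example (not from the thread or any of the tools it mentions); it is a keyword audit of the string itself rather than OpenSSL's real expansion, so confirm with `openssl ciphers -v '<string>'` on the box. Run over the two strings quoted above, it reports that the httpd-ssl.conf list keeps three 3DES suites and that the A+ list still adds RC4 (no `!` in front of it), which is exactly the kind of compatibility trade-off point 3 describes.

```python
import re

def weak_markers(token):
    """Weaknesses a cipher-string token implies, named by the OpenSSL alias that
    kills them with '!'. Assumption: a keyword audit of the string itself, not
    OpenSSL's real expansion; confirm with: openssl ciphers -v '<string>'."""
    parts = set(re.split(r"[-+]", token))
    found = set()
    if "RC4" in parts:
        found.add("RC4")
    if "3DES" in parts or "CBC3" in parts:  # DES-CBC3-SHA is triple DES
        found.add("3DES")
    elif "DES" in parts:
        found.add("DES")                    # single DES
    if "MD5" in parts:
        found.add("MD5")
    if any(p.startswith("EXP") for p in parts):  # EXP, EXPORT, EXP1024-...
        found.add("EXP")
    if parts & {"aNULL", "eNULL", "NULL"}:
        found.add("NULL")
    if "LOW" in parts:
        found.add("LOW")
    return found

def parse_cipher_string(spec):
    """Split 'A:!B:+C' into (action, token) pairs; '' adds, '!' kills, '-' removes, '+' moves to end."""
    out = []
    for tok in filter(None, spec.split(":")):
        action = tok[0] if tok[0] in "!-+" else ""
        out.append((action, tok.lstrip("!-+")))
    return out

def weak_ciphers_enabled(spec):
    """Tokens the string adds or keeps whose weakness no '!' alias in the same string kills."""
    pairs = parse_cipher_string(spec)
    killed = set().union(*(weak_markers(t) for a, t in pairs if a == "!"))
    return [t for a, t in pairs if a not in ("!", "-") and weak_markers(t) - killed]

# The two cipher strings quoted in the thread.
HTTPD_SSL_LIST = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4"
A_PLUS_LIST = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"

if __name__ == "__main__":
    print(weak_ciphers_enabled(HTTPD_SSL_LIST))  # the three DES-CBC3 (3DES) suites
    print(weak_ciphers_enabled(A_PLUS_LIST))     # ['RC4']
```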
 

Thanks for these ciphers, indeed gives a good score.
 
On CentOS 6.5 64bit servers (CB 2.0), after upgrading OpenSSL using yum, I get this notice in server main Apache error log when restarting Apache:

Code:
[lbmethod_heartbeat:notice] [pid 30970] AH02282: No slotmem from mod_heartmonitor

I can't be sure I did not have this notice before the upgrade of OpenSSL, however I don't think so; I can't remember seeing that notice before.

I don't think this is a problem, I think it can be ignored, however I wanted to post it here, so if others have opinions about it, they can share them here. Thanks.
 